pix 6.3(3) xlate timeout

wsitu
Level 1

Pix 515E running 6.3(3) code. xlate timeout is set to default = 3 hours. There hasn't been any activity for days. Current "show conn" shows no connections. However, the xlate table is full of old entries. Should the xlate entries be flushed after 3 hours of inactivity?

5 Replies

ehirsel
Level 6

Please run the show timeout, the show xlate, and the show static commands and post the results here. Looking at that info may give a clue as to what your issue is.

Also, are you running the pix in failover mode, or is there only one unit? If in failover mode, run the commands on the active unit.

Thanks for the response.

There are no static entries. Pix is not in failover mode, single unit. Here is the sh timeout and sh xlate.

Inet-Ext-Pix# sh timeout

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:05:00 udp 0:01:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

Inet-Ext-Pix# sh xlate

229 in use, 229 most used

Inet-Ext-Pix# sh conn

0 in use, 4486 most used

I am not aware of any known issues in the PIX 6.3(3) code. Can you post the results of a 'sh xlate debug' for review?

Scott

Inet-Ext-Pix# sh xlate debug

229 in use, 229 most used

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,

o - outside, r - portmap, s - static

NAT from inside:10.1.1.23 to outside:165.172.8.237 flags - idle 0:02:32 timeout 3:00:00

NAT from inside:10.1.1.44 to outside:165.172.8.38 flags - idle 0:02:43 timeout 3:00:00

NAT from inside:10.1.1.134 to outside:165.172.8.115 flags - idle 0:02:35 timeout 3:00:00

NAT from inside:10.1.1.64 to outside:165.172.8.54 flags - idle 0:02:39 timeout 3:00:00

NAT from inside:10.1.1.207 to outside:165.172.8.187 flags - idle 0:02:31 timeout 3:00:00

NAT from inside:10.1.1.200 to outside:165.172.8.180 flags - idle 0:02:32 timeout 3:00:00

NAT from inside:10.1.1.16 to outside:165.172.8.18 flags - idle 0:02:41 timeout 3:00:00

NAT from inside:10.1.1.136 to outside:165.172.8.118 flags - idle 0:02:35 timeout 3:00:00

NAT from inside:10.1.1.37 to outside:165.172.8.31 flags - idle 0:02:40 timeout 3:00:00

NAT from inside:10.1.1.233 to outside:165.172.8.208 flags - idle 0:02:30 timeout 3:00:00

NAT from inside:10.1.1.209 to outside:165.172.8.189 flags - idle 0:02:31 timeout 3:00:00

NAT from inside:10.1.1.21 to outside:165.172.8.235 flags - idle 0:02:29 timeout 3:00:00

NAT from inside:10.1.1.76 to outside:165.172.8.244 flags - idle 0:02:29 timeout 3:00:00

NAT from inside:10.1.1.28 to outside:165.172.8.25 flags - idle 0:02:40 timeout 3:00:00

NAT from inside:10.1.1.131 to outside:165.172.8.113 flags - idle 0:02:35 timeout 3:00:00

NAT from inside:10.1.1.52 to outside:165.172.8.42 flags - idle 0:02:40 timeout 3:00:00

NAT from inside:10.1.1.55 to outside:165.172.8.46 flags - idle 0:02:40 timeout 3:00:00

NAT from inside:10.1.1.132 to outside:165.172.8.114 flags - idle 0:02:35 timeout 3:00:00

NAT from inside:10.1.1.60 to outside:165.172.8.50 flags - idle 0:02:40 timeout 3:00:00

NAT from inside:10.1.1.27 to outside:165.172.8.24 flags - idle 0:02:43 timeout 3:00:00

NAT from inside:10.1.1.174 to outside:165.172.8.155 flags - idle 0:02:33 timeout 3:00:00

NAT from inside:10.1.1.117 to outside:165.172.8.101 flags - idle 0:02:41 timeout 3:00:00

NAT from inside:10.1.1.68 to outside:165.172.8.58 flags - idle 0:02:44 timeout 3:00:00

NAT from inside:10.1.1.192 to outside:165.172.8.173 flags - idle 0:02:38 timeout 3:00:00

NAT from inside:10.1.1.234 to outside:165.172.8.209 flags - idle 0:02:35 timeout 3:00:00

NAT from inside:10.1.1.157 to outside:165.172.8.140 flags - idle 0:02:40 timeout 3:00:00

NAT from inside:10.1.1.92 to outside:165.172.8.77 flags - idle 0:02:43 timeout 3:00:00

NAT from inside:10.1.1.254 to outside:165.172.8.228 flags - idle 0:02:35 timeout 3:00:00

NAT from inside:10.1.1.140 to outside:165.172.8.122 flags - idle 0:02:40 timeout 3:00:00

NAT from inside:10.1.1.176 to outside:165.172.8.157 flags - idle 0:02:42 timeout 3:00:00

NAT from inside:10.1.1.72 to outside:165.172.8.62 flags - idle 0:02:44 timeout 3:00:00

NAT from inside:10.1.1.39 to outside:165.172.8.34 flags - idle 0:02:48 timeout 3:00:00

NAT from inside:10.1.1.115 to outside:165.172.8.99 flags - idle 0:02:41 timeout 3:00:00

NAT from inside:10.1.1.191 to outside:165.172.8.171 flags - idle 0:02:38 timeout 3:00:00

NAT from inside:10.1.1.165 to outside:165.172.8.148 flags - idle 0:02:42 timeout 3:00:00

NAT from inside:10.1.1.90 to outside:165.172.8.75 flags - idle 0:02:44 timeout 3:00:00

NAT from inside:10.1.1.241 to outside:165.172.8.215 flags - idle 0:02:35 timeout 3:00:00

NAT from inside:10.1.1.214 to outside:165.172.8.194 flags - idle 0:02:36 timeout 3:00:00

NAT from inside:10.1.1.227 to outside:165.172.8.204 flags - idle 0:02:35 timeout 3:00:00

NAT from inside:10.1.1.100 to outside:165.172.8.86 flags - idle 0:02:46 timeout 3:00:00

NAT from inside:10.1.1.24 to outside:165.172.8.21 flags - idle 0:08:56 timeout 3:00:00

NAT from inside:10.1.1.127 to outside:165.172.8.110 flags - idle 0:02:44 timeout 3:00:00

The second last entry confirms your statement. Could be a candidate for a BUG. Get Cisco TAC working on this.
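An added example, not part of the original thread: a small parser for `sh xlate debug` lines in the format posted above, which separates entries that have sat idle past their own timeout from entries whose idle timer is still low. The function names are hypothetical, the first two sample lines are copied from the thread, and the third is constructed (documentation addresses) to show an overdue entry.

```python
import re
from datetime import timedelta

# Matches NAT lines in the format shown in the thread's `sh xlate debug` output.
XLATE_RE = re.compile(
    r"NAT from (?P<lif>\S+?):(?P<local>[\d.]+) to (?P<gif>\S+?):(?P<global>[\d.]+)"
    r" flags (?P<flags>\S+) idle (?P<idle>\d+:\d\d:\d\d) timeout (?P<timeout>\d+:\d\d:\d\d)"
)

def hms(text):
    """Convert the PIX h:mm:ss notation to a timedelta."""
    h, m, s = (int(part) for part in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)

def parse_xlate_debug(output):
    """Return one dict per NAT line; header and flag-legend lines are skipped."""
    entries = []
    for line in output.splitlines():
        match = XLATE_RE.search(line)
        if match:
            entry = match.groupdict()
            entry["idle"] = hms(entry["idle"])
            entry["timeout"] = hms(entry["timeout"])
            entries.append(entry)
    return entries

def overdue(entries):
    """Entries idle at or past their own timeout: these should have been removed."""
    return [e for e in entries if e["idle"] >= e["timeout"]]

def idle_summary(entries):
    """(shortest idle, longest idle) across the table."""
    idles = [e["idle"] for e in entries]
    return min(idles), max(idles)

# Lines 2-3 are from the thread; the last line is constructed for illustration.
SAMPLE = """\
229 in use, 229 most used
NAT from inside:10.1.1.23 to outside:165.172.8.237 flags - idle 0:02:32 timeout 3:00:00
NAT from inside:10.1.1.24 to outside:165.172.8.21 flags - idle 0:08:56 timeout 3:00:00
NAT from inside:192.0.2.10 to outside:198.51.100.10 flags - idle 3:14:07 timeout 3:00:00
"""

if __name__ == "__main__":
    table = parse_xlate_debug(SAMPLE)
    print("overdue:", [e["local"] for e in overdue(table)])
    print("idle range:", idle_summary(table))
```

An empty `overdue` result alongside a low idle range means the entries are being refreshed rather than failing to expire, which is a different problem from a timer that is not firing.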
