03-25-2013 11:16 AM - edited 03-11-2019 06:19 PM
We have an ASA 5540 with 8.2(5)
Last three days in early afternoon we start getting these errors in the log and webpages either won't load or pages only half load.
3|Mar 22 2013|13:22:24|305006|184.73.105.115|443|||portmap translation creation failed for tcp src inside:10.10.176.114/58217 dst outside:184.73.105.115/443
3|Mar 22 2013|13:22:24|305006|54.243.129.71|80|||portmap translation creation failed for tcp src inside:10.35.54.37/1517 dst outside:54.243.129.71/80
3|Mar 22 2013|13:22:24|305006|74.125.227.70|80|||portmap translation creation failed for tcp src inside:10.110.22.50/3968 dst outside:74.125.227.70/80
3|Mar 22 2013|13:22:24|305006|54.243.129.71|80|||portmap translation creation failed for tcp src inside:10.35.54.37/1516 dst outside:54.243.129.71/80
3|Mar 22 2013|13:22:24|305006|54.243.129.71|80|||portmap translation creation failed for tcp src inside:10.35.54.37/1515 dst outside:54.243.129.71/80
3|Mar 22 2013|13:22:24|305006|74.125.139.125|5222|||portmap translation creation failed for tcp src inside:10.160.230.91/49926 dst outside:74.125.139.125/5222
3|Mar 22 2013|13:22:24|305006|199.7.59.72|80|||portmap translation creation failed for tcp src inside:10.100.22.214/49988 dst outside:199.7.59.72/80
3|Mar 22 2013|13:22:24|305006|68.67.151.213|80|||portmap translation creation failed for tcp src inside:10.50.183.3/1420 dst outside:68.67.151.213/80
3|Mar 22 2013|13:22:24|305006|98.139.50.175|80|||portmap translation creation failed for tcp src inside:10.195.38.27/2259 dst outside:98.139.50.175/80
3|Mar 22 2013|13:22:24|305006|216.252.124.30|80|||portmap translation creation failed for tcp src inside:10.195.38.27/2258 dst outside:216.252.124.30/80
3|Mar 22 2013|13:22:24|305006|98.137.51.1|443|||portmap translation creation failed for tcp src inside:10.160.230.92/49984 dst outside:98.137.51.1/443
3|Mar 22 2013|13:22:24|305006|74.125.227.69|80|||portmap translation creation failed for tcp src inside:10.110.22.50/3966 dst outside:74.125.227.69/80
3|Mar 22 2013|13:22:24|305006|74.125.227.11|443|||portmap translation creation failed for tcp src inside:10.100.52.7/55758 dst outside:74.125.227.11/443
3|Mar 22 2013|13:22:24|305006|63.111.11.175|5222|||portmap translation creation failed for tcp src inside:10.10.184.106/52130 dst outside:63.111.11.175/5222
Here's some of the config:
!
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 72.xxx.xxx.2 255.255.255.0
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.1.1.2 255.255.240.0
!
interface GigabitEthernet0/2
speed 100
duplex full
nameif DMZ1
security-level 0
no ip address
!
interface GigabitEthernet0/3
shutdown
nameif DMZ2
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
pager lines 42
logging enable
logging monitor notifications
logging trap notifications
logging asdm informational
logging host inside 10.10.3.35
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu management 1500
ip local pool attsupport 172.xxx.xxx.10-172.xxx.xxx.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
failover polltime unit 15 holdtime 45
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
asdm history enable
arp timeout 14400
global (outside) 1 72.xxx.xxx.254
global (outside) 1 interface
nat (outside) 1 172.xxx.xxx.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-out in interface outside
access-group email_egress in interface inside
route outside 0.0.0.0 0.0.0.0 72.xxx.xxx.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
route inside 207.144.48.0 255.255.255.0 10.1.1.1 1
Any ideas?
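A small parser for the pipe-delimited syslog export shown above, added here as an illustration (not from the original thread): it keeps only the 305006 messages and counts failures per inside host, per destination service and per second, which is the view needed to tell a pool-wide PAT exhaustion from a single chatty host. The sample lines are constructed to match the post's export format.

```python
import re
from collections import Counter

# Constructed sample in the pipe-delimited export format seen in the post:
# severity|date|time|message-id|dst-ip|dst-port|||message text
SAMPLE_LOG = """\
3|Mar 22 2013|13:22:24|305006|54.243.129.71|80|||portmap translation creation failed for tcp src inside:10.35.54.37/1517 dst outside:54.243.129.71/80
3|Mar 22 2013|13:22:24|305006|54.243.129.71|80|||portmap translation creation failed for tcp src inside:10.35.54.37/1516 dst outside:54.243.129.71/80
3|Mar 22 2013|13:22:24|305006|74.125.227.70|80|||portmap translation creation failed for tcp src inside:10.110.22.50/3968 dst outside:74.125.227.70/80
3|Mar 22 2013|13:22:25|305006|74.125.139.125|5222|||portmap translation creation failed for tcp src inside:10.160.230.91/49926 dst outside:74.125.139.125/5222
6|Mar 22 2013|13:22:25|302013|74.125.227.70|80|||Built outbound TCP connection 12345 for outside:74.125.227.70/80 to inside:10.110.22.50/3970 (constructed, non-305006 line)
"""

# Pulls protocol, interfaces, addresses and ports out of the 305006 message text.
PORTMAP_RE = re.compile(
    r"portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_line(line):
    """Split one exported syslog line; return None unless it is a 305006 message."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 9 or fields[3] != "305006":
        return None
    m = PORTMAP_RE.search(fields[8])
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(fields[0])
    rec["timestamp"] = f"{fields[1]} {fields[2]}"
    return rec


def summarize(text):
    """Aggregate 305006 failures by inside host, destination service and protocol."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return {
        "total": len(recs),
        "by_src": Counter(r["src_ip"] for r in recs),
        "by_dst": Counter(f'{r["dst_ip"]}:{r["dst_port"]}' for r in recs),
        "by_proto": Counter(r["proto"] for r in recs),
    }


def burst_alert(text, threshold):
    """Return the seconds in which 305006 failures reached the threshold (constructed cut-off)."""
    per_sec = Counter(r["timestamp"] for r in (parse_line(l) for l in text.splitlines()) if r)
    return {ts: n for ts, n in per_sec.items() if n >= threshold}
```

Many distinct inside hosts failing toward many destinations in the same second, as in the post, points at the shared PAT pool rather than at one misbehaving client.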
03-25-2013 11:39 AM
Hi,
Have you checked the "show xlate count" to see how many translations are active at that moment?
Maybe also check the "show conn count" output at the same time.
The command "show perfmon" is also something that tells the current rate of connections and translations
You have a very basic Dynamic PAT configuration, other than that you have 2 public IP addresses configured, so you should have plenty of resources for PAT translations, but I can't think of any other limitation at the moment.
It just seems that this might be one possible reason. It might also explain why the pages load partially. When you load a web page there are most probably several connections involved to load the whole page. Some connections might not succeed because the firewall has exhausted all available translations. But still one would imagine that this would require some really heavy Internet use on your network.
Too bad your software level doesn't have the command "show nat pool" available.
- Jouni
03-25-2013 12:09 PM
Not experiencing any problems when I took these stats. Could we be reaching the limit for sessions behind one NAT IP address?
LEX5-Firewall# sho xlate count
42710 in use, 48835 most used
LEX5-Firewall# sho conn count
36936 in use, 41027 most used
LEX5-Firewall# sho perfmon
PERFMON STATS: Current Average
Xlates 338/s 347/s
Connections 388/s 431/s
TCP Conns 323/s 338/s
UDP Conns 62/s 90/s
URL Access 181/s 184/s
URL Server Req 0/s 0/s
TCP Fixup 21936/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 3/s 3/s
HTTP Fixup 21936/s 618/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
VALID CONNS RATE in TCP INTERCEPT: Current Average
N/A 96.00%
03-25-2013 12:24 PM
Hi,
It does seem you have quite a bit of connections active on the ASA.
Though that being said, it still to my understanding shouldn't even be close to reaching the limit.
Also the fact that you have 2 public IP addresses configured with the "global" command using the same "ID" number of the NAT configuration. This should mean that you should have more than enough resources.
I guess if you have some spare public IP addresses you could try adding a third PAT IP address with the "global" configuration command and see if there's any change in the situation.
I fear that this is one of the things where a person outside of Cisco might have problems troubleshooting without trying to lab and reproduce the situation. But to be honest I haven't looked at this kind of situation that much, and the few times I have, I have run into the problem that the firewall has been running too old software to actually get some clear output. That's why I mentioned the "show nat pool" command from newer software.
For example, output from my little ASA5505 running newer software:
ASA# show nat pool | inc WAN
TCP PAT pool WAN, address x.x.x.x, range 1-511, allocated 3
TCP PAT pool WAN, address x.x.x.x4, range 512-1023, allocated 0
TCP PAT pool WAN, address x.x.x.x, range 1024-65535, allocated 46
UDP PAT pool WAN, address x.x.x.x, range 1-511, allocated 17
UDP PAT pool WAN, address x.x.x.x, range 512-1023, allocated 0
UDP PAT pool WAN, address x.x.x.x, range 1024-65535, allocated 16
Where
I don't know if there is a similar command on your software. I would check the available parameters on the "show xlate" and "show nat" commands.
Also the command reference for your software should list the command parameters if you want to check.
But as I said I would probably see if I could add a third PAT IP address and see if it has any kind of effect on the problem. Or perhaps wait if someone from Cisco has run into this before and would have good commands to troubleshoot this issue.
- Jouni
03-25-2013 01:14 PM
Connections are going down. After school hours now, I don't have values for what they were during school hours.
LEX5-Firewall# sho xlate count
33200 in use, 48835 most used
LEX5-Firewall# sho conn count
31056 in use, 41027 most used
LEX5-Firewall# sho run | i timeout
arp timeout 14400
timeout xlate 24:00:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
telnet timeout 10
ssh timeout 5
console timeout 0
vpn-idle-timeout 45
vpn-session-timeout none
03-25-2013 01:22 PM
Hi,
Well just to compare the stats that we have at our customer range from 3 hours to 9 hours. (for xlate)
In the normal situation I would imagine that the translation is torn down after the connection is removed, but I guess it wouldn't really hurt to lower the xlate timeout to perhaps closer to the connection timeout.
Though as I said if you would want to test with least amount of impact to current operation you could try adding additional PAT IP addresses using the same
Then again the "show xlate count" should already tell the "most used" value for the firewall unless the firewall has rebooted (but I doubt it?)
- Jouni
03-25-2013 01:47 PM
We did reboot the firewall because that was the "fix".
:/
So all the counts were reset. That most used count above was within 15 minutes of rebooting this afternoon.
I'll find out tomorrow if it happens again. Thanks for the info!