Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1204
Views
0
Helpful
3
Replies

regular translation creation failed on fwsm without NAT

kennet
Level 1
Level 1

‎06-05-2008 06:58 AM - edited ‎03-11-2019 05:55 AM

I have a fwsm which is used the connect a number of VRFs. Basically the fwsm functions as a router.

fwsm version 3.2(6) just upgraded from 3.2(1).

Occasionally i get the following error in my log: "%FWSM-3-305006: regular translation failed"

I have configured ACLs that permit all traffic from any to any on each interface.

All interfaces have the same security level.

I don't have NAT configured, nat-control is disabled.

And "same-security-traffic permit inter-interface" is enabled.

Any ideas why?

/Kennet

Labels:
0 Helpful
3 Replies 3

Farrukh Haroon
VIP Alumni
VIP Alumni

‎06-05-2008 08:51 AM

This is what Cisco has to say:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/s1.html#wp2655928

"We recommend that you do not make the outside interface (for example, where you access the Internet) on the same security level as your inside interfaces. On the FWSM, all connections have an associated xlate entry (even when you do not explicitly configure NAT). Xlates are normally created for connections between the inside interface and any lower security interface. In a same-security-traffic configuration, the FWSM randomly chooses which same-security interface is the "inside" interface for the sake of creating xlates. This selection may change later after a reload or after a software upgrade. If the FWSM considers the outside same-security interface as the "inside" interface, it creates xlates for every Internet host being accessed through it.

If there is any application (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted (see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for xlate limits). After that, the FWSM will stop creating new xlates, logging error message %FWSM-3-305006: ("translation creation failed") for every new connection. The show resource usage command will show the number of active xlates equal or close to the limit. The clear xlate command will temporarily recover connectivity.

To avoid this situation, we recommend that the outside interface should always have security level lower than any other FWSM interface. This configuration guarantees that the FWSM always considers the ISP link as an outside interface. In this case, only one xlate will be created for every application or virus scanning Internet hosts from the inside network. No xlates will be created for Internet hosts being scanned."

Regards

Farrukh

0 Helpful

kennet
Level 1
Level 1
In response to Farrukh Haroon

‎06-05-2008 09:05 AM

The fwsm is not conncted to the Internet. Although there is a default route pointing to another firewall which serves as Inetrnet firewall.

Each interface on the fwsm connects to a vrf. Each vrf represents a company in a merger. In the future we will use the fwsm as a prober firewall to segment parts of the company.

Output from "sh resource usage"

Xlates 43840 45142 unlimited 0 System

Is there a limit?

/Kennet

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to kennet

‎06-05-2008 09:15 AM

Have a look at this:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.html#wp1055791

NAT translations (xlates), concurrent

Single Mode: 256 K

Multiple Mode: 256 K divided between all contexts

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card