06-05-2008 06:58 AM - edited 03-11-2019 05:55 AM
I have a fwsm which is used the connect a number of VRFs. Basically the fwsm functions as a router.
fwsm version 3.2(6) just upgraded from 3.2(1).
Occasionally i get the following error in my log: "%FWSM-3-305006: regular translation failed"
I have configured ACLs that permit all traffic from any to any on each interface.
All interfaces have the same security level.
I don't have NAT configured, nat-control is disabled.
And "same-security-traffic permit inter-interface" is enabled.
Any ideas why?
/Kennet
06-05-2008 08:51 AM
This is what Cisco has to say:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/s1.html#wp2655928
"We recommend that you do not make the outside interface (for example, where you access the Internet) on the same security level as your inside interfaces. On the FWSM, all connections have an associated xlate entry (even when you do not explicitly configure NAT). Xlates are normally created for connections between the inside interface and any lower security interface. In a same-security-traffic configuration, the FWSM randomly chooses which same-security interface is the "inside" interface for the sake of creating xlates. This selection may change later after a reload or after a software upgrade. If the FWSM considers the outside same-security interface as the "inside" interface, it creates xlates for every Internet host being accessed through it.
If there is any application (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted (see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide for xlate limits). After that, the FWSM will stop creating new xlates, logging error message %FWSM-3-305006: ("translation creation failed") for every new connection. The show resource usage command will show the number of active xlates equal or close to the limit. The clear xlate command will temporarily recover connectivity.
To avoid this situation, we recommend that the outside interface should always have security level lower than any other FWSM interface. This configuration guarantees that the FWSM always considers the ISP link as an outside interface. In this case, only one xlate will be created for every application or virus scanning Internet hosts from the inside network. No xlates will be created for Internet hosts being scanned."
Regards
Farrukh
06-05-2008 09:05 AM
The fwsm is not conncted to the Internet. Although there is a default route pointing to another firewall which serves as Inetrnet firewall.
Each interface on the fwsm connects to a vrf. Each vrf represents a company in a merger. In the future we will use the fwsm as a prober firewall to segment parts of the company.
Output from "sh resource usage"
Xlates 43840 45142 unlimited 0 System
Is there a limit?
/Kennet
06-05-2008 09:15 AM
Have a look at this:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.html#wp1055791
NAT translations (xlates), concurrent
Single Mode: 256 K
Multiple Mode: 256 K divided between all contexts
Regards
Farrukh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide