PIXOS 7.0(4), problem with stateful xlate information

primero
Level 1

Hi all Forum.

I've got a pair of PIX 515s with a fresh 7.0(4) PIXOS configured in stateful failover configuration with a serial-based failover connection.

Looking at the syslog messages, I repeatedly see messages from the standby unit like this:

%PIX-3-210007: LU allocate xlate failed

On the Cisco syslog message list it's written:

Error Message %PIX|ASA-3-210007: LU allocate xlate failed

Explanation Stateful Failover failed to allocate a translation (xlate) slot record.

Recommended Action Check the available memory by using the show memory command to make sure that the Cisco ASA has free memory in the system. If no memory is available, add more memory.

But it's not the case because the available memory is huge (70% of the total memory) and block counts are good too.

Each time the message appears in the log, I see in the failover statistics that the "rerr" voice for TCP and UDP connections is incremented.

I've tried various versions of software of the 7.0 series but the problem is always present.

I would think about a hardware problem but the interface statistics show no errors ... so I would think about a software problem, but this pair of firewalls is the only one that has this behaviour.

Has anyone had an experience like this?

Thanks in advance

Francesco Ciocchetti

5 Replies

nkhawaja
Cisco Employee

Is your stateful link a dedicated link? Do you have HTTP stateful enabled?

thanks

Nadeem

Yes, my stateful link is dedicated with a XOver Eth cable.

I've not enabled HTTP stateful, first because I don't know what it is (gonna check it now), second because other pairs of 7.0(x) PIX work fine as expected in the same configuration as this one.

Thanks

Francesco Ciocchetti

Working with debug, I've discovered that each time the message appears in syslog, "debug fover fail" on the standby unit shows:

Failed to rep un_xlate for np/port/id/3/-1 10.243.65.32/123 - np/port/id/2/-1 10.243.65.135/123 flg: 1000 20 00002

The source differs from message to message but the destination is always the same ...

These connections are inbound (lower to higher sec level) and the mapping is done with a STATIC using the same IP on the real network and the static on the source network.

The destination 10.243.65.135 seems to be the only one that gives this problem, even though 5 other statics equal to this one, with the same low-level zone and high-level zone, are configured and working correctly.

123 is NTP. Is your server set for NTP? Maybe this is what you have to live with. Try to do a "wr standby".

thanks

Nadeem

I'm having the same problem on a pair of 525's. I upgraded them over the weekend to 7.0(4) and the same PIX-3-210005 error messages are logged on my failover.

Checking my debug, these only occur with NTP and SNMP packets. The NTP data is originating from my remote PIX's over a VPN to the 525's and reaching an Internal NTP server.

The SNMP data is originating from internal hosts sent over the VPN to the remote PIX's.

Failed to create rev flow (dropped) np/port/id/0/-1: xx.xx.xx.226/123 - np/port/id/1/-1: 172.16.11.1/123

%PIX-3-210005: LU allocate connection failed

Failed to create flow (dropped) for np/port/id/1/-1: 172.16.11.59/36307 - np/port/id/0/-1: yy.yy.yy.205/161

%PIX-3-210005: LU allocate connection failed
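
Both posters found the pattern (one destination, NTP and SNMP ports) by reading debug output by eye. As an added example, not part of the thread and not Cisco tooling, this Python script tallies `debug fover fail` lines by failure type, destination and port; the regex covers only the three line shapes quoted above, and one sample line is constructed.

```python
import re
from collections import Counter

# Covers only the three "debug fover fail" line shapes quoted in this thread.
LINE_RE = re.compile(
    r"Failed to (?P<what>rep un_xlate|create rev flow|create flow)"
    r"(?: \(dropped\))?(?: for)? "
    r"np/port/id/(?P<src_if>\d+)/-?\d+:? (?P<src>[^/\s]+)/(?P<sport>\d+) - "
    r"np/port/id/(?P<dst_if>\d+)/-?\d+:? (?P<dst>[^/\s]+)/(?P<dport>\d+)"
)

# Lines 1, 3, 4 and 5 are quoted from the thread; line 2 is constructed
# (same destination, different source) to mirror what the poster describes.
SAMPLE = """\
Failed to rep un_xlate for np/port/id/3/-1 10.243.65.32/123 - np/port/id/2/-1 10.243.65.135/123 flg: 1000 20 00002
Failed to rep un_xlate for np/port/id/3/-1 10.243.65.40/123 - np/port/id/2/-1 10.243.65.135/123 flg: 1000 20 00002
%PIX-3-210007: LU allocate xlate failed
Failed to create rev flow (dropped) np/port/id/0/-1: xx.xx.xx.226/123 - np/port/id/1/-1: 172.16.11.1/123
Failed to create flow (dropped) for np/port/id/1/-1: 172.16.11.59/36307 - np/port/id/0/-1: yy.yy.yy.205/161
"""


def parse(text):
    """Yield one dict per replication-failure debug line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Return [((kind, dst, dport), failures, distinct_sources)], most frequent first."""
    counts, sources = Counter(), {}
    for rec in parse(text):
        key = (rec["what"], rec["dst"], int(rec["dport"]))
        counts[key] += 1
        sources.setdefault(key, set()).add(rec["src"])
    return [(key, n, len(sources[key])) for key, n in counts.most_common()]


if __name__ == "__main__":
    for (what, dst, dport), n, nsrc in summarize(SAMPLE):
        print(f"{n:3d}  {what:<16} -> {dst}/{dport}  ({nsrc} distinct sources)")
```

A single destination with many distinct sources, as in the first poster's case, points at one translation or server rather than at the failover link itself.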