xconn value is set to 30min (temp)

conn value set to 30min (temp)

show xlate doesn't really show anything out of the ordinary..There are multiple hosts, although some host have multiple translates..

Shouldn't these xlates timeout after 30 mintues then drop..

Thanks for the reply

Xlate will be dropped after 30 minutes of idle (inactivity).

Since timeout value are equal between xlate and conn. I'd give it a BIG try by increasing xlate timeout to 00:40:00.

May be a reload of your pix would be good.

Anybody have a better idea.

What version of PIX do you run ?

Did the config used to work fine? If so you may want to check http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html

Just a little bit brainstorming:

PAT uses different default timeouts than NAT (30 seconds versus 3 hours). 30 seconds are used to save ressources: If PAT is in use, every session needs its own xlate, because we need ip addresses and port numbers!

I am not shure if there is a nob to change the default timeout for xlates which are based on PAT.

What about License:

- Do you use a UR license?

- Do you use a pix 501 with a 10 user license?

Edgar

Hi,

I'm facing same problem and I using pix 515. Did you have setup syslog server for your pix and using the tcp port for connection. If yes, please try to disable it, it will change back to normal. Try!

Raymond