timeout for pat

czq
Level 1

Hello All,

I have a question about the timeout for PAT.

What controls the PAT translation slot's timeout?

I used a PIX 501 with 6.2(2). I set timeout xlate to 10 minutes. It worked fine for NAT translation slots, but it didn't work for PAT translations.

Here is the information I got from the firewall.

----------------------------------------
sh xlate debug
125 in use, 15217 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static
UDP PAT from inside:10.1.9.133/1962 to outside:X.153.46.6/1036 flags ri idle 0:39:39 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1918 to outside:X.153.46.6/1084 flags ri idle 1:21:31 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1898 to outside:X.153.46.6/1068 flags ri idle 1:37:47 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1879 to outside:X.153.46.6/1052 flags ri idle 1:53:57 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1860 to outside:X.153.46.6/1036 flags ri idle 2:10:12 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1956 to outside:X.153.46.6/1116 flags ri idle 0:48:59 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1937 to outside:X.153.46.6/1100 flags ri idle 1:05:13 timeout 0:00:30
----------------------------------------

If the xlate timeout worked, then once the idle time of an xlate reached the configured value, the translation slot should be disconnected. But it didn't work, and the firewall's translation slots were always used up. It frequently got "out of address translation slot".

Any idea about it? Thanks in advance!

czq

1 Reply

scoclayton
Level 7

Hi,

This is a known issue in the 6.2(2) code. The DDTS for this is CSCdy58717 - xlate table does not timeout entries. Need clear xlate to work. The good news is that this bug has been fixed in the 6.2(3) code. Can you upgrade your PIX and re-test to see that this resolves the issue you are reporting?

Thanks,

Scott
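
To check a capture for the symptom described in this thread, the following added example (not code from either poster or from Cisco) parses PAT lines in the `sh xlate debug` format shown in the question and lists entries whose idle time exceeds their timeout. The function names and the third sample line are constructed for illustration; the assumption is that an entry idle longer than its timeout should already have been removed.

```python
import re
from datetime import timedelta

# Constructed sample in the format of the question's output; the last
# line is an invented healthy entry added for contrast.
SAMPLE = """\
125 in use, 15217 most used
UDP PAT from inside:10.1.9.133/1962 to outside:X.153.46.6/1036 flags ri idle 0:39:39 timeout 0:00:30
TCP PAT from inside:10.1.9.133/1918 to outside:X.153.46.6/1084 flags ri idle 1:21:31 timeout 0:00:30
TCP PAT from inside:10.1.9.200/2001 to outside:X.153.46.6/1200 flags ri idle 0:00:12 timeout 0:00:30
"""

# One PAT entry per line: protocol, inside host/port, outside host/port,
# flags, idle time and timeout, both as h:mm:ss.
XLATE_RE = re.compile(
    r"^(?P<proto>\S+) PAT from (?P<src>\S+) to (?P<dst>\S+) "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d\d:\d\d) "
    r"timeout (?P<timeout>\d+:\d\d:\d\d)$"
)

def hms(text):
    """Convert an h:mm:ss string from the output into a timedelta."""
    h, m, s = (int(part) for part in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)

def stale_pat_entries(output):
    """Return (total PAT entries, list of entries with idle > timeout)."""
    total, stale = 0, []
    for line in output.splitlines():
        match = XLATE_RE.match(line.strip())
        if not match:
            continue  # header, flag legend, or non-PAT line
        total += 1
        idle, timeout = hms(match["idle"]), hms(match["timeout"])
        if idle > timeout:
            overdue = int((idle - timeout).total_seconds())
            stale.append({"proto": match["proto"], "src": match["src"],
                          "dst": match["dst"], "overdue_s": overdue})
    return total, stale

if __name__ == "__main__":
    total, stale = stale_pat_entries(SAMPLE)
    print(f"{len(stale)} of {total} PAT entries are past their timeout")
    for entry in stale:
        print(f"  {entry['proto']} {entry['src']} -> {entry['dst']} "
              f"overdue by {entry['overdue_s']}s")
```
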