On the PIX 500 Series Firewall with software version 6.x, the idle xlate entries do not time out


Core issue

This behavior is documented in Cisco bug ID CSCdy58717.

TCP/UDP connections do not time out, which in turn prevents translation (xlate) entries from timing out. Issue these commands in order to check whether connections are failing to time out:

  • show connection count: shows a large number of connections.

  • show timeout: shows the idle timeout value.

The connection timeout value must not be larger than the idle connection timeout value.
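The check above can be scripted against the command output. This is an added example written for this article, not Cisco code: it parses constructed samples of the two outputs and flags the condition described. The exact output layout and the reading of "idle connection timeout" as the timeout xlate value are assumptions.

```python
import re

# Constructed sample of PIX 6.x "show timeout" output (not captured from a real device).
# The conn value is deliberately larger than the xlate value to trigger the finding.
SAMPLE_SHOW_TIMEOUT = """\
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
"""

# Constructed sample of "show connection count" output (layout is an assumption).
SAMPLE_SHOW_CONN_COUNT = "24980 in use, 25000 most used"


def parse_hms(value):
    """Convert a PIX h:mm:ss timeout string into seconds."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_timeouts(text):
    """Return {name: seconds} for every 'name h:mm:ss' pair in show timeout output."""
    pairs = re.findall(r"([a-z_-]+)\s+(\d+:\d{2}:\d{2})", text)
    return {name: parse_hms(value) for name, value in pairs}


def parse_conn_count(text):
    """Return (in_use, most_used) from show connection count output."""
    match = re.search(r"(\d+) in use, (\d+) most used", text)
    if match is None:
        raise ValueError("unrecognised show connection count output")
    return int(match.group(1)), int(match.group(2))


def check_timeouts(timeouts):
    """Flag a conn timeout larger than the xlate (idle translation) timeout."""
    findings = []
    conn, xlate = timeouts.get("conn"), timeouts.get("xlate")
    if conn is not None and xlate is not None and conn > xlate:
        findings.append(f"timeout conn ({conn}s) is larger than timeout xlate ({xlate}s)")
    return findings


def connections_look_stuck(in_use, most_used, ratio=0.9):
    """Treat in-use connections at or above 'ratio' of the peak as a sign they are not aging out.
    The 0.9 threshold is an assumption; tune it for the site."""
    return most_used > 0 and in_use >= most_used * ratio


if __name__ == "__main__":
    print(check_timeouts(parse_timeouts(SAMPLE_SHOW_TIMEOUT)))
    print(connections_look_stuck(*parse_conn_count(SAMPLE_SHOW_CONN_COUNT)))
```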


As a workaround, perform either of these two tasks:

  • If this condition takes a long time to develop, then reload the PIX.

    For example, this workaround is appropriate if this issue only occurs several weeks after the PIX reloads.

  • If this condition takes a shorter time to develop, then issue the clear xlate command.

    This workaround is appropriate if this issue occurs only a couple of days after the PIX reloads, or if a frequent reload is not a feasible workaround.

    If the clear xlate command does not clear all of the connections that fail to time out, issue the clear local-host command.

As an alternative, download the latest available software version and upgrade the PIX.