Understanding xlate and conn idle and timeout values through example


Introduction

To put it simply: the idle timer in the show conn output shows the time since the last packet was seen on that connection. The idle timer in the show xlate output shows the time since the last conn using that translation was created.

The timeout value in the xlate output does not start counting down until the last conn associated with the xlate is torn down. As long as at least one conn still uses the xlate, the xlate is not aged out.

 

Dynamic PAT Example Output:

ciscoasa# sh conn | i 23

TCP outside 10.10.10.206:23 inside 192.168.1.100:3130, idle 0:00:37, bytes 173, flags UIO

ciscoasa# sh xlat deb | i 313

TCP PAT from inside:192.168.1.100/3130 to outside:172.18.254.168/30670 flags ri idle 0:02:41 timeout 0:00:30

ciscoasa#

 

  • The TCP conn has been idle (no packets received) for 37 seconds.
  • The last TCP conn created sourced from 192.168.1.100/3130 was 2 minutes and 41 seconds ago.
  • The 30 second xlate timeout will begin when the last conn is removed.

 

Static NAT Example Output:

ciscoasa(config)# sh conn | i 23      

TCP outside 10.10.10.206:23 inside 192.168.1.150:62470, idle 0:00:05, bytes 259, flags UIO

ciscoasa(config)# sh xlat deb | i 2.150

NAT from inside:192.168.1.150 to outside:172.18.254.252 flags s idle 0:01:37 timeout 0:00:00

ciscoasa(config)#

 

  • The TCP conn has been idle (no packets received) for 5 seconds.
  • The last TCP conn created sourced from 192.168.1.150 was 1 minute and 37 seconds ago.
  • The xlate shows timeout 0:00:00 and flag s: there is no xlate timeout because this is a static NAT translation, which is never aged out.

 

Dynamic NAT Example Output:

 

ciscoasa(config)# sh conn | i 1.150   

TCP outside 10.10.10.206:23 inside 192.168.1.150:26631, idle 0:00:58, bytes 175, flags UIO

ciscoasa(config)# sh xlat deb | i 1.150

NAT from inside:192.168.1.150 to outside:172.18.254.253 flags i idle 0:01:08 timeout 3:00:00

ciscoasa(config)#  

 

  • The TCP conn has been idle (no packets received) for 58 seconds.
  • The last TCP conn created sourced from 192.168.1.150 was 1 minute and 8 seconds ago.
  • The 3 hour xlate timeout will begin when the last conn using this xlate is removed.
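The reading rules in the Introduction and the three scenarios above can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not part of the original post and not a Cisco tool. It parses the show conn and show xlate debug lines quoted above, confirms that each xlate really translates the conn it is paired with (same inside address, same source port for a PAT entry, same protocol), and reports the conn idle, xlate idle and xlate timeout values in seconds, with a static xlate (flag s) reported as having no timeout. The regular expressions are written only against the line shapes shown on this page (TCP, IPv4, one-to-one NAT or PAT); other show conn / show xlate variants are an assumption not covered here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample output copied from the three examples in the post above.
CONN_PAT = "TCP outside 10.10.10.206:23 inside 192.168.1.100:3130, idle 0:00:37, bytes 173, flags UIO"
XLATE_PAT = ("TCP PAT from inside:192.168.1.100/3130 to outside:172.18.254.168/30670 "
             "flags ri idle 0:02:41 timeout 0:00:30")
CONN_STATIC = "TCP outside 10.10.10.206:23 inside 192.168.1.150:62470, idle 0:00:05, bytes 259, flags UIO"
XLATE_STATIC = "NAT from inside:192.168.1.150 to outside:172.18.254.252 flags s idle 0:01:37 timeout 0:00:00"
CONN_DYN = "TCP outside 10.10.10.206:23 inside 192.168.1.150:26631, idle 0:00:58, bytes 175, flags UIO"
XLATE_DYN = "NAT from inside:192.168.1.150 to outside:172.18.254.253 flags i idle 0:01:08 timeout 3:00:00"

# Patterns match only the line shapes quoted on this page (TCP, IPv4, NAT or PAT).
CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<a_if>[\w-]+) (?P<a_ip>[\d.]+):(?P<a_port>\d+) "
    r"(?P<b_if>[\w-]+) (?P<b_ip>[\d.]+):(?P<b_port>\d+), idle (?P<idle>\d+:\d\d:\d\d), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)
XLATE_RE = re.compile(
    r"^(?:(?P<proto>\w+) )?(?P<kind>PAT|NAT) from (?P<in_if>[\w-]+):(?P<in_ip>[\d.]+)"
    r"(?:/(?P<in_port>\d+))? to (?P<out_if>[\w-]+):(?P<out_ip>[\d.]+)(?:/(?P<out_port>\d+))? "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d\d:\d\d) timeout (?P<timeout>\d+:\d\d:\d\d)$"
)


def parse_duration(text: str) -> int:
    """Convert the ASA h:mm:ss counter to seconds (0:02:41 -> 161)."""
    h, m, s = (int(p) for p in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class Conn:
    proto: str
    endpoints: dict        # interface name -> (ip, port), one entry per side
    idle_s: int            # seconds since the last packet on this conn
    byte_count: int
    flags: str


@dataclass
class Xlate:
    proto: Optional[str]   # present on PAT entries only
    kind: str              # "PAT" or "NAT"
    in_if: str
    in_ip: str
    in_port: Optional[int]  # per-port for PAT, None for a whole-host NAT
    out_ip: str
    flags: str             # s static, i dynamic, r portmap
    idle_s: int            # seconds since the last conn was built on this xlate
    timeout_s: int         # countdown that starts once the last conn is gone

    @property
    def is_static(self) -> bool:
        return "s" in self.flags


def parse_conn(line: str) -> Conn:
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show conn line: {line!r}")
    g = m.groupdict()
    return Conn(g["proto"],
                {g["a_if"]: (g["a_ip"], int(g["a_port"])),
                 g["b_if"]: (g["b_ip"], int(g["b_port"]))},
                parse_duration(g["idle"]), int(g["bytes"]), g["flags"])


def parse_xlate(line: str) -> Xlate:
    m = XLATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show xlate line: {line!r}")
    g = m.groupdict()
    return Xlate(g["proto"], g["kind"], g["in_if"], g["in_ip"],
                 int(g["in_port"]) if g["in_port"] else None, g["out_ip"], g["flags"],
                 parse_duration(g["idle"]), parse_duration(g["timeout"]))


def xlate_covers(conn: Conn, xlate: Xlate) -> bool:
    """True if the xlate translates the conn's endpoint on the xlate's inside interface."""
    if xlate.proto and xlate.proto != conn.proto:
        return False
    ep = conn.endpoints.get(xlate.in_if)
    if ep is None or ep[0] != xlate.in_ip:
        return False
    # A PAT xlate is built per source port; a NAT xlate covers every port of the host.
    return xlate.in_port is None or xlate.in_port == ep[1]


def summarize(conn: Conn, xlate: Xlate) -> dict:
    """Report the timers the way the post reads them, in seconds."""
    if not xlate_covers(conn, xlate):
        raise ValueError("this xlate does not translate this conn")
    return {
        "xlate_type": ("static " if xlate.is_static else "dynamic ") + xlate.kind,
        "conn_idle_s": conn.idle_s,
        "xlate_idle_s": xlate.idle_s,
        # Static xlates never age out; a dynamic xlate's countdown only starts
        # after the last conn using it is torn down, so it has not begun here.
        "xlate_timeout_s": None if xlate.is_static else xlate.timeout_s,
    }


def analyze_post_samples() -> list:
    pairs = [(CONN_PAT, XLATE_PAT), (CONN_STATIC, XLATE_STATIC), (CONN_DYN, XLATE_DYN)]
    return [summarize(parse_conn(c), parse_xlate(x)) for c, x in pairs]
```

Calling analyze_post_samples() returns one dictionary per scenario: 37 / 161 / 30 seconds for the dynamic PAT case, 5 / 97 / no timeout for the static case, and 58 / 68 / 10800 seconds for the dynamic NAT case. The xlate_covers check is the part worth keeping when you adapt this to real output: pairing a conn with the wrong xlate (for example the static 192.168.1.150 entry against the 192.168.1.100 conn) is rejected instead of producing a misleading summary.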
Comments
Cisco Employee

Excellent and precise explanation - to the point and well covered

Excellent post.

Adding to the above, (bytes 259) indicates how many bytes of data have been transferred.