Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
849
Views
0
Helpful
0
Comments

On the PIX 500 Series Firewall with software version 6.x, the idle xlate entries do not time out

TCC_2
Level 10
Level 10

‎06-18-2009 03:49 PM - edited ‎03-08-2019 06:03 PM

Core issue

This behavior is documented in Cisco bug ID CSCdy58717.

TCP/UDP connections do not time out. This prevents translation (xlate) entries from timing out as well. Issue these commands in order to check whether connections do not time out:

  • show connection count Shows a large number of connections.

  • show timeout Shows the idle timeout value.

The connection timeout value must not be larger than the timeout value for the idle connections.

Resolution

As a workaround, perform either of these two tasks:

  • If this condition takes a long time to develop, then reload the PIX.

    For example, this workaround is appropriate if this issue only occurs several weeks after the PIX reloads.

  • If this condition takes a shorter time to develop, then issue the clear xlate command.

    This workaround is appropriate if this issue occurs only a couple of days after PIX reloads, or if a frequent reload is not a feasible workaround.

    If the clear xlate command does not clear all non-timing out connections, issue the clear local-host command.

As an alternative, download and upgrade the software version to the latest available version.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents