Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
815
Views
0
Helpful
0
Comments

The PIX Firewall does not clear the translation table automatically, as defined by the xlate timer

TCC_2
Level 10
Level 10

‎06-22-2009 05:04 PM - edited ‎03-08-2019 06:20 PM

Core issue

The flow of traffic from the hosts and workstations behind the PIX Firewall to the Internet is interrupted in this situation. The flow is interrupted because PIX does not follow the xlate timer defined with the xlate timeout command.

The translation entries do not time out properly, and they fill up the connections. This leaves no available resources for new connections. Only after a clear xlate command is issued are new connections possible.

Resolution

When experiencing this issue, collect these outputs to help determine whether Cisco bug ID CSCdy58717 or bug ID CSCec47609 applies to the problem:

  • The sh conn count command output shows a large number of connections.  

       
  • The sh conn command output shows that the idle time of some connections exceeds the configured timeout.  

       
  • The sh timeout command output shows the timeout value configured on the PIX for connections and xlates.

Performance through the PIX can be adversely affected by idle connections, xlates that are not cleared by the PIX, and the fact that the PIX does not reclaim these resources. Symptoms, such as high CPU usage and memory allocation errors, can be observed. Also, new connections through the PIX are denied.

One or more of these messages could be logged in the PIX syslog. These messages could point to the PIX hitting one of the bugs mentioned in the document:

  • %PIX-3-202001: Out of address translation slots!  

       
  • %PIX-3-211001: Memory allocation Error  

       
  • %PIX-3-201008: The PIX is disallowing new connections.  

       
  • %PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

If any of these symptoms are observed, take the output of the show version command from the PIX. This output can help to identify the code running on the PIX. To resolve the issue, update the code running on the PIX to the corresponding fixed release, as stated in the details of the bug.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents