- Posts: 23
- Thank you received: 0
Xlate issue
- calicutbobby
- Topic Author
- Offline
- Junior Member
Less
More
16 years 11 months ago #24224
by calicutbobby
Xlate issue was created by calicutbobby
We have a fwsm (FWSM Firewall Version 3.2(2) with multiple VLANs configured. We have a server on one of the VLANs with the ip say 192.168.1.1. Backup of servers on othre VLANs are taken on this serer and hence we have opened the port range 22000 22009.
The problem we are facing is that for on of the server in one of the VLANs backup fails frequently and this needs to be solved by using the command "clear xlate local 192.168.1.1". Backup of other servers in the same VLAN happens without much problems.
Once cleared the backup works fine. Can anyone provide a solution for this.
The problem we are facing is that for on of the server in one of the VLANs backup fails frequently and this needs to be solved by using the command "clear xlate local 192.168.1.1". Backup of other servers in the same VLAN happens without much problems.
Once cleared the backup works fine. Can anyone provide a solution for this.
16 years 10 months ago #24538
by ramasamy
Replied by ramasamy on topic Re: Xlate issue
Hi,
It is posiable that xlate table might be full because of a long time out or huge traffic. Do one to one NAT the the same IP address for example if the server IP address is 1.1.1.1 do NAT with the same IP address as NAT is mandotary in PIX.
If your are using the ASA version of IOS in FWSM then use the "no nat-control" to remove the NAT mandatory.
It is posiable that xlate table might be full because of a long time out or huge traffic. Do one to one NAT the the same IP address for example if the server IP address is 1.1.1.1 do NAT with the same IP address as NAT is mandotary in PIX.
If your are using the ASA version of IOS in FWSM then use the "no nat-control" to remove the NAT mandatory.
16 years 9 months ago #25114
by bobb
Replied by bobb on topic Re: Xlate issue
Im having the exact same issue, FWSM (3.1(3)4) Randomly a server will stop responding. Viewing the xlate at the time of impairment seems to always show 3 duplicate xlate entries. I clear the specific xlate and continue for a few more days or weeks. I have provided cisco much detail on this and havent had any luck with the TAC. Im hopeful that the new xlate bypass feature will fix this. After being burned w/ FWSM upgrades in the past Im waiting for the safe harbor release scheduling to begin testing soon.
- calicutbobby
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 23
- Thank you received: 0
16 years 8 months ago #25302
by calicutbobby
Replied by calicutbobby on topic Re: Xlate issue
We have not found any solution yet. can someone please help?
16 years 8 months ago #25304
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Xlate issue
I had a similar problem with a customer and managed to bypass it by setting the xlate table timeout to 3 hours:
timeout xlate 3:00:00
My suggestion is to try setting your xlate to something like 3 hours or less and see what the results will be.
Cheers,
timeout xlate 3:00:00
My suggestion is to try setting your xlate to something like 3 hours or less and see what the results will be.
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
- calicutbobby
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 23
- Thank you received: 0
16 years 8 months ago #25323
by calicutbobby
Replied by calicutbobby on topic Re: Xlate issue
Thanks for the advice Chris, but the current timout is alread configured for 3 only (timeout xlate 3:00:00). Did a few analysis and was able to find more details:
We have a fwsm (FWSM Firewall Version 3.2(2) with multiple VLANs configured. We have a server (say BACKUPSERVER.DOMAIN.COM) on one of the VLANs with a security level 98. Backup of servers on other VLANs are taken on to this server and hence we have opened the port range 22000 22009.
The problem we are facing is that for one of the server which is in a lower security zone compared to BACKUPSERVER.DOMAIN.COM backup fails frequently. However clearing the xlate table using the command “clear xlate local ipaddress_BACKUPSERVERDOMAINCOM” resolves the issue and the backup initiates and is completed successfully. This shows that the configuration (ie. access-lists and nat statements) in place are correct.
Backup of other servers which are in higher security level is also being taken. But this is completed successfully without any issues.
So request help in getting this issue resolved.
We have a fwsm (FWSM Firewall Version 3.2(2) with multiple VLANs configured. We have a server (say BACKUPSERVER.DOMAIN.COM) on one of the VLANs with a security level 98. Backup of servers on other VLANs are taken on to this server and hence we have opened the port range 22000 22009.
The problem we are facing is that for one of the server which is in a lower security zone compared to BACKUPSERVER.DOMAIN.COM backup fails frequently. However clearing the xlate table using the command “clear xlate local ipaddress_BACKUPSERVERDOMAINCOM” resolves the issue and the backup initiates and is completed successfully. This shows that the configuration (ie. access-lists and nat statements) in place are correct.
Backup of other servers which are in higher security level is also being taken. But this is completed successfully without any issues.
So request help in getting this issue resolved.
Time to create page: 0.282 seconds