[nsp] PIX xlate timeouts - CSCdy58717

Brandon Psmythe Brandon.Psmythe at netiq.com
Thu Mar 13 17:17:33 EST 2003


Cisco will happily give you an engineering release if you ask nicely (and
have SmartNet / warranty on the PIX).  I personally have had too many issues
with the 6.2 line of code to trust an engineering release.

We have had two unexpected outages due to CSCdy58717.  For us it takes one
to two weeks before a PIX 515 starts refusing connections, and a week or a
little less than a week on a 525 (of course there are more people, hence
connections, behind our 525s and 535s).  I am gathering current connection
counts for all our PIXes via SNMP.  A small Perl script reads the data and
lets me know if current connections is steadily increasing, and then I can
schedule a reboot.  If you are running a pair of PIXes in failover, make the
secondary active (the secondary will then kill all the connections since it
will realize they have timed out), reboot the primary, then fail back (that
last part only if you want).  With the redundant PIX setup, the outage is then
only seconds long.

-brandon

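The monitoring half of the workaround described above (poll the current connection count over SNMP, watch for a steady climb, schedule the reboot before the box fills up), written out as an added example. This is not Brandon's Perl script: it is Python written for this page, and it assumes the CISCO-FIREWALL-MIB OID shown, the net-snmp `snmpget` output format it parses, a 5% per-day growth threshold, and the two constructed sample series at the bottom. The one refinement over a plain "is it going up" check follows from Matt's observation that slots only clear in the evening hours: the daytime count is noisy, so the script compares the nightly minima, which should return to the same floor every night on a healthy unit and ratchet upward on a leaking one.

```python
"""Spot a PIX whose connection table never drains, from periodic SNMP samples.

Added example (not the poster's Perl script). On a healthy PIX the connection
count falls back to a low floor every night; when xlates/conns stop timing
out, that nightly floor ratchets upward day after day until the box refuses
connections.
"""
import re
from datetime import datetime, timedelta

# CISCO-FIREWALL-MIB cfwConnectionStatValue, instance protoIp(40)/currentInUse(6).
# Assumption for this example: confirm the OID against the MIB your PIX image ships.
CONN_IN_USE_OID = "1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6"

# Value field of a net-snmp style `snmpget` line, e.g.
# 'SNMPv2-SMI::enterprises.9.9.147.1.2.2.2.1.5.40.6 = Gauge32: 4821'
_SNMP_VALUE = re.compile(r"=\s*(?:Gauge32|Counter32|INTEGER):\s*(\d+)\s*$")


def parse_snmpget_line(line: str) -> int:
    """Extract the integer value from one snmpget output line."""
    m = _SNMP_VALUE.search(line)
    if not m:
        raise ValueError(f"unrecognised snmpget output: {line!r}")
    return int(m.group(1))


def daily_minima(samples):
    """Lowest connection count observed on each calendar day, oldest first."""
    minima = {}
    for ts, count in samples:
        day = ts.date()
        minima[day] = min(count, minima.get(day, count))
    return [minima[day] for day in sorted(minima)]


def leak_detected(samples, days=4, min_growth=0.05):
    """Return (leaking, floors).

    leaking is True when the nightly floor rose on each of the last `days`
    day-to-day steps and the mean relative growth per step is at least
    `min_growth` (5% by default, an assumed threshold). One or two rising
    days happen in any busy week; a steady ratchet over several days is the
    signature of entries that are never being freed.
    """
    if days < 1:
        raise ValueError("days must be at least 1")
    floors = daily_minima(samples)
    if len(floors) < days + 1:
        return False, floors          # not enough history to judge
    recent = floors[-(days + 1):]
    steps = list(zip(recent, recent[1:]))
    rising = all(b > a for a, b in steps)
    growth = [(b - a) / max(a, 1) for a, b in steps]
    return rising and sum(growth) / len(growth) >= min_growth, floors


def constructed_samples(nightly_floors, start=datetime(2003, 3, 1)):
    """Fake a run of 6-hourly readings from a list of nightly floors.

    02:00 reads the floor, 08:00 and 20:00 sit in between, 14:00 is the
    daytime peak. Constructed test data, not a real capture.
    """
    samples = []
    for i, floor in enumerate(nightly_floors):
        day = start + timedelta(days=i)
        for hour, extra in ((2, 0), (8, 2000), (14, 4000), (20, 2000)):
            samples.append((day + timedelta(hours=hour), floor + extra))
    return samples


# A PIX that drains properly overnight versus one whose floor keeps climbing.
HEALTHY = constructed_samples([900, 880, 950, 910, 900, 920])
LEAKING = constructed_samples([900, 1150, 1400, 1700, 2050, 2400])

if __name__ == "__main__":
    for name, series in (("healthy", HEALTHY), ("leaking", LEAKING)):
        leaking, floors = leak_detected(series)
        verdict = "schedule a reboot / failover" if leaking else "ok"
        print(f"{name}: nightly floors {floors} -> {verdict}")
```

In production the samples would come from a cron job running `snmpget` against each PIX and appending `(timestamp, parse_snmpget_line(output))` to a per-device log; the detector then runs once a day over the last week of that log. Tune `days` to the observed fill time (Brandon quotes one to two weeks on a 515, about a week on a 525) so the alert fires with a few days of margin before the unit starts refusing connections.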

-----Original Message-----
From: Joel Lafleur [mailto:joel at rim.net] 
Sent: Wednesday, March 12, 2003 10:29 AM
To: Voll, Scott; Matt Stevens; cisco-nsp at puck.nether.net
Subject: RE: [nsp] PIX xlate timeouts


Watch out for CSCdy58717, "xlate table does not timeout entries. Need clear
xlate to work."  First found in 6.2(2) and no publicly available fixed
version.

Joel

> -----Original Message-----
> From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> Sent: March 11, 2003 5:39 PM
> To: Matt Stevens; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] PIX xlate timeouts
> 
> 
> We are using the following and not having any problems
> 
> timeout xlate 3:00:00
> timeout conn 5:00:00 half-closed 1193:00:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> 
> But we also are using PAT.  Any reason for not using PAT???
> 
> global (OUTSIDE) 1 x.x.x.x
> global (OUTSIDE) 1 x.x.x.x
> 
> The half-closed value was due to a bad program that kept disconnecting.
> Probably a little overkill.
> 
> --scott
> 
> 
> -----Original Message-----
> From: Matt Stevens [mailto:matt at scoe.org]
> Sent: Tuesday, March 11, 2003 2:38 PM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] PIX xlate timeouts
> 
> 
> What timeout settings are others using on their PIX? We're running into
> issues where we're using up all the addresses in our pool (we have about
> a /20 worth of addresses in the pool) because xlate slots aren't timing
> out until evening hours when load drops.
> 
> Here's what we're using currently:
> xlate 1:00:00
> conn 0:45:00
> half-closed 0:10:00
> udp 0:02:00
> rpc 0:10:00
> h323 0:00:00
> sip 0:30:00
> sip_media 0:02:00
> 
> This is with PIX 6.2 - in the past we've had problems where certain 
> combinations of timeout values cause the PIX to not flush xlate slots 
> at all, resulting in a constant depletion of addresses in the pool. 
> I've never been able to nail down an exact explanation of how the 
> different values interact, which makes it hard to properly tweak them.
> 
> Anyone?
> --
> matt
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
