[nsp] PIX xlate timeouts

[Voll, Scott]

We are using the following and not having any problems

timeout xlate 3:00:00
timeout conn 5:00:00 half-closed 1193:00:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00

But we also are using PAT.  Any reason for not using PAT???

global (OUTSIDE) 1 x.x.x.x
global (OUTSIDE) 1 x.x.x.x

The half close was due to a bad program that kept disconnecting.
Probably a little over kill.

--scott


-----Original Message-----
From: Matt Stevens [mailto:matt at scoe.org] 
Sent: Tuesday, March 11, 2003 2:38 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] PIX xlate timeouts


What timeout settings are others using on their PIX? We're running into
issues where we're using up all the addresses in our pool (we have about
a /20 worth of addresses in the pool) because xlate slots aren't timing
out until evening hours when load drops.

Here's what we're using currently:
xlate 1:00:00
conn 0:45:00
half-closed 0:10:00
udp 0:02:00
rpc 0:10:00
h323 0:00:00
sip 0:30:00
sip_media 0:02:00

This is with PIX 6.2 - in the past we've had problems where certain
combinations of timeout values cause the PIX to not flush xlate slots at
all, resulting in a constant depletion of addresses in the pool. I've
never been able to nail down an exact explanation of how the different
values interact, which makes it hard to properly tweak them.

Anyone?
--
matt

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/