[nsp] PIX xlate timeouts

Joel Lafleur joel at rim.net
Wed Mar 12 13:28:49 EST 2003 

Watch out for CSCdy58717, "xlate table does not timeout entries.Need clear xlate to work."  First found in 6.2(2) and no publicly available fixed version.

Joel

> -----Original Message-----
> From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> Sent: March 11, 2003 5:39 PM
> To: Matt Stevens; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] PIX xlate timeouts
> 
> 
> We are using the following and not having any problems
> 
> timeout xlate 3:00:00
> timeout conn 5:00:00 half-closed 1193:00:00 udp 0:02:00 rpc 
> 0:10:00 h323
> 0:05:00 sip 0:30:00 sip_media 0:02:00
> 
> But we also are using PAT.  Any reason for not using PAT???
> 
> global (OUTSIDE) 1 x.x.x.x
> global (OUTSIDE) 1 x.x.x.x
> 
> The half close was due to a bad program that kept disconnecting.
> Probably a little over kill.
> 
> --scott
> 
> 
> -----Original Message-----
> From: Matt Stevens [mailto:matt at scoe.org] 
> Sent: Tuesday, March 11, 2003 2:38 PM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] PIX xlate timeouts
> 
> 
> What timeout settings are others using on their PIX? We're 
> running into
> issues where we're using up all the addresses in our pool (we 
> have about
> a /20 worth of addresses in the pool) because xlate slots 
> aren't timing
> out until evening hours when load drops.
> 
> Here's what we're using currently:
> xlate 1:00:00
> conn 0:45:00
> half-closed 0:10:00
> udp 0:02:00
> rpc 0:10:00
> h323 0:00:00
> sip 0:30:00
> sip_media 0:02:00
> 
> This is with PIX 6.2 - in the past we've had problems where certain
> combinations of timeout values cause the PIX to not flush 
> xlate slots at
> all, resulting in a constant depletion of addresses in the pool. I've
> never been able to nail down an exact explanation of how the different
> values interact, which makes it hard to properly tweak them.
> 
> Anyone?
> --
> matt
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list