[nsp] PIX xlate timeouts - CSCdy58717

Voralt peder at voralt.net
Tue Mar 25 20:10:21 EST 2003


6.3(1) was released today and this is listed as a resolved caveat.


----- Original Message -----
From: "Brandon Psmythe" <Brandon.Psmythe at netiq.com>
To: <cisco-nsp at puck.nether.net>
Sent: Thursday, March 13, 2003 7:17 PM
Subject: RE: [nsp] PIX xlate timeouts - CSCdy58717


> Cisco will happily give you an engineering release if you ask nicely (and
> have smartnet / warranty on the pix).  I personally have had too many
> issues with the 6.2 line of code to trust an engineering release.
>
> We have had two unexpected outages due to CSCdy58717.  For us it takes
> one to two weeks before a pix515 starts refusing connections, and a week or a
> little less than a week on a 525 (of course there are more people, hence
> connections, behind our 525s and 535s).  I am gathering current connection
> counts for all our pixes via snmp.  A small perl script reads the data
> and lets me know if current connections is steadily increasing, and then I can
> schedule a reboot.  If you are running a pair of pixes in failover, make
> the secondary active (the secondary will then kill all the connections since
> it will realize they have timed out), reboot the primary, then fail back
> (that last part if you want).  With the redundant pix setup, the outage is then
> only seconds long.
>
> -brandon
>
>
> -----Original Message-----
> From: Joel Lafleur [mailto:joel at rim.net]
> Sent: Wednesday, March 12, 2003 10:29 AM
> To: Voll, Scott; Matt Stevens; cisco-nsp at puck.nether.net
> Subject: RE: [nsp] PIX xlate timeouts
>
>
> Watch out for CSCdy58717, "xlate table does not timeout entries. Need clear
> xlate to work."  First found in 6.2(2) and no publicly available fixed
> version.
>
> Joel
>
> > -----Original Message-----
> > From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> > Sent: March 11, 2003 5:39 PM
> > To: Matt Stevens; cisco-nsp at puck.nether.net
> > Subject: RE: [nsp] PIX xlate timeouts
> >
> >
> > We are using the following and not having any problems
> >
> > timeout xlate 3:00:00
> > timeout conn 5:00:00 half-closed 1193:00:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> >
> > But we also are using PAT.  Any reason for not using PAT???
> >
> > global (OUTSIDE) 1 x.x.x.x
> > global (OUTSIDE) 1 x.x.x.x
> >
> > The half-closed was due to a bad program that kept disconnecting.
> > Probably a little overkill.
> >
> > --scott
> >
> >
> > -----Original Message-----
> > From: Matt Stevens [mailto:matt at scoe.org]
> > Sent: Tuesday, March 11, 2003 2:38 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [nsp] PIX xlate timeouts
> >
> >
> > What timeout settings are others using on their PIX? We're running into
> > issues where we're using up all the addresses in our pool (we have about
> > a /20 worth of addresses in the pool) because xlate slots aren't timing
> > out until evening hours when load drops.
> >
> > Here's what we're using currently:
> > xlate 1:00:00
> > conn 0:45:00
> > half-closed 0:10:00
> > udp 0:02:00
> > rpc 0:10:00
> > h323 0:00:00
> > sip 0:30:00
> > sip_media 0:02:00
> >
> > This is with PIX 6.2 - in the past we've had problems where certain
> > combinations of timeout values cause the PIX to not flush xlate slots
> > at all, resulting in a constant depletion of addresses in the pool.
> > I've never been able to nail down an exact explanation of how the
> > different values interact, which makes it hard to properly tweak them.
> >
> > Anyone?
> > --
> > matt
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>

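The connection-count trend check Brandon describes (poll each PIX over SNMP, alarm when current connections climb steadily, then schedule the failover/reboot), written out as an added example that is not from this thread or from Cisco. The SNMP polling step and the OID to read are not given in the thread, so the readings below are constructed; the check keys on the overnight trough rather than on raw readings, so normal daytime load does not trip it.

```python
from datetime import datetime

# Constructed sample: (timestamp, "current connections" as polled from a PIX),
# one reading every six hours.  Daytime peaks come and go, but the overnight
# trough climbs day after day, which is what an xlate/conn table that never
# frees its slots looks like from the outside.
LEAKING = [
    ("2003-03-10 00:00", 1200), ("2003-03-10 06:00", 3100),
    ("2003-03-10 12:00", 6800), ("2003-03-10 18:00", 4300),
    ("2003-03-11 00:00", 1900), ("2003-03-11 06:00", 3900),
    ("2003-03-11 12:00", 7600), ("2003-03-11 18:00", 5000),
    ("2003-03-12 00:00", 2700), ("2003-03-12 06:00", 4600),
    ("2003-03-12 12:00", 8400), ("2003-03-12 18:00", 5900),
    ("2003-03-13 00:00", 3600), ("2003-03-13 06:00", 5500),
    ("2003-03-13 12:00", 9300), ("2003-03-13 18:00", 6800),
]

# Constructed sample of a healthy box: the trough returns to roughly the same
# level every night, so the peaks alone say nothing about a leak.
HEALTHY = [
    ("2003-03-10 00:00", 1200), ("2003-03-10 12:00", 6800),
    ("2003-03-11 00:00", 1250), ("2003-03-11 12:00", 7100),
    ("2003-03-12 00:00", 1180), ("2003-03-12 12:00", 6500),
    ("2003-03-13 00:00", 1230), ("2003-03-13 12:00", 7000),
]

def daily_minima(samples):
    """Lowest reading seen on each calendar day, in date order."""
    mins = {}
    for ts, count in samples:
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M").date()
        mins[day] = min(mins.get(day, count), count)
    return [mins[d] for d in sorted(mins)]

def leak_suspected(samples, days=3, min_growth=0.10):
    """True if the overnight trough rose by at least min_growth (a fraction)
    across each of the last `days` day-to-day steps."""
    troughs = daily_minima(samples)
    if len(troughs) < days + 1:
        return False  # not enough history to judge
    recent = troughs[-(days + 1):]
    return all(b >= a * (1 + min_growth) for a, b in zip(recent, recent[1:]))

if __name__ == "__main__":
    for name, data in (("leaking", LEAKING), ("healthy", HEALTHY)):
        verdict = "schedule reboot" if leak_suspected(data) else "ok"
        print(name, daily_minima(data), "->", verdict)
```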

