[c-nsp] ASA 8.4 error 305006 regular translation creation failed

Jeff Kell jeff-kell at utc.edu
Sat Nov 2 19:10:07 EDT 2013


Not having fun with TAC, let me ask the real experts :)

ASA-5585X running 8.4(7), recent upgrade in response to last month's
security advisories against the 8.4 code we were running...

Now getting a number of the "%ASA-3-305006 regular translation creation
failed" errors logged, typically for plain vanilla TCP connections.

Checking the logs for the internal IPs being flagged, in every case I'm
seeing the internal IP having no translation, and the 305006 is almost
immediately followed by a "%ASA-6-305009: Built dynamic translation" for
the address in question. 

We have plenty of IPs in our outside pool.  We're not close to our xlate
or connection table limits.  This seems to just happen "out of the blue".

For the failed 305006, it will list source-IP/source-port to
external-IP/external-port that failed.  This connection will never be
established.  The follow-up 305009 will create the translation, then
there will be a normal connection logged from the same
source-IP/different-source-port.  So the original attempt fails and the
subsequent retry succeeds. 

We only have a handful of these in a given day... but I'm not sure of
our "xlate creation/teardown" rate.  Connection-wise we're doing close
to 1000 connections/second at peak. 

I saw some of these errors in earlier 8.4 code, but they seem to have
gotten worse with 8.4(7) [and/or our traffic has increased accordingly].

Anyone else? 

Jeff
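
Added example, not part of the original post: one way to measure the pattern described above is to pair each 305006 failure with the next 305009 for the same inside address. The sample log lines are constructed, and the message layouts, the timestamp format, the 2-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the post). Layout is assumed: ASA 8.4
# syslog text with "logging timestamp" enabled.
SAMPLE_LOG = """\
Nov 02 2013 19:05:01: %ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.20/51515 dst outside:192.0.2.80/80
Nov 02 2013 19:05:01: %ASA-6-305009: Built dynamic translation from inside:10.1.1.20 to outside:198.51.100.7
Nov 02 2013 19:05:04: %ASA-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.80/80 (192.0.2.80/80) to inside:10.1.1.20/51516 (198.51.100.7/51516)
Nov 02 2013 19:20:30: %ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.33/40000 dst outside:192.0.2.81/443
Nov 02 2013 19:31:00: %ASA-6-305009: Built dynamic translation from inside:10.1.1.44 to outside:198.51.100.9
"""

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
FAIL_RE = re.compile(TS + r"%ASA-3-305006: regular translation creation failed for "
                     r"(?P<proto>\S+) src \S+?:(?P<src>[\d.]+)/(?P<sport>\d+) "
                     r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")
BUILT_RE = re.compile(TS + r"%ASA-6-305009: Built dynamic translation from "
                      r"\S+?:(?P<src>[\d.]+) to \S+?:(?P<mapped>[\d.]+)")

def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def correlate(log_text, window_seconds=2):
    """Pair each 305006 failure with the first 305009 for the same inside IP
    that follows within window_seconds; unpaired failures keep mapped=None."""
    window = timedelta(seconds=window_seconds)
    pending = {}   # inside IP -> failures still waiting for a 305009
    results = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            rec = {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                   "dport": int(m["dport"]), "mapped": None, "delay": None}
            results.append(rec)
            pending.setdefault(m["src"], []).append((parse_ts(m["ts"]), rec))
            continue
        m = BUILT_RE.match(line)
        if m:
            built = parse_ts(m["ts"])
            for failed_at, rec in pending.pop(m["src"], []):
                if timedelta(0) <= built - failed_at <= window:
                    rec["mapped"] = m["mapped"]
                    rec["delay"] = (built - failed_at).total_seconds()
    return results

if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print(rec)
```

A failure that comes back with mapped=None had no translation built inside the window and does not fit the "fail, then build, then retry succeeds" pattern.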


