ASA - xlate increases all the time

Hello,

I have a Failover Active/Standby solution and I noticed a problem with xlate.

Problem:

xlate increases all the time

Description:

I have an issue with xlate not decreasing automatically, and I need to clear it before it reaches the max value.

Product information:

Active Node:

LAB-ASA-01/pri/act# sh inventory

Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"

Standby Node:

LAB-ASA-01/sec/stby# sh inventory

Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"

Multi-session vs Per-session:

xlate per-session permit tcp any4 any4

xlate per-session permit tcp any4 any6

xlate per-session permit tcp any6 any4

xlate per-session permit tcp any6 any6

xlate per-session permit udp any4 any4 eq domain

xlate per-session permit udp any4 any6 eq domain

xlate per-session permit udp any6 any4 eq domain

xlate per-session permit udp any6 any6 eq domain

Do you have an idea regarding this problem?

Regards,


Hmm does this apply to all NAT translated traffic or is there some pattern?

What ASA version are you using?

Hi Rene,

Thanks for your reply and happy New Year :)

Yes, this applies to all NAT translated traffic.

Cisco Adaptive Security Appliance Software Version 9.5(1)4

Device Manager Version 7.5(1)90

Regards,

Nabil,

Hi Nabil,

Happy new year :)

I only recognize this behavior for connections that are idle, for example here’s one:

ASA# show xlate id 0x7f3a56394c40
151 in use, 499 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

TCP PAT from INSIDE:192.168.1.1/55009 to OUTSIDE:1.2.3.4/55009 flags ri idle 28:28:02 timeout 0:00:30 refcnt 1 xlate id 0x7f3a56394c40

This entry is idle for > 28 hours while the timeout should be 30 seconds. The reason that it’s still here is because the TCP connection hasn’t been closed:

ASA# show conn port 55009
187 in use, 1607 most used

TCP OUTSIDE  5.6.7.8:15000 INSIDE  192.168.1.1:55009, idle 0:00:01, bytes 340167, flags UxIOX

Is this the same behavior you are talking about, or is it some other issue?

Rene

Hi Rene,

Yes, I need to change one parameter to fix this issue, but I don't know which one!!!

Please find hereafter the show xlate:

LAB-CORP-ASA-01/pri/act# sh xlate
65229 in use, 66127 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net

LAB-CORP-ASA-01/pri/act# sh running-config | include timeout
access-list http-timeout extended permit tcp any any eq www
arp timeout 14400
timeout xlate 0:05:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
telnet timeout 5
ssh timeout 60
console timeout 0
dhcprelay timeout 60
set connection timeout idle 0:05:00

LAB-CORP-ASA-01/pri/act(config)# timeout xlate ?

configure mode commands/options:
<0:1:0> - <1193:0:0> Idle time after which a dynamic address will be
returned to the free pool, default is 3:00:00
LAB-CORP-ASA-01/pri/act(config)# timeout xlate 00:00:30
^
ERROR: % Time should be >= 0:1:0.

LAB-CORP-ASA-01/pri/act(config)# timeout xlate 00:01:00
ERROR: xlate timeout 0:01:00 cannot be less than the uauth timeout 0:05:00

LAB-CORP-ASA-01/pri/act(config)# timeout xlate 00:05:00

Regards,

Nabil,

Hi Nabil,

The problem is probably not your xlate timeout but your TCP connections that are still established, even though they are idle. The xlate timeout only starts counting when the TCP connection is gone.

I see you have set connection timeout configured, but to what traffic does it get applied? Maybe some of your TCP connections are sitting idle and not being reset by the ASA.

Rene

Hi Rene,

Thanks for your reply.

How can I test this? Could you provide me some commands, please?

Regards,

Nabil,

Hi Nabil,

You can try what I did:

  1. use show xlate id to find NAT translations that have been idle for some time.

  2. use show conn port to find out which connection is preventing the NAT translation from timing out.

This should give you an idea which connections are idle.

Rene

Hi Rene,

Yes, I have the same behavior as your example:

LAB-CORP-ASA-01/pri/act# sh xlate
65873 in use, 66127 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from INT_Outside:0.0.0.0/0 to INT_LAB_LEGACY:0.0.0.0/0
flags sIT idle 359:11:15 timeout 0:00:00
NAT from INT_Outside:0.0.0.0/0 to INT_LAB_USER:0.0.0.0/0
flags sIT idle 17:46:06 timeout 0:00:00
NAT from INT_Outside:0.0.0.0/0 to INT_PAR9_USER:0.0.0.0/0
flags sIT idle 0:00:07 timeout 0:00:00
NAT from INT_Outside:0.0.0.0/0 to INT_WIFI_OFFICE:0.0.0.0/0
flags sIT idle 283:34:28 timeout 0:00:00
NAT from INT_Outside:0.0.0.0/0 to INT_LAB_DMZ_FTP:0.0.0.0/0
flags sIT idle 1002:46:47 timeout 0:00:00
NAT from INT_Outside:0.0.0.0/0 to INT_DEV_ALL:0.0.0.0/0
flags sIT idle 352:20:44 timeout 0:00:00

NAT from any:10.248.180.30 to INT_Outside:84.14.146.19
flags sN idle 0:22:00 timeout 0:00:00
NAT from INT_LAB_DMZ_FTP:192.168.40.10 to INT_Outside:84.14.146.9
flags sN idle 0:01:54 timeout 0:00:00

PAR7-CORP-ASA-01/pri/act# sh conn port 64672
46119 in use, 250004 most used

TCP INT_Outside 200.200.200.200:443 INT_LAB_USER 10.10.10.60:64672, idle 0:12:59, bytes 6190, flags xb
TCP INT_Outside 205.205.205.206:443 INT_LAB_USER 10.10.10.8:64672, idle 0:48:03, bytes 5082, flags xb

Please see the attached file.

Regards,

Nabil,

TCP PAT from INT_LAB_USER:10.10.10.8/64861 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64861 flags ri idle 0:13:11 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64859 to INT_Outside:ASA_Outside_Interface_200.200.200.200/4392 flags ri idle 0:13:11 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64856 to INT_Outside:ASA_Outside_Interface_200.200.200.200/39835 flags ri idle 0:13:20 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64854 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64854 flags ri idle 0:13:50 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64850 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64850 flags ri idle 0:20:55 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64848 to INT_Outside:ASA_Outside_Interface_200.200.200.200/24550 flags ri idle 0:21:53 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64827 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64827 flags ri idle 0:32:29 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64825 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64825 flags ri idle 0:33:05 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64823 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64823 flags ri idle 0:33:05 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64819 to INT_Outside:ASA_Outside_Interface_200.200.200.200/18354 flags ri idle 0:33:09 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64778 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64778 flags ri idle 0:34:22 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64764 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64764 flags ri idle 0:35:05 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64762 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64762 flags ri idle 0:35:08 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64730 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64730 flags ri idle 0:36:48 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64698 to INT_Outside:ASA_Outside_Interface_200.200.200.200/4586 flags ri idle 0:42:16 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64696 to INT_Outside:ASA_Outside_Interface_200.200.200.200/46165 flags ri idle 0:43:02 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64694 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64694 flags ri idle 0:43:05 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64692 to INT_Outside:ASA_Outside_Interface_200.200.200.200/18826 flags ri idle 0:43:05 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64691 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64691 flags ri idle 0:43:05 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64688 to INT_Outside:ASA_Outside_Interface_200.200.200.200/14071 flags ri idle 0:43:21 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64686 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64686 flags ri idle 0:43:21 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64685 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64685 flags ri idle 0:43:21 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64682 to INT_Outside:ASA_Outside_Interface_200.200.200.200/31322 flags ri idle 0:43:22 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64680 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64680 flags ri idle 0:43:22 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64679 to INT_Outside:ASA_Outside_Interface_200.200.200.200/37537 flags ri idle 0:43:22 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64676 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64676 flags ri idle 0:43:26 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64674 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64674 flags ri idle 0:43:26 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64672 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64672 flags ri idle 0:43:32 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64670 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64670 flags ri idle 0:43:32 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64668 to INT_Outside:ASA_Outside_Interface_200.200.200.200/2911 flags ri idle 0:43:32 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64667 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64667 flags ri idle 0:43:32 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64664 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64664 flags ri idle 0:43:32 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64662 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64662 flags ri idle 0:43:33 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64660 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64660 flags ri idle 0:43:33 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64658 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64658 flags ri idle 0:43:37 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64654 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64654 flags ri idle 0:43:37 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64651 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64920 flags ri idle 0:45:06 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64648 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64648 flags ri idle 0:50:05 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64646 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64646 flags ri idle 0:50:05 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64643 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64643 flags ri idle 0:51:13 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64641 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64641 flags ri idle 0:52:58 timeout 0:00:30
TCP PAT from INT_LAB_USER:10.10.10.8/64626 to INT_Outside:ASA_Outside_Interface_200.200.200.200/64626 flags ri idle 1:00:09 timeout 0:00:30

Hi Nabil,

I think you should try messing with the connection timeout for TCP, for example this entry:

TCP INT_Outside 205.205.205.206:443 INT_LAB_USER 10.10.10.8:64672, idle 0:48:03, bytes 5082, flags xb

It’s been idle for 48 minutes. The default TCP connection timeout is 1 hour:

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

You can also use it in a class-map so that you can only apply it to certain traffic, perhaps for destination port 443 (and 80) in your case:

policy-map WEB_TRAFFIC
 class HTTPS_TRAFFIC
  set connection timeout idle 0:15:00

This would set it to 15 minutes. I would check what kind of TCP connections are sitting idle for a long time and reduce the timeout for those. That should solve the issue.

Rene
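Rene's two-step check above (find translations idle past their timeout with `show xlate`, then find the connection holding each one open with `show conn port`) and his later point about the TCP connection idle timeout can be done in one pass over captured CLI output. The script below is an added example, not part of this thread and not Cisco tooling: it parses the `show xlate` and `show conn` line formats as they are quoted in the thread, joins the two on the inside host:port, lists the dynamic PAT entries that are idle longer than their own timeout together with the connection keeping them alive, and shows which of those connections a proposed `set connection timeout idle` value would already have closed. The sample output embedded in it is constructed for this example, modelled on the lines quoted in the thread.

```python
"""Correlate stale ASA PAT translations with the TCP connections holding them open.

Added example (not from the thread or from Cisco). It assumes the `show xlate`
and `show conn` line formats quoted in the thread; the sample text below is
constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample `show xlate` output (same layout as the thread's quotes).
SHOW_XLATE = """\
151 in use, 499 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

TCP PAT from INSIDE:192.168.1.1/55009 to OUTSIDE:1.2.3.4/55009 flags ri idle 28:28:02 timeout 0:00:30 refcnt 1 xlate id 0x7f3a56394c40
TCP PAT from INSIDE:192.168.1.1/55010 to OUTSIDE:1.2.3.4/4392 flags ri idle 0:00:05 timeout 0:00:30
TCP PAT from INSIDE:192.168.1.2/40000 to OUTSIDE:1.2.3.4/40000 flags ri idle 0:48:03 timeout 0:00:30
"""

# Constructed sample `show conn` output.
SHOW_CONN = """\
187 in use, 1607 most used

TCP OUTSIDE  5.6.7.8:15000 INSIDE  192.168.1.1:55009, idle 0:00:01, bytes 340167, flags UxIOX
TCP OUTSIDE  205.205.205.206:443 INSIDE  192.168.1.2:40000, idle 0:48:03, bytes 5082, flags xb
"""

XLATE_RE = re.compile(
    r"^(?P<proto>\w+) PAT from (?P<in_if>[^:\s]+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) "
    r"to (?P<out_if>[^:\s]+):(?P<out_ip>[^/\s]+)/(?P<out_port>\d+) "
    r"flags (?P<flags>\S+) idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+)"
)
CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<a_if>\S+)\s+(?P<a_ip>[\d.]+):(?P<a_port>\d+) "
    r"(?P<b_if>\S+)\s+(?P<b_ip>[\d.]+):(?P<b_port>\d+), idle (?P<idle>[\d:]+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S*)"
)


def hms_to_seconds(text):
    """'28:28:02' -> 102482. The ASA prints hours unbounded, not modulo 24."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass(frozen=True)
class Xlate:
    inside: tuple    # (real ip, real port) on the inside interface
    outside: tuple   # (mapped ip or interface label, mapped port)
    flags: str
    idle: int        # seconds
    timeout: int     # seconds; 0 means no timeout (static entries)


@dataclass(frozen=True)
class Conn:
    a: tuple         # first endpoint as printed, (ip, port)
    b: tuple         # second endpoint as printed, (ip, port)
    flags: str
    idle: int        # seconds
    nbytes: int


def parse_xlate(text):
    """Return the dynamic PAT entries found in `show xlate` text; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(Xlate(inside=(m["in_ip"], int(m["in_port"])),
                                 outside=(m["out_ip"], int(m["out_port"])),
                                 flags=m["flags"],
                                 idle=hms_to_seconds(m["idle"]),
                                 timeout=hms_to_seconds(m["timeout"])))
    return entries


def parse_conn(text):
    """Return the connections found in `show conn` text."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(a=(m["a_ip"], int(m["a_port"])),
                              b=(m["b_ip"], int(m["b_port"])),
                              flags=m["flags"],
                              idle=hms_to_seconds(m["idle"]),
                              nbytes=int(m["bytes"])))
    return conns


def stale_xlates(xlates, conns):
    """PAT entries idle past their own timeout, each paired with the connections
    (matched on the inside ip:port at either endpoint) that keep them alive."""
    by_endpoint = {}
    for c in conns:
        by_endpoint.setdefault(c.a, []).append(c)
        by_endpoint.setdefault(c.b, []).append(c)
    return [(x, by_endpoint.get(x.inside, []))
            for x in xlates if x.timeout and x.idle > x.timeout]


def reaped_by_idle_timeout(conns, idle_timeout):
    """Connections that a `set connection timeout idle` of idle_timeout seconds
    would already have torn down, which in turn lets their xlates time out."""
    return [c for c in conns if c.idle >= idle_timeout]


def report(xlate_text=SHOW_XLATE, conn_text=SHOW_CONN, proposed_idle=15 * 60):
    """Human-readable summary; returns one line per finding."""
    xlates, conns = parse_xlate(xlate_text), parse_conn(conn_text)
    lines = []
    for x, holders in stale_xlates(xlates, conns):
        held = ", ".join(f"{c.a[0]}:{c.a[1]} (conn idle {c.idle}s)" for c in holders) or "no matching conn found"
        lines.append(f"xlate {x.inside[0]}/{x.inside[1]} idle {x.idle}s > timeout {x.timeout}s, held open by {held}")
    for c in reaped_by_idle_timeout(conns, proposed_idle):
        lines.append(f"conn {c.a[0]}:{c.a[1]} <-> {c.b[0]}:{c.b[1]} idle {c.idle}s would be closed by idle timeout {proposed_idle}s")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it on real captures by passing the saved `show xlate` and `show conn` text to `report()`. Static entries (`timeout 0:00:00`, flags `s`) are ignored on purpose: they never time out, so they are not the ones filling the table. With the 15-minute value from Rene's class-map example, the 48-minute HTTPS connection shows up as one the ASA would already have closed, while the 1-hour default would still keep it.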

Hi Rene,

I found this explanation is not bad :)

I made this configuration in order to close all HTTP sessions after 05 min in case of no traffic, but the problem persists:

class-map http-traffic
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic

class http-traffic
set connection timeout idle 0:05:00

Regards,

Nabil

Hi Nabil,

This does look good, what do you match in your access-list?

Rene

Hi Rene,

I match the HTTP traffic at first.

class-map http-traffic
match inspect http http-map

policy-map global_policy
class http-traffic
set connection timeout idle 0:05:00

Regards,

Nabil,

Hi Nabil,

Do you still see idle HTTP traffic TCP connections older than 5 minutes? In the previous example you had an HTTPS connection.

Rene

Hi Rene,

It is working fine for http now.

I need to do this for all applications: HTTPS, FTP…

Can't the ASA manage this automatically and close the connection when there is no traffic on it, as on a Checkpoint firewall?

Many thanks for your help,

Regards,

Nabil,

Hi Nabil,

Good to hear this helps.

The ASA does but the default is 1 hour:

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

So for some connections (like your HTTP/HTTPS traffic) it might be a good idea to reduce this.

Rene

Hi Rene,

Many thanks for your help.

Regards,

Nabil,