ASA Xlate limits

I have an ASA 5520 in a school environment.  I currently only have 1 public IP NATing for about 3000 students.  I was wondering if there were any limits per public IP as far as translations go.
Thanks in advance!
Mark

Mark,
I have not found anything about the XLATES, but the following gives you the basics about how many connections for all the ASA5500 series devices and what their basic capabilities are. 
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
Thanks and do rate helpful posts.
Kimberly

Similar Messages

  • Cisco ASA xlate limit resource

    Hi!
    I have the problem with resource limitation on Cisco ASA.
    I want to set the limit for xlates as a percentage, not as an absolute value. But I can't do it.
    As far as I can see from the command syntax, this feature should be supported:
    ASA(config-class)# limit-resource xlates ?
    class mode commands/options:
      WORD  Value of resource limit (in <value> or <value>%)
    But I'm getting error when try to set value in %:
    ASA(config-class)# limit-resource xlates 50%
    ERROR: Capacity unknown for this resource type
    ASA(config-class)# limit-resource xlates 50.00%
    ERROR: Capacity unknown for this resource type
    Is it possible to limit xlates as a percentage?
    What should I do to set this value as limit of default xlate?
    Thanks in advance

    Hi Igor,
    The percentage can only be used for resources which have a hardcoded system limit. For resources that do not have a system limit, you cannot set a percentage (%); you can only set an absolute value.
    Xlates can be created depending on how much memory you have. You might be able to see the option for it, but it is only for resources which have a definite number.
    Thanks,
    Varun

  • ASA Max Limits

    In the ASA Data Sheet there is a Max Virtual Interfaces part in the table, for a 5525-X for example this is 200, is this restriction of 200 still the case when I have 2 firewalls in Active/Active?
    Also if I have a ASA in transparent mode is there a max limit on the amount of Bridge Groups and BVI's I can create?
    Thanks,
    Dan
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html


  • FWSM can not show sessions in xlate between two specific vlans

    Dear Experts ,
    I have an FWSM running version 3.2(23), configured with interface VLANs, all having the same security level except the outside interface VLAN, which has security level 0. same-security-traffic permit inter-interface and same-security-traffic permit intra-interface are also configured. My problem is that when establishing sessions (I tried TCP only, using SSH and Telnet, in addition to ping) from one specific VLAN (172.16.1.0/28) to another VLAN (172.16.1.16/28), I cannot see the established sessions in the "show xlate debug" output, although I can see these sessions in a capture! The two subnets are separate, two different /28s.
    I can see the sessions established from the remaining interface VLANs with the same security level toward 172.16.1.16/28. My question is: what is the exception with the VLAN having subnet 172.16.1.0/28? How can it reach the other VLAN with subnet 172.16.1.16/28 without showing anything in the xlate table? Do you think it is a bug? Please advise.
    Regards

    Red1,
    Need to make sure the packets are arriving on the correct interface. Need to grab captures and the debug-level syslogs at the same time. Hope you are not running into the xlate limitation of the module.
    Please check the limitation link here:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/specs_f.html#wp1056716
    -Kureli
    https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts
    Upcoming Live Webcast in English: January 15, 2013
    Troubleshooting ASA and Firewall Service Modules
    Register today: http://tools.cisco.com/squish/42F25

  • Does packet input ever report the wrong thing?

    Hello All.
    Consider these bits of configuration from my ASA:
    ASA Version 9.1(3) 
    hostname wnsk-asa
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    object network callhost-inside
     host 10.3.2.25
    object network callhost-outside
     host 209.198.173.58
    object-group network EQUINOX
     network-object host 175.146.14.236
     network-object 175.77.48.96 255.255.255.224
     network-object 209.198.187.0 255.255.255.0
    access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq 3389 
    access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq 5900 
    access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq ftp 
    access-list awcc_vpn extended permit ip host 10.3.2.25 host 172.31.250.150 
    nat (server-lan,itrunk) source static callhost-inside callhost-inside destination static awcc awcc no-proxy-arp route-lookup
    object network wnsk
     nat (server-lan,itrunk) dynamic WNSK-POOL
    object network callhost-inside
     nat (server-lan,itrunk) static callhost-outside
    object network vpnpool
     nat (itrunk,itrunk) dynamic WNSK-POOL
    access-group inbound12 in interface itrunk
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    : end
    When I check my setup with packet-tracer, I get this:
    wnsk-asa# packet-tracer input itrunk tcp 209.198.187.78 22222 10.3.2.25 3389
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.3.2.0        255.255.255.0   server-lan
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inbound12 in interface itrunk
    access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq 3389 
    object-group network EQUINOX
     network-object host 175.146.14.236
     network-object 175.77.48.96 255.255.255.224
     network-object 209.198.187.0 255.255.255.0
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW 
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    object network callhost-inside
     nat (server-lan,itrunk) static callhost-outside
    Additional Information:
    Result:
    input-interface: itrunk
    input-status: up
    input-line-status: up
    output-interface: server-lan
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    When I actually get on the host at 209.198.187.78 and attempt to connect to port 3389 of 209.198.173.58, it works.  Packet-tracer says it will not work.  What am I getting wrong, or is the ASA tricking me?
    ERM

    In your packet-tracer string you direct the ASA to tell you about reachability of "10.3.2.25 3389". In your text you mention being able to get to "port 3389 of 209.198.173.58".
    Which of those two are you trying to figure out? 

  • Understanding teardown from log

    Is the Reset-I always from the device on the higher security level interface (in this case 172.16.112.10/3389)?
    In the second case, what conclusions can be drawn from the teardown information "TCP FINs"? Who is it that sends the first FIN?
    I'm struggling to find the reasons for connections "freezing" or closing, but there are no errors that I can relate to the connection ids whatsoever.
    asa.log:2014-02-03T15:04:32.186954+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1730891653 for wan:195.195.195.195/49624 (195.195.195.195/49624) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
    asa.log:2014-02-03T17:21:36.585964+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1730891653 for wan:195.195.195.195/49624 to vlan547:172.16.112.10/3389 duration 2:17:05 bytes 35781464 TCP Reset-I
    asa.log:2014-02-03T13:14:51.660321+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1729135626 for wan:195.195.195.195/50005 (195.195.195.195/50005) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
    asa.log:2014-02-03T18:05:02.785968+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1729135626 for wan:195.195.195.195/50005 to vlan547:172.16.112.10/3389 duration 4:50:14 bytes 36231472 TCP FINs

    Hi,
    The TCP Reset-I and TCP Reset-O should refer to the TCP RST coming from either higher or lower "security-level" interface.
    There are some other things affected by the "security-level" also in the output of the ASA. For example when you check the output of "show conn" command the host on the lowest "security-level" interface is listed first. Same goes for log messages. The host on the lowest "security-level" interface is mentioned first in the log messages for Building and Teardown the connection.
    To my understanding there is no way to determine the side which normally closed the connection from the log message itself. I would presume that the Client would usually do this but can't be 100% sure that its always like this.
    If there is not a clear indication that the firewall is doing something to the connection then I would suggest capturing traffic to find out what is happening to the connection. You can either attach some host to the network to capture all the traffic from some port or perhaps capture traffic on the ASA itself.
    You could for example configure a capture for your RDP connection like this
    access-list RDP-CAP permit tcp host host
    access-list RDP-CAP permit tcp host host
    capture RDP-CAP type raw-data access-list RDP-CAP interface outside buffer 33500000 circular-buffer
    If you are expecting a lot of data you will either have to do the capture on some other device (the ASA's buffer is limited to approximately the above number of bytes) or you can create a capture for each direction separately to maximize the amount of traffic that can be captured.
    You could also leave out the data in the actual packets and only capture the headers by using this command
    capture RDP-CAP type raw-data access-list RDP-CAP interface outside buffer 33500000 circular-buffer headers-only
    You can naturally use both of the above commands. Naturally you will have to use a different name for the "capture"; I am not sure whether you have to use a different ACL.
    You can then use this command to check if there is traffic captured
    show capture
    If you wish to show capture contents on the CLI then you can use this command
    show capture RDP-CAP
    Then again you might want to load the capture to your host/server and open it with Wireshark then you could use this command
    copy /pcap capture:RDP-CAP tftp://x.x.x.x/RDP-CAP.pcap
    You can remove the capture with the command
    no capture RDP-CAP
    You will have to remove the capture ACL separately.
    I am not sure how much information can be gotten from the RDP server itself. I don't have to deal with the IT side at all usually, so I don't really know to what extent you would be able to log what the actual server does during those connection issues. A traffic capture would certainly tell what happens to the data/connection.
    Hope this helps
    - Jouni
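Added example (not part of the original thread, and not Cisco code): a small Python correlator for the 302013/302014 pairs quoted in the question above. It joins each "Built" line to its "Teardown" by connection id, converts the duration and byte count to numbers, and attaches the meaning of the teardown reason as Cisco's syslog message guide gives it for 302014: Reset-I is a reset received from the inside (higher security-level) interface, Reset-O one received from the outside interface, and "TCP FINs" records only a normal close, not which side sent the first FIN. The log lines are constructed to match the post's layout; the third "Built" line, which has no matching teardown, is made up to show how a still-open connection surfaces.

```python
import re

# Constructed sample lines in the same layout as the post ("asa.log:" prefix,
# ISO timestamp, relay address, then the %ASA message). Not real traffic; the
# third Built line has no Teardown on purpose.
SAMPLE_LOG = """\
asa.log:2014-02-03T13:14:51.660321+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1729135626 for wan:195.195.195.195/50005 (195.195.195.195/50005) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
asa.log:2014-02-03T15:04:32.186954+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1730891653 for wan:195.195.195.195/49624 (195.195.195.195/49624) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
asa.log:2014-02-03T16:00:00.000000+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1731000000 for wan:198.51.100.7/40001 (198.51.100.7/40001) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
asa.log:2014-02-03T17:21:36.585964+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1730891653 for wan:195.195.195.195/49624 to vlan547:172.16.112.10/3389 duration 2:17:05 bytes 35781464 TCP Reset-I
asa.log:2014-02-03T18:05:02.785968+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1729135626 for wan:195.195.195.195/50005 to vlan547:172.16.112.10/3389 duration 4:50:14 bytes 36231472 TCP FINs
"""

# 302013: "Built <dir> TCP connection <id> for <if>:<real> (<mapped>) to <if>:<real> (<mapped>)"
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src>\S+) \((?P<src_mapped>[^)]+)\) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>\S+) \((?P<dst_mapped>[^)]+)\)"
)
# 302014: "Teardown TCP connection <id> for <if>:<a> to <if>:<b> duration H:MM:SS bytes N <reason>"
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src>\S+) to (?P<dst_if>[^:\s]+):(?P<dst>\S+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Teardown reasons seen in the post, as described for message 302014:
# "I" is the inside (higher security-level) interface, "O" the outside one.
# "TCP FINs" only says both sides closed normally; the line does not record
# which side sent the first FIN.
REASON_HINTS = {
    "TCP Reset-I": "RST received from the inside (higher security-level) interface",
    "TCP Reset-O": "RST received from the outside (lower security-level) interface",
    "TCP FINs": "normal close; initiator of the FIN exchange not recorded",
}


def correlate(log_text):
    """Join 302013 Built lines to their 302014 Teardown by connection id."""
    conns = {}
    for line in log_text.splitlines():
        b = BUILT_RE.search(line)
        if b:
            conns[b["id"]] = {"direction": b["direction"],
                              "src": f'{b["src_if"]}:{b["src"]}',
                              "dst": f'{b["dst_if"]}:{b["dst"]}',
                              "dst_mapped": b["dst_mapped"], "teardown": None}
            continue
        t = TEARDOWN_RE.search(line)
        if t:
            # A teardown whose Built line fell outside the window still gets a record.
            rec = conns.setdefault(t["id"], {"direction": None,
                                             "src": f'{t["src_if"]}:{t["src"]}',
                                             "dst": f'{t["dst_if"]}:{t["dst"]}',
                                             "dst_mapped": None, "teardown": None})
            reason = t["reason"]
            rec["teardown"] = {
                "duration_s": int(t["h"]) * 3600 + int(t["m"]) * 60 + int(t["s"]),
                "bytes": int(t["bytes"]),
                "reason": reason,
                "hint": REASON_HINTS.get(reason, "see the syslog message guide for this reason"),
            }
    return conns


def open_connections(conns):
    """Ids that were built but never torn down in the window examined."""
    return sorted(cid for cid, rec in conns.items() if rec["teardown"] is None)


def teardowns_by_reason(conns):
    """Group torn-down connections by their teardown reason string."""
    out = {}
    for rec in conns.values():
        if rec["teardown"]:
            out.setdefault(rec["teardown"]["reason"], []).append(rec)
    return out


if __name__ == "__main__":
    conns = correlate(SAMPLE_LOG)
    for cid, rec in sorted(conns.items()):
        td = rec["teardown"]
        status = (f'{td["reason"]} after {td["duration_s"]}s, {td["bytes"]} bytes: {td["hint"]}'
                  if td else "still open")
        print(cid, rec["src"], "->", rec["dst"], status)
    print("open:", open_connections(conns))
```

Run it over the relay's file with correlate(open(path).read()). Connections that show up under open_connections are the ones to line up against an ASA or host capture, since the log alone cannot say whether the server, the client, or the firewall ended them.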

  • Sticky resource not available - ACE Module

    hi,
    I am getting the below error on defining stickiness. Please assist.
    switch/Admin(config)# sticky ip-netmask 255.255.255.255 address both ACE-CKH-STICKY
    Error: sticky resource not available
    Thanks.

    Note: The syslog message statistics do not include the syslogs generated from the dataplane when you enable the logging of connection setup and teardown syslog messages through the logging fastpath command.
    • regexp: Limits the amount of regular expression memory.
    • sticky: Limits the number of entries in the sticky table. You must configure a minimum value for sticky to allocate resources for sticky entries, because the sticky software receives no resources under the unlimited setting.
    • xlates: Limits the number of network and port address translation entries.
    • minimum number: Specifies the lowest acceptable value. Enter an integer from 0.00 to 100.00 percent (two-decimal places of granularity). The number argument specifies a percentage value for all contexts that are members of the class. When used with the rate keyword, the number argument specifies a value per second.
    • maximum {equal-to-min | unlimited}: Specifies the maximum resource value: either the same as the minimum value or no limit.
    Note: The limit that you set for individual resources when you use the limit-resource command overrides the limit that you set for all resources when you use the limit-resource all command.
    If you lower the limits for one context (context A) in order to increase the limits of another context (context B), you may experience a delay in the configuration change because the ACE will not lower the limits of context A until the resources are no longer being used by the context.
    For example, to allocate 20 percent of all resources (minimum and maximum) to all member contexts of the resource class, enter:
    (config-resource)# limit-resource all minimum 20% maximum equal-to-min
    System Resource Maximum Values (Resource: Maximum Value)
      Application Acceleration Connections: 10000 connections
      ACL Memory: 34123184 bytes
      Buffer Memory (Syslog): 1048576 bytes
      Concurrent Connections: 1,000,000 connections (Layer 4), 100,000 connections (SSL)
      HTTP Compression: 100 megabits per second (Mbps). You can upgrade the ACE maximum HTTP compression rate to 1 Gbps by purchasing a separate license from Cisco Systems. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
      Management Connections: 5000 connections
      Proxy Connections (Layer 7): 256,000 connections
      Rate:
        Bandwidth: 1 gigabit per second (Gbps). You can upgrade the ACE maximum bandwidth to 2 Gbps by purchasing a separate license from Cisco Systems. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
        Connections (any kind): 120,000 connections per second (Layer 4), 40,000 connections per second (Layer 7)
        MAC miss: 2000 packets per second
        Management traffic: 125,000,000 bits per second
        SSL connections: 1000 transactions per second (TPS). You can upgrade the SSL bandwidth to a maximum of 7500 TPS with a separate license. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
        syslog: for traffic going to the ACE (control plane), 3000 messages per second; for traffic going through the ACE (data plane), 120,000 messages per second
      Regular Expression Memory: 1,048,576 bytes
      Sticky Entries: 800,000 table entries
      Xlates (network and port address translation entries): 64,000 Xlates (network entries), 1,000,000 Xlates (port address translation entries)
    Kind Regards,
    Sachin Garg
    Senior Specialist Security
    HCL Comnet Ltd.
    http://www.hclcomnet.co.in
    A-10, Sector 3, Noida- 201301
    INDIA
    Mob: +91-9911757733
    Email: [email protected]

  • Reporting failed logins

    How can I report on failed login attempts through our ASA 5515's using AnyConnect?

    Michael,
    In practical terms, ASA has limited capabilities to store this kind of information.
    The best way to check this is on the AAA server you're using or by filtering syslogs.
    ASA itself will store counters of how many authentications took place, how many succeeded etc. on a per-server basis.
    Even the local server will store some info.
    Example:
    ASA# show aaa-server
    Server Group:    LOCAL
    Server Protocol: Local database
    Server Address:  None
    Server port:     None
    Server status:   ACTIVE, Last transaction at 14:07:19 UTC Thu Oct 3 2013
    Number of pending requests              0
    Average round trip time                 0ms
    Number of authentication requests       16888
    Number of authorization requests        0
    Number of accounting requests           0
    Number of retransmissions               0
    Number of accepts                       13
    Number of rejects                       16875
    Number of challenges                    0
    Number of malformed responses           0
    Number of bad authenticators            0
    Number of timeouts                      0
    Number of unrecognized responses        0
    Best place to get details are your syslogs and AAA server reports.
    Syslog messages:
    http://www.cisco.com/en/US/docs/security/asa/syslog-guide/logmsgs.html
    M.

  • AnyConnect 3.1.04072 Allow Remote Users

    I can't find Windows VPN Establishment with "Allow Remote Users" in Profile editor. Is it deprecated?

    Yep, it was a limitation of the standalone one.
    I upgraded ASDM and created the profile with it:
    webvpn
     svc profiles AnyConnect_profile_allow_RU disk0:/anyconnect_profile_allow_ru.xml
    group-policy anyconnect attributes
     webvpn
      svc profiles value AnyConnect_profile_allow_RU
    more disk0:/anyconnect_profile_allow_ru.xml
    AllowRemoteUsers
    But wasn't able to connect to VPN with RDP connection.
    I have ASA Version 8.2(1), but there is no record about ASA version limitation.
    AnyConnect version is anyconnect-win-3.1.04072-k9.pkg

  • Multiple SNMP strings on Pix-501

    Does the PIX-501 support multiple SNMP communities?  I'm trying to add a second one, but the original community string gets removed when I add the new one.  If we can have multiple SNMP hosts, then I would imagine you could have multiple strings. I thought it was like most switches and routers, which can have the following:
    snmp-server community STRING1
    snmp-server community STRING2
    The Pix-501 is currently running on version 6.3(5).

    Hi Bro
    You can't possibly compare Cisco IOS routers and switches with Cisco firewalls. They are different types of product, with totally different behaviors and purposes.
    This is a Cisco FWSM/PIX/ASA firewall limitation. You can only define one SNMP community string, and that too has to be RO, and NOT RW. Perhaps this Cisco URL may shed some light on your query: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20031215-pix
    There's a reason why Cisco firewalls don't support RW. RW is generally used by network management tools such as Cisco Security Manager, Cisco MARS, CiscoWorks etc. to push configurations, IOS etc. to Cisco products in large masses. In fact, RW can also be used as a mitigation approach. Cisco firewalls, being a defensive product by nature, will not allow this to occur. There could be a possibility of un-stealthing the product. Hence, only RO is available. A mitigation approach in Cisco firewalls can always be done through telnet/ssh, if needed.
    Note: Perhaps, it doesn't make sense to use a vulnerable/non-secure protocol such as SNMP to manage a security appliance, unless SNMP v3 is introduced.
    P/S: If you think this comment is useful, please do rate them nicely :-) and select the option "THIS QUESTION IS ANSWERED"

  • ASA 5520 - LU allocate xlate failed - Failover unit reloads

    We just had an issue with our failover unit reloading. In perusing the logs there were a number of %ASA-3-210007: LU allocate xlate failed errors prior to the reload. These units had just had their OS upgraded to fix a DoS issue a few weeks ago. I have not seen the error since it reloaded. However, I was asked to report the issue just in case it is a bug in the new version of the OS. Two units in failover.
    Cisco Adaptive Security Appliance Software Version 8.0(5)9
    Device Manager Version 6.0(2)
    Compiled on Mon 01-Feb-10 10:36 by builders
    System image file is "disk0:/asa805-9-k8.bin"
    Config file at boot was "startup-config"
    CP-ASA up 17 days 21 hours
    failover cluster up 17 days 22 hours
    Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   :  CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode:  CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.05
    0: Ext: GigabitEthernet0/0  : address is 0025.45d7.6e62, irq 9
    1: Ext: GigabitEthernet0/1  : address is 0025.45d7.6e63, irq 9
    2: Ext: GigabitEthernet0/2  : address is 0025.45d7.6e64, irq 9
    3: Ext: GigabitEthernet0/3  : address is 0025.45d7.6e65, irq 9
    4: Ext: Management0/0       : address is 0025.45d7.6e66, irq 11
    5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
    6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150      
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled  
    VPN-3DES-AES                 : Enabled  
    Security Contexts            : 2        
    GTP/GPRS                     : Disabled 
    VPN Peers                    : 750      
    WebVPN Peers                 : 2        
    AnyConnect for Mobile        : Disabled 
    AnyConnect for Linksys phone : Disabled 
    Advanced Endpoint Assessment : Disabled 
    UC Proxy Sessions            : 2       
    This platform has an ASA 5520 VPN Plus license.
    I noted a report on errors with verison 7 and a conflict between nat(0) and static commands. I don't show nat(0) being used on these units.
    nat (public) 0 access-list NO_NAT
    nat (public) 1 10.190.16.64 255.255.255.192
    nat (public) 1 172.16.22.0 255.255.255.0
    nat (dmz) 0 access-list NO_NAT
    nat (dmz) 1 0.0.0.0 0.0.0.0
    nat (csacelb) 0 access-list NO_NAT
    nat (csacelb) 1 0.0.0.0 0.0.0.0
    nat (app) 0 access-list NO_NAT
    nat (app) 1 0.0.0.0 0.0.0.0
    nat (db) 0 access-list NO_NAT
    nat (db) 1 0.0.0.0 0.0.0.0
    nat (internal) 0 access-list NO_NAT
    nat (internal) 1 0.0.0.0 0.0.0.0
    nat (management) 0 access-list NO_NAT
    nat (management) 1 0.0.0.0 0.0.0.0
    no crypto isakmp nat-traversal
    static (app,dmz) 10.190.15.0 10.190.15.0 netmask 255.255.255.192
    static (csacelb,public) 999.999.999.999 10.190.14.70 netmask 255.255.255.255 (The external address was replaced with 999.999.999.999 intentionally for this forum)
    static (db,app) 10.190.16.0 10.190.16.0 netmask 255.255.255.192

    Do you have any solution ? we have the same problem.
    Thanks .

  • ASA %ASA-3-210007: LU allocate xlate failed

    I have a client that keeps receiving the following syslog error:
    ASA %ASA-3-210007: LU allocate xlate failed
    It has been identified in bug report:
    CSCsi65122 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi65122)
    This bug report states the following:
    Overlapping static with NAT exemption causes xlate errors on standby
    Symptom:
    "%ASA-3-210007: LU allocate xlate failed" appearing on standby unit
    Conditions:
    - Stateful failover enabled.
    - Overlap between a static NAT rule and the NAT exemption.
    -the "alias" command is used to rewrite destination ip address
    Workaround:
    in the nat exemption access-list deny specifically the traffic matching the source of the traffic with destination the alias'd ip address.
    I looked at this bug report and it says the error was first found in 7.0/7.2.  However, the client is running 8.4(1) on the ASA's.  When this problem initially came to light, my co-worker found this bug report:
    CSCth74844
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth74844&from=summary
    This made sense since at the time they were running 8.32 and upgrading to a newer code seemed to be how to fix it according to this article:
    http://www.techbloc.net/archives/31
    However, even after the upgrade to 8.4(1), the problem still exists.  Do we need to roll them back to the unreleased code that the above article mentions?  Or should this problem have been fixed in the 8.4(1) release?
    TIA for any ideas/suggestions.  A call to TAC may be in order for this problem, especially since the workaround doesn't seem to be the best solution.

    Deyster,
    To troubleshoot this issue, we first need to verify whether this error message is cosmetic or whether we are really hitting a known issue. To identify it, we need to first verify whether the xlate tables on both firewalls are approximately the same or not (you can do this by using the show xlate command on the firewalls). If they are the same and we are still getting these messages, then it is a cosmetic issue (which does not affect the traffic).
    This particular message appears if the xlate tables are not correctly replicated between the active and standby units in failover.
    I would request you to provide the below debugs:
    debug nat 5
    debug fover fail
    This would further help us in identifying the issue.
    Hope this helps.
    Thanks,
    Varun

  • How to get XLate out of ASA with SNMP

    Hi All,
    We recently replaced our trusty old 3660 NAT router with a pair of ASA5520's. Our service desk used to be able to pull the NAT translations out of the router using SNMP. (CISCO-IETF-NAT-MIB:ciscoIetfNatMIB)
    We would like to do that same on the ASA, which obviously means we need to pull out the xlate. I have so far been unable to figure out how to do this, can anyone help?
    We are running Version 8.0(2)
    Many Thanks,
    Nick

    Hmmm, this was going to be my fall-back option, but I'm not looking forward to this as I'll have to figure out some way of having the syslogs go into an SQL database so that I've got a real-time translation table that I can query.
    Is anyone aware of whether getting the Xlates out of a PIX/ASA using SNMP is possible?

  • Xlate count via SNMP on a ASA

    Hi
    Does anyone know of af OID to get the count of active xlate´s per PAT IP address?
    I have a firewall that is performing PAT on several IPs that are defined via object. I need to find a way to get the amount of xlates on a "per public IP" level.
    I know that i can get the "show conn" via SNMP but this is all the connections globally to the ASA and not on a per-PAT bases. 
    So far the only way i have managed to get something out of the ASA is to do a "show xlate | inc [PUBLIC-IP]" and then count the lines.

    Those don't seem to be supported in ASA 9.x... not in "show snmp-server oidlist".
    natAddrMapAddrUsed might be what you're looking for... but, if you have multiple sources NATed to the same destination, finding the appropriate entry in that table will take some doing.
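Added example (not from any post on this page, and not Cisco code) serving both the first question on the page (about 3000 hosts behind a single public address) and the "show xlate | inc [PUBLIC-IP] and count the lines" approach in the thread above: a Python parser for "show xlate" output in the post-8.3 format that counts dynamic PAT xlates per mapped address and protocol, flags addresses approaching port exhaustion, and estimates how many mapped addresses a given host count needs. The sample output is constructed, and the 64,512-port figure (1024 to 65535 per protocol per mapped address) is an assumption stated in the code; the exact ranges depend on the ASA version and on the flat/extended PAT options. Pre-8.3 releases print xlates in a different "PAT Global x(p) Local y(q)" layout that this regex does not cover.

```python
import math
import re
from collections import Counter

# Constructed sample of "show xlate" output in the post-8.3 layout
# (interface:address/port form). Documentation addresses, not real data.
SAMPLE_SHOW_XLATE = """\
5 in use, 7 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside:10.20.1.15/49152 to outside:203.0.113.10/1024 flags ri idle 0:00:03 timeout 0:00:30
TCP PAT from inside:10.20.1.16/51000 to outside:203.0.113.10/1025 flags ri idle 0:00:11 timeout 0:00:30
UDP PAT from inside:10.20.1.16/53000 to outside:203.0.113.10/1026 flags ri idle 0:00:01 timeout 0:00:30
TCP PAT from inside:10.20.2.7/40000 to outside:203.0.113.11/1024 flags ri idle 0:00:20 timeout 0:00:30
NAT from dmz:10.20.9.5 to outside:203.0.113.20 flags s idle 0:05:00 timeout 0:00:00
"""

# Assumption: dynamic PAT draws mapped ports from 1024-65535 per protocol per
# mapped address, i.e. 64,512 ports. The real ranges depend on the ASA release
# and on the flat/extended PAT options, so treat this as a planning figure.
PAT_PORTS_PER_ADDRESS = 65535 - 1024 + 1

# One translation line: "[PROTO] PAT|NAT from if:addr[/port] to if:addr[/port] flags ..."
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>PAT|NAT)\s+from\s+"
    r"(?P<real_if>[^:\s]+):(?P<real_addr>[^\s/]+)(?:/(?P<real_port>\d+))?\s+to\s+"
    r"(?P<mapped_if>[^:\s]+):(?P<mapped_addr>[^\s/]+)(?:/(?P<mapped_port>\d+))?"
    r"\s+flags\s+(?P<flags>\S+)"
)


def parse_xlates(text):
    """Return one dict per translation line; the counter and flag legend are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def pat_usage(entries):
    """Count PAT xlates per (mapped address, protocol); 1:1 NAT entries use no ports."""
    usage = Counter()
    for e in entries:
        if e["kind"] == "PAT":
            usage[(e["mapped_addr"], e["proto"])] += 1
    return usage


def report(entries, ports_per_addr=PAT_PORTS_PER_ADDRESS, warn_pct=80.0):
    """Per mapped address and protocol: xlate count, percent of port space used, warning flag."""
    rows = []
    for (addr, proto), n in sorted(pat_usage(entries).items()):
        pct = 100.0 * n / ports_per_addr
        rows.append({"mapped_addr": addr, "proto": proto, "xlates": n,
                     "pct_used": round(pct, 2), "warn": pct >= warn_pct})
    return rows


def mapped_addresses_needed(hosts, conns_per_host, ports_per_addr=PAT_PORTS_PER_ADDRESS):
    """Smallest PAT pool that fits hosts * conns_per_host concurrent translations
    of one protocol, assuming the pool is used evenly."""
    return math.ceil(hosts * conns_per_host / ports_per_addr)


if __name__ == "__main__":
    xl = parse_xlates(SAMPLE_SHOW_XLATE)
    for row in report(xl):
        print(row)
    # The first question on the page: about 3000 hosts behind one public address.
    print("addresses for 3000 hosts x 25 conns:", mapped_addresses_needed(3000, 25))
```

Feed it the captured output of "show xlate" (for example from a scheduled SSH session) and watch the pct_used column per address rather than the global "in use" counter: one saturated mapped address fails new connections for its hosts even while the box as a whole is far from its xlate limit.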

  • ASA 500 BW Limitation

    Hi all,
    I am new to the ASA product line and Firewalls in general. I have a question regarding the bandwidth limitation on the ASA 500 appliance. I read somewhere that it only allows up to 25 users! Can someone please clarify?
    Thanks,
    sK

    Hello,
    you could try and limit the bandwidth per VLAN in a class-based configuration, here is an example:
    access-list VLAN_100_ACL extended permit ip 192.168.1.0 255.255.255.0 any
    class-map VLAN_100
     match access-list VLAN_100_ACL
    policy-map VLAN_BANDWIDTH
     class VLAN_100
      ! conform rate in bits per second, burst in bytes
      police input 10000000 4000000 conform-action transmit exceed-action drop
    ! the ASA applies a service policy by interface nameif; "inside" is assumed here for GigabitEthernet0/1
    service-policy VLAN_BANDWIDTH interface inside
    In this example, the VLAN for which you want to limit bandwidth has the IP address space 192.168.1.0/24. Bandwidth is policed to a maximum of 10MB, with a 4MB burst rate...
    Can you try and see if this works for you ?
    Regards,
    GP
