Not having fun with TAC, let me ask the real experts :)

ASA-5585X running 8.4(7), recent upgrade in response to last month's security advisories against the 8.4 code we were running...

Now getting a number of the "%ASA-3-305006 regular translation creation failed" errors logged, typically for plain vanilla TCP connections. Checking the logs for the internal IPs being flagged, in every case I'm seeing the internal IP having no translation, and the 305006 is almost immediately followed by a "%ASA-6-305009: Built dynamic translation" for the address in question.

We have plenty of IPs in our outside pool. We're not close to our xlate or connection table limits. This seems to just happen "out of the blue".

For the failed 305006, it will list source-IP/source-port to external-IP/external-port that failed. This connection will never be established. The follow-up 305009 will create the translation, then there will be a normal connection logged from the same source-IP/different-source-port. So the original attempt fails and the subsequent retry succeeds.

We only have a handful of these in a given day... but I'm not sure of our "xlate creation/teardown" rate. Connection-wise we're doing close to 1000 connections/second at peak.

I saw some of these errors in earlier 8.4 code, but they seem to have gotten worse with 8.4(7) [and/or our traffic has increased accordingly].

Anyone else?

Jeff

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
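
One way to quantify the pattern described in the post above, as an added example that is not part of the original message: pair each 305006 failure with a 305009 "Built" message for the same inside address shortly afterwards. The log lines are constructed samples, and the timestamp prefix, the message layouts in the regexes, and the `correlate`/`summarize` helpers are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (documentation-range addresses, not from the post).
SAMPLE_LOG = """\
Jan 10 2014 10:15:01 fw1 : %ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.20/51514 dst outside:203.0.113.80/443
Jan 10 2014 10:15:01 fw1 : %ASA-6-305009: Built dynamic translation from inside:10.1.1.20 to outside:198.51.100.7
Jan 10 2014 10:15:02 fw1 : %ASA-6-305009: Built dynamic translation from inside:10.1.1.33 to outside:198.51.100.8
Jan 10 2014 10:20:40 fw1 : %ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.41/40022 dst outside:203.0.113.25/25
"""

# Assumed layouts: timestamp prefix as "Mon DD YYYY HH:MM:SS", then the message text.
TS_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
FAIL_RE = re.compile(
    r"%ASA-3-305006: \w+ translation creation failed for \S+ src \S+?:([\d.]+)/(\d+)")
BUILT_RE = re.compile(r"%ASA-6-305009: Built \w+ translation from \S+?:([\d.]+) to")

def correlate(log_text, window=timedelta(seconds=2)):
    """Return one record per 305006, flagged if a 305009 for the same
    inside IP was logged within `window` after the failure."""
    failures, pending = [], {}
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue  # skip lines without the assumed timestamp prefix
        ts = datetime.strptime(ts_m.group(1), "%b %d %Y %H:%M:%S")
        if (m := FAIL_RE.search(line)):
            rec = {"ts": ts, "src_ip": m.group(1),
                   "src_port": int(m.group(2)), "recovered": False}
            failures.append(rec)
            pending.setdefault(rec["src_ip"], []).append(rec)
        elif (m := BUILT_RE.search(line)):
            # A Built message closes every open failure for that inside IP.
            for rec in pending.pop(m.group(1), []):
                rec["recovered"] = ts - rec["ts"] <= window
    return failures

def summarize(failures):
    """Count failures that were followed by a translation vs. those that were not."""
    recovered = sum(1 for f in failures if f["recovered"])
    return {"total": len(failures), "recovered": recovered,
            "unrecovered": len(failures) - recovered}

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["ts"], f["src_ip"], f["src_port"], "recovered" if f["recovered"] else "NOT recovered")
    print(summarize(correlate(SAMPLE_LOG)))
```

Failures that stay unrecovered, or a rising daily total, are the cases worth raising with the vendor alongside the xlate creation rate.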