John, That's not so bad. I have been aware of that fact for quite some time, but still continue to forget to issue a clear xlate about half the time. So which is worse, ignorance or stupidity?
Robert ""John Neiberger"" wrote in message news:[EMAIL PROTECTED] > I thought I'd share an embarrassing moment from yesterday in hopes that > others will learn from my mistake. > > I have a router on the outside of a firewall that needed to be upgraded > after the advisory yesterday. In order to reach the TFTP server I needed to > add a static translation in the PIX. No problem. I should also mention that > this server is one of our internal DNS servers. > > The file transfer doesn't take long at all and I remove the conduit and > static translation from the PIX as soon as I'm done. As far as I'm concerned > this is the end of it. I was wrong. > > We later start receiving reports that certain web pages have become > inaccessible, while others are still responding. My first thought is that > I've hosed something with the IOS upgrade, but after checking things out I > was satisfied that everything there was working properly. So, I check the > firewall logs which leads me to check the xlate table. Lo and behold, the > static translation that I'd previously added--and removed--is still there! > [I hear knowing laughter already.] It's in the table but somehow traffic is > being hosed. Our DNS server is sending queries to our external server and > replies are coming back, but something is wrong and communications continue > to fail. I clear the xlate table and all is immediately fixed. This caused a > fair amount of irritation with me but my boss was even more irritated. > > I presumed this was a 'feature' or a bug because it was my _assumption_ that > the removal of the static translation from the config would also clear it > from the xlate table. Wrong! I looked up the command on CCO and there is > this little tidbit: > > "Usage Guidelines > > The clear xlate command clears the contents of the translation slots. > ("xlate" means translation slot.) The show xlate command displays the > contents of only the translation slots. > > Translation slots can persist after key changes have been made. Always use > the clear xlate command after adding, changing, or removing the aaa-server, > access-list, alias, conduit, global, nat, route, or static commands in your > configuration." > > So, there are two morals to this story. First, don't get into the habit of > making assumptions about commands that you think you're familiar with, > because there may be unforeseen consequences. Second, don't get into the > habit of making changes to critical production equipment even when you think > those changes are insignificant. > > Of course, I'll continue to make what I think are insignificant changes but > I'm going to be a lot more careful in the future. > > Let that be a lesson to you, > John Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72579&t=72573 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]