FWIW we use a Cisco PIX 525. I am running an ntp server and most of the other traffic is just from web servers and such:
# sh xlate count
146 in use, 257 most used
# sh conn
3636 in use, 24222 most used

So the PIX must handle xlates properly, but it's still being tracked somewhere, as evident in the connection counts. I see no performance issues with this either, although I'm in the US, which has a lot more servers. Even with gigabit speed set I'm seeing maybe 30 packets/sec.

Koos van den Hout wrote:
> We've had a few mentions how cheap home routers with nat state can fail
> under pool ntp load, but this isn't limited to 'cheap'.
>
> Our network was migrated from a filtering router to a cisco fwsm (firewall
> services module) which has several virtual firewalls. Our dmz, hosting
> ntp.cs.uu.nl, is in one context and I have limited rights to see stats for
> that firewall context.
>
> After a while the entire university network became 'unstable'. Not all
> connections would go through, in very unpredictable ways.
>
> It took a while to find out the cause: the cisco fwsm keeps NAT state even
> for connections which don't actually use NAT. This state is named 'xlates'.
> The statistics for xlates showed absurdly high numbers in use, which
> matches ntp traffic (1200 different IPs requesting service in one second
> isn't a DoS attack; it's normal). And in our firewall setup, there is no
> per-context limit on xlates, so our ntp traffic was influencing the entire
> firewall.
>
> When I made the connection between the high number of xlates and ntp
> traffic I downgraded our ntp pool server to a lower network speed.
>
> Reading the documentation showed that 'xlate-bypass' should do the trick:
> not maintain xlate state for connections without NAT.
>
> So I requested this change. Fast-forward several months of discussion about
> the change and delays: it was implemented today. I directly set our pool
> speed back to the real speed (gigabit) and awaited the first flood of ntp
> requests, which just came by and was not visible in the xlate state
> graph.
>
> So, if your ntp server is behind a cisco fwsm: 'xlate-bypass' will do the
> trick.
>
> Koos
_______________________________________________ timekeepers mailing list [email protected] https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
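An added example, not from either poster, that turns the thread's diagnostic into a check a practitioner could run against saved CLI output: parse the "<n> in use, <m> most used" lines that "show xlate count" and "show conn" print, compare in-use xlates to in-use connections (an xlate per flow on a box that does no NAT is the FWSM symptom Koos describes), and confirm whether the global "xlate-bypass" command is present in a running-config dump. The PIX numbers are the ones quoted above; the FWSM numbers, the 0.5 ratio threshold and the config snippets are constructed for illustration.

```python
import re

# Counter lines in the format the PIX poster pasted (real values from the thread).
PIX_XLATE = "146 in use, 257 most used"
PIX_CONN = "3636 in use, 24222 most used"

# Constructed FWSM counters illustrating "an xlate for nearly every connection";
# these are NOT numbers from the thread.
FWSM_XLATE = "3501 in use, 52000 most used"
FWSM_CONN = "3636 in use, 24222 most used"

# Constructed running-config fragments (the hostname is made up).
CONFIG_WITH_BYPASS = "hostname fwsm-edge\nxlate-bypass\ntimeout xlate 3:00:00\n"
CONFIG_WITHOUT_BYPASS = "hostname fwsm-edge\ntimeout xlate 3:00:00\n"

COUNT_RE = re.compile(r"(\d+)\s+in use,\s+(\d+)\s+most used")


def parse_count(text):
    """Parse a '<n> in use, <m> most used' line from 'show xlate count' or 'show conn'."""
    m = COUNT_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised counter line: {text!r}")
    return {"in_use": int(m.group(1)), "most_used": int(m.group(2))}


def xlate_ratio(xlate_text, conn_text):
    """In-use xlates divided by in-use connections (0.0 when there are no conns)."""
    xl = parse_count(xlate_text)["in_use"]
    cn = parse_count(conn_text)["in_use"]
    return 0.0 if cn == 0 else xl / cn


def xlate_per_flow(xlate_text, conn_text, threshold=0.5):
    """True when the firewall appears to allocate an xlate for most flows.

    On a box that does no NAT for the monitored hosts, a ratio near 1.0 is the
    symptom the thread describes for the FWSM. The threshold is an assumption
    chosen for illustration, not a vendor-documented value.
    """
    return xlate_ratio(xlate_text, conn_text) >= threshold


def has_xlate_bypass(running_config):
    """True if the global 'xlate-bypass' command is present and not negated."""
    enabled = False
    for line in running_config.splitlines():
        s = line.strip()
        if s == "xlate-bypass":
            enabled = True
        elif s == "no xlate-bypass":
            enabled = False
    return enabled


def assess(xlate_text, conn_text, running_config):
    """One-line verdict combining the counter heuristic and the config check."""
    ratio = xlate_ratio(xlate_text, conn_text)
    if xlate_per_flow(xlate_text, conn_text):
        if has_xlate_bypass(running_config):
            return f"xlate/conn={ratio:.2f}: xlate-bypass is set but xlates still track flows; check NAT rules"
        return f"xlate/conn={ratio:.2f}: xlates tracked per flow; consider 'xlate-bypass'"
    return f"xlate/conn={ratio:.2f}: xlate state looks independent of flow count"


if __name__ == "__main__":
    print("PIX :", assess(PIX_XLATE, PIX_CONN, CONFIG_WITHOUT_BYPASS))
    print("FWSM:", assess(FWSM_XLATE, FWSM_CONN, CONFIG_WITHOUT_BYPASS))
```

The ratio is only a hint: it is meaningful for a context that does no NAT for the hosts being counted, which is the situation in the thread. Where NAT is in use, a high ratio is expected and says nothing about "xlate-bypass".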
