Skip to main content
Kilravock
Kilravock
New Member
July 1, 2015
Question

Cisco ASA connections and xlates doubled

  • July 1, 2015
  • 2 replies
  • 4046 views

We have recently introduced a Fortigate 1000C (v5.0,build3608 (GA Patch 7)) to do web filtering (not running any other services on this box), running in Transparent mode.  It now sits inline between our network and our perimeter firewall, a Cisco ASA 5540 (8.2(5)).  

As soon as the Fortigate was introduced, the xlate & connection counts on the ASA effectively doubled (which meant we ran out of xlate slots and had to add a second PAT address - this is a big network) We took the Fortigates off line and xlates & conns went back to previous levels, put it back and they doubled again.  Looks to me as if either the Fortigates are somehow creating 2 connections & translation slots for every web connection or not freeing up connections when they are idle or closed.  Anyone come across this or have any suggestions as to how to resolve?

2 replies

emnoc
emnoc
New Member
July 1, 2015

The diag debug flow is your best friend, I would run it on the fortigate. If this truly  transparent , then it should be just that "transparent", sounds like your L2 insertion is not correct or your running traffic in/out over the same wire 2x.

 

When you run the show conn on the ASA do you see duplicate sessions? same for xlate ? Maybe the traffic is seeing a session twice due to traffic running the same wire. Does these session matches the diag sys session on the  fortigate ?

 

Also you say webfilter, can you explain or show what policy you have in place?

 

And lastly, if you remove this policy and replace with an ANY>ANY, what happens within the ASA conn/xlate  tables?

 

Sartuche24
Sartuche24
New Member
July 17, 2015

Did you ever get this resolved, or find out why your connections doubled. Now I know when I setup a FortiGate and had it in transparent mode, I placed the management IP on a different network from the  network that it was sitting in-line with and this caused a huge problem as it started to cause a lot of MAC Flapping issues. You need to ensure that the IP you have on it resides within the same network as you firewall, so I'm thinking this may be a possibility of why you are seeing a huge increase of connections/xlates.

Terms & ConditionsAccessibility statement