If "clear local" fixes it - then most probably there's another xlate that
stands in the way, should not be related to arp.
Watch out for the identity statics that are supersets of this host static,
i.e. something like this is not good:
static (inside,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255
static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.0
If your first packet on the outside is destined to the 1.1.1.1 - all good.
But if your first packet is destined to 2.2.2.2 - then the first static
won't match, and it will create the xlate based on the second one.
If you have such a config, blocking the destination of 2.2.2.2 by the
inbound ACL on the outside should help (and as well identify who sends
such a packet).
In any case, "show local x.x.x.x" along with "show xlate debug
local x.x.x.x" should shed some more light on this.
thanks,
andrew
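
An added example, not part of the original thread: a small Python check for the overlap described above, a host static whose real address also falls inside a broader identity static on the same interface pair. The sample config is constructed from the statics quoted in the thread; the function names are hypothetical and the field order in the regex is an assumption about the static syntax.

```python
import ipaddress
import re

# Constructed sample: the statics quoted in the thread.
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255
static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.0
static (DMZ,OUTSIDE) 1.1.1.24 2.2.2.24 netmask 255.255.255.255
static (DMZ,OUTSIDE) 1.1.1.25 2.2.2.25 netmask 255.255.255.255
"""

# Assumed field order: static (real_if,mapped_if) mapped real netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((\S+?),(\S+?)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)\s*$"
)


def parse_statics(config):
    """Return ((real_if, mapped_if), mapped_net, real_net) per static line."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue  # not a static line
        real_if, mapped_if, mapped, real, mask = m.groups()
        try:
            mapped_net = ipaddress.ip_network(f"{mapped}/{mask}", strict=False)
            real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
        except ValueError:
            continue  # port or interface statics are out of scope here
        statics.append(((real_if, mapped_if), mapped_net, real_net))
    return statics


def find_shadowing_identity_statics(config):
    """List (mapped, real, identity_net) where an identity static covers a host static."""
    statics = parse_statics(config)
    findings = []
    for h_pair, h_mapped, h_real in statics:
        if h_real.prefixlen != 32 or h_mapped == h_real:
            continue  # only translated host statics are checked
        for s_pair, s_mapped, s_real in statics:
            identity = s_mapped == s_real and s_real.prefixlen < 32
            if s_pair == h_pair and identity and h_real.subnet_of(s_real):
                findings.append((str(h_mapped.network_address),
                                 str(h_real.network_address), str(s_real)))
    return findings
```

Each finding names a host static to compare against the "show xlate debug local x.x.x.x" output when the translation stops working.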
On Mon, 20 Oct 2008, Christian Koch wrote:
I checked this when it happened the first time but I forgot what the
output was...thanks for the suggestion, I'll have to check it again
next time it pops up
christian
On Mon, Oct 20, 2008 at 10:58 AM, Ozgur Guler <[EMAIL PROTECTED]> wrote:
Do you see the correct arp for the translation when it stops working?
You might need to define a static arp with alias to fix it.
--- On Mon, 20/10/08, Christian Koch <[EMAIL PROTECTED]> wrote:
From: Christian Koch <[EMAIL PROTECTED]>
Subject: [c-nsp] FWSM Static NAT gets stuck..
To: "Cisco-nsp" <cisco-nsp@puck.nether.net>
Date: Monday, 20 October, 2008, 3:38 PM
Hello All -
Seeing an issue on FWSM running 3.2(4) code..
Where a static nat gets stuck, and the host becomes unreachable via
both ingress/egress
If I issue a clear xlate local x.x.x.x, this clears things up and
connectivity is restored
there are currently 2 hosts on the same network, yet this problem only
occurs with one of them
static (DMZ,OUTSIDE) 1.1.1.24 2.2.2.24 netmask 255.255.255.255
static (DMZ,OUTSIDE) 1.1.1.25 2.2.2.25 netmask 255.255.255.255
.24 is the one that becomes stuck, .25 is fine and never has a problem..
any ideas/possible bugs?
thanks
christian
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/