02-13-2020 10:09 AM
I have these 2 dynamic statements for the primary outside ISP and the secondary as backupisp:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic interface
object network obj_any2
subnet 0.0.0.0 0.0.0.0
nat (any,backupisp) dynamic interface
The problem I am running into is that my primary "outside" has an IP SLA and is failing over to backupisp, but then VoIP phones and other devices lose internet connection until I do a clear conn address, and then the devices move back to outside PAT. Is there a source PAT timer I can set? Or does my dynamic source NAT need to be more specific? Thanks
Accepted Solutions
02-13-2020 10:21 AM
Hi,
You can tweak the timeout values, e.g.:
ASA-DC-1/pri/act(config-network-object)# show run | inc timeout
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
Alternatively, you could implement an EEM script on the ASA that tracks the primary route and, when this fails over to the backup link, takes an action to clear the connections.
HTH
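The two options in the accepted answer, sketched as ASA configuration. This is an added example, not configuration posted in the thread: the applet name CLEAR-CONN-ON-ROUTE-CHANGE and the 30-second floating-conn value are assumptions, and the trigger is syslog 622001, which the ASA logs when a tracked route is added or removed.

```cisco
! Added example, not from the thread. Names and timer values are assumptions.
!
! Option 1: let connections float to a better route.
! With floating-conn at its default of 0:00:00 a connection stays on the
! interface it was built on. A non-zero value lets the ASA close connections
! when a route with a better metric becomes available, so they are rebuilt
! through that route and its PAT rule.
timeout floating-conn 0:00:30
!
! Option 2: EEM applet that clears connections whenever the tracked route changes.
! Assumption: logging is enabled so that message 622001 is generated.
event manager applet CLEAR-CONN-ON-ROUTE-CHANGE
 description Clear connections when the SLA-tracked default route is added or removed
 event syslog id 622001
 action 1 cli command "clear conn all"
 output none
!
! Verification after a test failover and failback:
!   show event manager
!   show route
!   show conn
```

Because 622001 fires on both removal and re-addition of the tracked route, the applet runs on failover to backupisp and again on failback to outside. `clear conn all` drops every connection through the firewall; the narrower `clear conn address` form the original poster used limits the impact to selected hosts.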
