Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1156
Views
5
Helpful
1
Replies

Trouble with source nat with backup and primary ISP

Go to solution
iverson.justin
Level 1
Level 1

‎02-13-2020 10:09 AM

I have these 2 dynamic statements for primary outside ISP and secondary as backupisp

 

object network obj_any

subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic interface

 

object network obj_any2

subnet 0.0.0.0 0.0.0.0
nat (any,backupisp) dynamic interface

 

Problem I am running into is my primary "outside" has an IPSLA and failing over to backupisp but then voip phones and other devices lose internet connection until I do a clear conn address and then devices moves back to outside PAT.  Is there a source PAT timer I can set?  Or does my dynamic source nat need to be more specific?  Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎02-13-2020 10:21 AM

Hi,

You can tweak the timeout values, e.g:-

 

ASA-DC-1/pri/act(config-network-object)# show run | inc timeout
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

Alternatively you could implement an EEM script on the ASA that tracks the primary route, when this fails over to the backup link then takes an action to clear the connections.

 

HTH

View solution in original post

1 Reply 1

Go to solution
Rob Ingram
VIP
VIP

‎02-13-2020 10:21 AM

Hi,

You can tweak the timeout values, e.g:-

 

ASA-DC-1/pri/act(config-network-object)# show run | inc timeout
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

Alternatively you could implement an EEM script on the ASA that tracks the primary route, when this fails over to the backup link then takes an action to clear the connections.

 

HTH

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card