Cisco Community
English
Register
ANNOUNCEMENT - Email and Web Notifications will be off until 2/21/2020 while Security Community is being Re-Structured - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
82
Views
0
Helpful
1
Replies
iverson.justin
iverson.justin Beginner
Beginner
‎02-13-2020 10:09 AM
‎02-13-2020 10:09 AM

Trouble with source nat with backup and primary ISP

I have these 2 dynamic statements for primary outside ISP and secondary as backupisp

 

object network obj_any

subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic interface

 

object network obj_any2

subnet 0.0.0.0 0.0.0.0
nat (any,backupisp) dynamic interface

 

Problem I am running into is my primary "outside" has an IPSLA and failing over to backupisp but then voip phones and other devices lose internet connection until I do a clear conn address and then devices moves back to outside PAT.  Is there a source PAT timer I can set?  Or does my dynamic source nat need to be more specific?  Thanks

Labels:
0 Helpful
Reply
1 REPLY 1
Highlighted
RJI
RJI Advisor
Advisor
‎02-13-2020 10:21 AM
‎02-13-2020 10:21 AM

Re: Trouble with source nat with backup and primary ISP

Hi,

You can tweak the timeout values, e.g:-

 

ASA-DC-1/pri/act(config-network-object)# show run | inc timeout
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

Alternatively you could implement an EEM script on the ASA that tracks the primary route, when this fails over to the backup link then takes an action to clear the connections.

 

HTH

0 Helpful
Reply
Latest Contents
Ask Me Anything event- How to optimize your Cisco Security i...
Created by ciscomoderator on 02-18-2020 11:25 AM
0
0
0
0
To   participate   in this event, please use the   button   to ask your questions This topic is a chance to clarify your questions about Cisco Threat Response, from its components and new features to ... view more
CoPP with ACL
Created by WiKiD on 02-18-2020 08:53 AM
0
0
0
0
Hello everyone, 1)I already got a ACL for ssh applied to vty lines.ip access-list standard vty-accesspermit xx.xx.xx.xx logline vty 0 4access-class vty-accesstransport input ssh 2)  ACL to use with CoPP access-list 101 permit tcp xx.xx.xx.x... view more
Community Live slides- How to optimize your Cisco Security i...
Created by ciscomoderator on 02-17-2020 06:48 PM
0
0
0
0
Community Live Slides- How to optimize your Cisco Security investments with Threat Response (Live event - formerly known as Webcast-  Tuesday February 18, 2020 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This event had place on Tuesday 18th, Februa... view more
Couldn't get an IP address and HTTPS redirection to ISE port...
Created by damode on 02-17-2020 03:52 PM
1
0
1
0
Two main issues I am facing as part of ISE guest access POC lab.On any device on first attempt connections works smooth. However, if I disconnect and reconnect the SSID, its repeatedly giving "Couldn't get an IP address" or "No internet connection" on con... view more
Enhancing Windows LDAP Security by Enabling LDAP Channel Bin...
Created by Omar Santos on 02-12-2020 01:57 PM
1
0
1
0
Microsoft published a security advisory providing guidance to increase the security for communications between LDAP clients and Active Directory domain controllers. The document introduced the use of LDAP channel binding and ... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
FusionCharts will render here