I have created a redundancy group between two ASR 1001-X routers and sometimes experience a problem where return traffic does not get "un-translated" back to the initiating device of the TCP session. The NAT translation table always looks the same on both routers as expected.
ASR-HUB-01#show ip nat translations redundancy 1
Pro Inside global Inside local Outside local Outside global
HTTP, Ping and VNC all work. I can shut down the LAN and WAN from ASR-1 and all traffic goes to ASR-2 as expected.
However, if I shut down the WAN on one router and the LAN on the other router, in order to make the traffic asymmetric, the return traffic does not pass correctly from the web server to the web client. Also, the static NAT for VNC does not work either. However, ping continues to work fine. When this is the case and I keep refreshing the web page, I see a new translation each time, and I think this is just because the browser does not get a response so it keeps starting a new session. The same thing happens for the VNC port forwarding rule.
"redundancy application reload group 1 self" on both routers does not solve the problem but a full reload of IOS-XE does.
"show redundancy application protocol group 1" shows at least one ASR-01 active (the one with the LAN interface up - or ASR-01 if both are up as this has priority 105)
Topology and full configurations attached.
Any suggestions welcome.
Could be something to do with "ip nat switchover replication http" ?
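For readers comparing their own setup, the following is an illustrative box-to-box NAT redundancy configuration with the interchassis asymmetric-routing interface enabled; it is an added example, not the poster's attached configuration, and the interface names, RG name, addresses (documentation ranges) and mapping-ids are assumed.

```cisco
! --- Redundancy group (assumed names/interfaces) ---
redundancy
 application redundancy
  group 1
   name NAT-RG1
   priority 105 failover threshold 10
   ! control and data links between the two chassis
   control GigabitEthernet0/0/2 protocol 1
   data GigabitEthernet0/0/3
   ! dedicated link over which the standby hands asymmetric
   ! return traffic to the active box for un-translation
   asymmetric-routing interface GigabitEthernet0/0/4
   asymmetric-routing always-divert enable
   ! lose priority if the WAN link goes down
   track 10 decrement 10
!
track 10 interface GigabitEthernet0/0/0 line-protocol
!
interface GigabitEthernet0/0/0
 description WAN (assumed addressing)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 redundancy rii 100
 redundancy group 1 ip 203.0.113.1 exclusive
!
interface GigabitEthernet0/0/1
 description LAN (assumed addressing)
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 redundancy rii 101
 redundancy group 1 ip 10.0.0.1 exclusive
!
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
!
ip nat pool NAT-POOL 203.0.113.1 203.0.113.1 netmask 255.255.255.0
! static port forward and dynamic PAT, both tied to RG 1 so the
! translations are replicated to the peer
ip nat inside source static tcp 10.0.0.50 5900 203.0.113.1 5900 redundancy 1 mapping-id 1
ip nat inside source list NAT-INSIDE pool NAT-POOL redundancy 1 mapping-id 2 overload
! replicate HTTP sessions as well (off by default)
ip nat switchover replication http
```

Without the asymmetric-routing interface, return packets arriving on the standby chassis are not diverted to the active one, which matches the symptom of translations being created but never reversed.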