09-07-2007 12:35 PM - edited 03-03-2019 06:39 PM
Greetings,
I'm trying to achieve a failover scenario using a multi-homed connection to the same ISP. The problem I'm having is that the NAT translations are not clearing after the primary link fails and then comes back online. When the primary link recovers I'm still seeing traffic going over the back-up link. Any suggestions or comments?
ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.1.1
frequency 5
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
username admin privilege 15 secret xxx
!
!
!
track 1 rtr 1 reachability
!
!
!
!
interface FastEthernet0/0
desc ISP 2 - Backup Connection
ip address 192.168.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1
desc ISP 1 - Primary Connection
ip address 192.168.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface FastEthernet0/3/4
!
interface FastEthernet0/3/5
!
interface FastEthernet0/3/6
!
interface FastEthernet0/3/7
!
interface FastEthernet0/3/8
description LAN
spanning-tree portfast
!
interface Vlan1
desc LAN Subnet
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.1 5
!
ip http server
no ip http secure-server
!
ip nat inside source route-map primary-nat interface FastEthernet0/0 overload
!
ip nat inside source route-map backup-nat2 interface FastEthernet0/1 overload
!
ip access-list extended nat
permit ip 192.168.0.0 0.0.0.255 any
!
route-map backup-nat2 permit 10
match ip address nat
set interface FastEthernet0/1
!
route-map primary-nat permit 10
match ip address nat
set interface FastEthernet0/0
09-09-2007 01:26 PM
The OER option within the ip nat statement enables tracking of the route table.
Here is the debug without the OER
R2#
*Sep 9 21:23:00.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [25]
*Sep 9 21:23:00.811: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [25]
*Sep 9 21:23:00.811: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [26]
*Sep 9 21:23:00.815: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [26]
*Sep 9 21:23:00.815: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [27]
*Sep 9 21:23:00.815: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [27]
*Sep 9 21:23:00.815: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [28]
*Sep 9 21:23:00.815: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [28]
*Sep 9 21:23:00.815: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [29]
R2#
*Sep 9 21:23:00.819: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [29]
R2#
*Sep 9 21:23:02.931: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 5 (5)
R2#show track
Track 1
Response Time Reporter 1 reachability
Reachability is Down
4 changes, last change 00:00:03
Latest operation return code: Timeout
Tracked by:
ROUTE-MAP 0
STATIC-IP-ROUTING 0
R2#
*Sep 9 21:23:33.807: NAT: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [30]
R2#
*Sep 9 21:23:35.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [31]
R2#
*Sep 9 21:23:37.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [32]
R2#
*Sep 9 21:23:39.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [33]
R2#
*Sep 9 21:23:41.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [34]
R2#
*Sep 9 21:23:44.011: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 6 (6)
R2#
___________________
The host 192.168.0.2 received a request time-out on this exercise
______________________
R2#show track
Track 1
Response Time Reporter 1 reachability
Reachability is Up
5 changes, last change 00:00:00
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
ROUTE-MAP 0
STATIC-IP-ROUTING 0
R2#
*Sep 9 21:25:16.799: NAT: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [40]
*Sep 9 21:25:16.799: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [40]
*Sep 9 21:25:16.799: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [41]
*Sep 9 21:25:16.803: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [41]
*Sep 9 21:25:16.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [42]
*Sep 9 21:25:16.803: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [42]
*Sep 9 21:25:16.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [43]
*Sep 9 21:25:16.803: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [43]
*Sep 9 21:25:16.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [44]
R2#
*Sep 9 21:25:16.807: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [44]
R2#
*Sep 9 21:25:19.171: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 8 (8)
R2#
________________
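The debug above is the evidence for the whole thread: after the track goes down, outbound packets from 192.168.0.2 are still translated to 192.168.1.1 and no replies come back until the entries expire. The following parser is an added example, not something from the thread or from Cisco; it reads "debug ip nat" lines in exactly the format quoted above, rebuilds the translation events, and reports which outbound packets were still bound to the failed link's address after a given failover time. The sample lines and the failover timestamp 21:23:30 are constructed for the example (the thread's "show track" output gives only a relative "last change" time).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the "debug ip nat" output quoted in this
# thread; the "R2#" prompt lines are included to show that they are skipped.
SAMPLE_DEBUG = """\
*Sep 9 21:23:00.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [25]
*Sep 9 21:23:00.811: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [25]
*Sep 9 21:23:00.811: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [26]
*Sep 9 21:23:00.815: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [26]
R2#
*Sep 9 21:23:02.931: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 5 (5)
R2#
*Sep 9 21:23:33.807: NAT: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [30]
*Sep 9 21:23:35.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [31]
*Sep 9 21:23:37.803: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [32]
R2#
*Sep 9 21:23:44.011: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 6 (6)
"""


@dataclass
class NatEvent:
    t: float                # seconds since midnight, taken from the log timestamp
    kind: str               # "out" (inside->outside), "in" (reply) or "expire"
    inside_local: str       # the LAN host address
    inside_global: str      # the outside address it was translated to
    remote: Optional[str]   # the far end; None for expiry lines
    ident: Optional[int]    # the [n] packet id; None for expiry lines


# Timestamp prefix shared by every line: "*Sep 9 21:23:00.803: "
_TS = r"^\*\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d\.\d+): "
# "NAT*:" marks fast-switched packets, "NAT:" process-switched; both are accepted.
_OUT = re.compile(_TS + r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[(\d+)\]$")
_IN = re.compile(_TS + r"NAT\*?: s=(\S+), d=(\S+)->(\S+) \[(\d+)\]$")
_EXP = re.compile(_TS + r"NAT: expiring (\S+) \((\S+)\) \w+ \d+ \(\d+\)$")


def _secs(h, m, s) -> float:
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_nat_debug(text: str) -> List[NatEvent]:
    """Turn debug ip nat output into NatEvent records; unrelated lines are skipped."""
    events: List[NatEvent] = []
    for line in text.splitlines():
        m = _OUT.match(line)
        if m:
            h, mi, s, loc, glob, rem, ident = m.groups()
            events.append(NatEvent(_secs(h, mi, s), "out", loc, glob, rem, int(ident)))
            continue
        m = _IN.match(line)
        if m:
            h, mi, s, rem, glob, loc, ident = m.groups()
            events.append(NatEvent(_secs(h, mi, s), "in", loc, glob, rem, int(ident)))
            continue
        m = _EXP.match(line)
        if m:
            h, mi, s, glob, loc = m.groups()
            events.append(NatEvent(_secs(h, mi, s), "expire", loc, glob, None, None))
    return events


def stale_translations(events, failed_global: str, failover_t: float):
    """Outbound packets after the failover that are still bound to the dead link's address."""
    return [e for e in events
            if e.kind == "out" and e.t >= failover_t and e.inside_global == failed_global]


def replies_after(events, failover_t: float):
    """Replies seen after the failover; on a dead link this should stay at zero."""
    return [e for e in events if e.kind == "in" and e.t >= failover_t]


def summarize(text: str, failed_global: str, failover_hms: str) -> dict:
    """Report how many flows stayed pinned to failed_global after the track went down."""
    events = parse_nat_debug(text)
    t0 = _secs(*failover_hms.split(":"))
    stale = stale_translations(events, failed_global, t0)
    return {
        "events": len(events),
        "stale_outbound": len(stale),
        "stale_ids": [e.ident for e in stale],
        "replies_after_failover": len(replies_after(events, t0)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG, "192.168.1.1", "21:23:30"))
```

A non-zero "stale_outbound" together with a zero "replies_after_failover" is the signature of the problem this thread is about: the translation outlived the route it was created for. Run against a real capture, pass the address that the failed link's NAT uses and the time from "show track" so the cut-off matches the actual state change.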
09-09-2007 04:13 PM
Thanks Edison.
Everything seems to be working. My only concern is that when the primary-nat comes back online some connections may stay on the backup-nat. Is there any way to ensure this doesn't happen?
09-09-2007 05:39 PM
The timeout values on the nat translation should help but it isn't guaranteed.
A 2-second timeout is very low already and should be used with care. It can add processor overhead on the router. Keep an eye on the CPU for any adverse effect.
As you stated that everything is working, please take a moment to rate the individuals who have worked on this thread.
Thanks !
09-10-2007 03:44 AM
OK, the CLI help is a little confusing as it shows a reference to vtemplate:
ip nat inside source list 100 interface fa0/0 overload ?
oer Use with vtemplate only. On new translation, if OER BR is UP, OER
will select IP from outgoing Interface. All packets matching
translation are forwarded over Interface for duration of
translation.
portmap Specify Port Map that is to be associated with this mapping
This is not surprising as we know that IOS is very good at being obscure at times. I have never used OER but I see that in this case one can invoke it in the NAT without having configured it explicitly anywhere else in the router. Fine with me!
09-10-2007 04:00 AM
Paolo,
I was trying to dig some documentation in the matter but couldn't.
I came across that option via the CLI online help and gave it a try without an OER template.
It seems to work quite well in conjunction with the IP SLA.
09-10-2007 05:05 AM
Right.
Now I don't remember if you were with cisco previously or it is a new job, in any case congratulations!
I couldn't complete the "ten years" with them but the ones that I spent for sure were quite hectic!
09-10-2007 05:09 AM
Paolo, it's a new job and thanks !
12-12-2007 02:39 AM
I hope you guys don't mind me reviving an old thread. My original query is in http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbed8bd
I read through this whole thread but failed to see how to solve applications where the relatively short NAT translation timeout becomes an issue. My client has applications running in Citrix as well as YM for communications with their clients. And setting the NAT translation timeout to even 30 seconds would cause them to disconnect at seemingly random times.
However, if I leave it at default, the applications become stable but the failover does not happen. I may have made a mess of my config so I would appreciate any help.
Attached below is the excerpt of the config where the NAT translation timeouts are configured:
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
interface Serial0/1/1
description ISP2
ip address 2.2.2.1 255.255.255.252
ip nat outside
ip virtual-reassembly
zone-member security out-zone
!
interface Serial0/3/0
description ISP1
ip address 1.1.1.1 255.255.255.252
ip nat outside
ip virtual-reassembly
zone-member security out-zone
!
interface Vlan1
description LAN
ip address 192.168.12.3 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip nat translation timeout 10
ip nat translation tcp-timeout 10
ip nat translation udp-timeout 10
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation dns-timeout 10
ip nat translation routemap-entry-timeout 10
ip nat translation icmp-timeout 10
ip nat translation arp-ping-timeout 10
ip nat inside source route-map ISP1 interface Serial0/3/0 overload oer
ip nat inside source route-map ISP2 interface Serial0/1/1 overload oer
!
ip sla 1
icmp-echo 2.2.2.2 source-interface Serial0/1/1
frequency 5
ip sla schedule 1 life forever start-time now
!
ip sla 2
icmp-echo 1.1.1.2 source-interface Serial0/3/0
frequency 5
ip sla schedule 2 life forever start-time now
!
route-map ISP1 permit 10
match ip address natlist
set ip next-hop verify-availability 1.1.1.2 2 track 2
!
route-map ISP2 permit 10
match ip address natlist
set ip next-hop verify-availability 2.2.2.2 1 track 1
!
ip access-list extended natlist
permit ip any any
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 2
ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
!
12-12-2007 03:23 PM
Please, let's get back to your thread. This one is deep enough that it's very hard to follow.
10-27-2009 04:24 AM
Thank you very much for this configuration.
I would also like to have static NAT translations for inbound services configured across both ISP links. Would I be correct in thinking that I need to use secondary IP addresses on the internal hosts?
i.e.: Internal Server on IP 192.168.1.10 and a secondary IP of 192.168.1.11.
ip nat inside source static tcp 192.168.1.10 25 interface Ethernet1/0 25
!
ip nat inside source static tcp 192.168.1.11 25 interface Ethernet2/0 25
Regards
10-21-2009 04:06 AM
Hi all, I faced this problem a month ago and resolved it by using the Event Manager function in Cisco IOS.
Also I agree that the route-maps have to be like this:
!
route-map backup-nat2 permit 10
match ip address nat
match interface FastEthernet0/1
!
route-map primary-nat permit 10
match ip address nat
match interface FastEthernet0/0
!
The Event Manager I configured this way:
!
event manager applet primary-route-down
event track 1 state down
action 1.0 cli command "clear ip nat tra *"
!
event manager applet primary-route-up
event track 1 state up
action 1.0 cli command "clear ip nat tra *"
!
So when the primary route goes down (unavailable) the event manager will clear existing NAT translations and the router will make new NAT translations over the backup route.
I hope this will help!
Best Regards,
Tihomir Yosifov
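The thread leaves two remedies side by side: shrinking the translation timeouts (the 09-09-2007 and 12-12-2007 posts, where short timeouts broke Citrix and messaging sessions) and flushing the table whenever the tracked route changes state (the EEM applets in the post above). The model below is an added example written for this page, not Cisco code and not anything posted in the thread; it reduces a PAT router to a translation table that pins each flow to the outside interface it was created on, an idle timeout standing in for "ip nat translation timeout", and an optional flush on track state change standing in for the applet's "clear ip nat translation *". The flow addresses, the keepalive interval and the failure/recovery times are constructed; the point is to see, for one long-lived session, which exit it uses after the primary fails and after it recovers, and how many times it was re-bound along the way.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

Flow = Tuple[str, str, int]   # (inside host, remote host, remote port)


@dataclass
class Translation:
    outside_if: str   # exit the translation was created on; reused until it expires
    last_seen: float  # time of the last packet that refreshed the entry


@dataclass
class NatRouter:
    """Toy PAT router with a tracked primary exit and a backup exit (model, not IOS)."""
    timeout: float                        # idle timeout, like 'ip nat translation timeout'
    flush_on_track_change: bool = False   # the EEM applet behaviour from this thread
    primary_up: bool = True
    table: Dict[Flow, Translation] = field(default_factory=dict)
    created: int = 0                      # translations built (each one is a re-binding)
    flushes: int = 0                      # times the whole table was cleared

    def active_exit(self) -> str:
        # What the routing table would pick right now for a brand-new flow.
        return "primary" if self.primary_up else "backup"

    def set_primary(self, up: bool) -> None:
        # 'event track 1 state up/down' -> optional 'clear ip nat translation *'
        if self.primary_up == up:
            return
        self.primary_up = up
        if self.flush_on_track_change:
            self.table.clear()
            self.flushes += 1

    def _expire(self, now: float) -> None:
        dead = [k for k, v in self.table.items() if now - v.last_seen > self.timeout]
        for k in dead:
            del self.table[k]

    def forward(self, flow: Flow, now: float) -> str:
        """Return the exit this packet uses, creating or refreshing its translation."""
        self._expire(now)
        tr = self.table.get(flow)
        if tr is None:
            # Only a new translation consults the current route; existing ones stay pinned.
            tr = Translation(self.active_exit(), now)
            self.table[flow] = tr
            self.created += 1
        tr.last_seen = now
        return tr.outside_if


def scenario(timeout: float, flush: bool, keepalive: float = 5.0):
    """One session sends a packet every `keepalive` seconds from t=0 to t=70.
    The primary link fails at t=20 and recovers at t=60 (constructed timeline).
    Returns (exit used at t=25, exit used at t=65, translations created, flushes)."""
    r = NatRouter(timeout=timeout, flush_on_track_change=flush)
    flow: Flow = ("192.168.12.10", "203.0.113.7", 443)   # constructed addresses
    exits = {}
    t = 0.0
    while t <= 70.0:
        if t == 20.0:
            r.set_primary(False)
        if t == 60.0:
            r.set_primary(True)
        exits[t] = r.forward(flow, t)
        t += keepalive
    return exits[25.0], exits[65.0], r.created, r.flushes


if __name__ == "__main__":
    print("default timeout, no flush :", scenario(86400, False))
    print("2 s timeout, no flush     :", scenario(2, False))
    print("default timeout, EEM flush:", scenario(86400, True))
```

With a long timeout and no flush the session never leaves the primary exit, so it neither fails over nor fails back, which is the 12-12-2007 symptom. With a 2-second timeout the exit follows the route, but the session is re-bound on every packet, which is why short timeouts broke the applications and why the thread warns about CPU cost. Flushing on the track event gives the failover and the failback with exactly one re-binding per state change, at the price of resetting every session at that moment, which is the caveat to weigh when choosing between the two approaches.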