09-07-2007 12:35 PM - edited 03-03-2019 06:39 PM
Greetings,
I'm trying to achieve a failover scenario using a multi-homed connection to the same ISP. The problem I'm having is that the NAT translations are not clearing after the primary link fails and then comes back online. When the primary link recovers I'm still seeing traffic going over the backup link. Any suggestions or comments?
ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.1.1
frequency 5
ip sla monitor schedule 1 life forever start-time now
!
!
!
!
username admin privilege 15 secret xxx
!
!
!
track 1 rtr 1 reachability
!
!
!
!
interface FastEthernet0/0
desc ISP 2 - Backup Connection
ip address 192.168.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1
desc ISP 1 - Primary Connection
ip address 192.168.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface FastEthernet0/3/4
!
interface FastEthernet0/3/5
!
interface FastEthernet0/3/6
!
interface FastEthernet0/3/7
!
interface FastEthernet0/3/8
description LAN
spanning-tree portfast
!
interface Vlan1
desc LAN Subnet
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1000
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.1 5
!
ip http server
no ip http secure-server
!
ip nat inside source route-map primary-nat interface FastEthernet0/0 overload
!
ip nat inside source route-map backup-nat2 interface FastEthernet0/1 overload
!
ip access-list extended nat
permit ip 192.168.0.0 0.0.0.255 any
!
route-map backup-nat2 permit 10
match ip address nat
set interface FastEthernet0/1
!
route-map primary-nat permit 10
match ip address nat
set interface FastEthernet0/0
09-08-2007 03:31 PM
Let me first start off by thanking both of you for your posts/comments :)
I tried some testing today using 'ip verify-reachability' and I still had the same problem. I'm going back into work tomorrow to test this scenario again.
I will re-test using 'ip verify-reachability' again (+ updated code) and Mohammed's suggestion with the second route being tracked and not used as a floating static route.
09-08-2007 03:40 PM
Hi,
You are very welcome :) Please try changing the route-maps as follows:
!
route-map primary-nat permit 10
match ip address nat
match interface FastEthernet0/0
!
route-map backup-nat2 permit 10
match ip address nat
match interface FastEthernet0/1
!
BR,
Mohammed Mahmoud.
09-08-2007 08:14 PM
I got a config that works. The only caveat is that you need the T train for OER support in the ip nat translation.
You will also need to play around with the 'ip nat translation timeout'.
_______________________
ip sla 1
icmp-echo 192.168.1.2
frequency 5
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability
interface Ethernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
interface Ethernet2/0
ip address 192.168.2.1 255.255.255.0
ip nat outside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.2 5
ip nat inside source route-map backup-nat interface Ethernet2/0 overload oer
ip nat inside source route-map primary-nat interface Ethernet1/0 overload oer
ip nat translation timeout 2
ip nat translation tcp-timeout 2
ip nat translation udp-timeout 2
ip nat translation icmp-timeout 2
ip access-list extended nat
permit ip 192.168.0.0 0.0.0.255 any
route-map primary-nat permit 10
match ip address nat
set ip next-hop verify-availability 192.168.1.2 1 track 1
!
route-map backup-nat permit 10
match ip address nat
set ip next-hop 192.168.2.2
____________________
Verification:
First going over the primary ISP
R2#show trac
Track 1
Response Time Reporter 1 reachability
Reachability is Up
7 changes, last change 00:00:10
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
ROUTE-MAP 0
STATIC-IP-ROUTING 0
R2#show ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 192.168.1.1:15 192.168.0.2:15 10.10.10.2:15 10.10.10.2:15
Now going over the backup ISP
R2#show trac
Track 1
Response Time Reporter 1 reachability
Reachability is Down
8 changes, last change 00:00:00
Latest operation return code: Timeout
Tracked by:
ROUTE-MAP 0
STATIC-IP-ROUTING 0
R2#show ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 192.168.2.1:16 192.168.0.2:16 10.10.10.2:16 10.10.10.2:16
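To see why the translations survive a link change at all, the following Python model (an added example, not code from the thread and not IOS code) reproduces the behaviour the short timeouts above work around: a PAT entry, once allocated, is reused until it idles out, and the route-map is consulted only when a new entry is created. The inside-global addresses are the ones from the lab config above; the hosts, the timeline and the 60-second-versus-2-second comparison are constructed for the demonstration.

```python
"""Why stale PAT entries pin traffic to the wrong ISP after a track change.

Added illustration modelling the behaviour discussed in this thread; it is
not IOS code and not the posters' configuration. Addresses follow the lab
config above (inside-global 192.168.1.1 on the primary, 192.168.2.1 on the
backup); the timeline, hosts and timeouts are constructed.
"""
from dataclasses import dataclass, field

PRIMARY_GLOBAL = "192.168.1.1"   # Ethernet1/0, ISP 1 (primary), from the lab config
BACKUP_GLOBAL = "192.168.2.1"    # Ethernet2/0, ISP 2 (backup), from the lab config


@dataclass
class Translation:
    inside_global: str
    last_used: float


@dataclass
class PatRouter:
    """Minimal PAT table: entries are reused until idle for idle_timeout seconds."""
    idle_timeout: float
    track_up: bool = True
    table: dict = field(default_factory=dict)   # (inside_local, port) -> Translation

    def active_global(self) -> str:
        # Route-map selection for a *new* translation: the primary-nat map
        # wins only while track 1 (the SLA probe towards ISP 1) is up.
        return PRIMARY_GLOBAL if self.track_up else BACKUP_GLOBAL

    def expire(self, now: float) -> list:
        """Drop idle entries (the 'NAT: expiring ...' lines in the debug)."""
        stale = [k for k, t in self.table.items() if now - t.last_used >= self.idle_timeout]
        for k in stale:
            del self.table[k]
        return stale

    def translate(self, inside_local: str, port: int, now: float) -> str:
        """Return the inside-global address a packet leaves with at time `now`.
        An existing entry is reused as-is, which is the whole problem: the
        route-map is only consulted when a new entry is allocated."""
        self.expire(now)
        key = (inside_local, port)
        entry = self.table.get(key)
        if entry is None:
            entry = Translation(self.active_global(), now)
            self.table[key] = entry
        entry.last_used = now
        return entry.inside_global


def run_timeline(idle_timeout: float) -> dict:
    """Constructed timeline: host A starts talking while ISP 1 is up, ISP 1
    fails at t=10, host B starts talking at t=12, ISP 1 recovers at t=20.
    Returns the inside-global address each host's packets carry at each step."""
    r = PatRouter(idle_timeout=idle_timeout)
    seen = {}
    seen["A@0 primary up"] = r.translate("192.168.0.2", 15, 0.0)
    r.track_up = False                                   # t=10: SLA probe times out
    seen["A@12 primary down"] = r.translate("192.168.0.2", 15, 12.0)
    seen["B@12 primary down"] = r.translate("192.168.0.3", 16, 12.0)
    r.track_up = True                                    # t=20: ISP 1 back, track 1 up
    seen["A@25 recovered"] = r.translate("192.168.0.2", 15, 25.0)
    seen["B@25 recovered"] = r.translate("192.168.0.3", 16, 25.0)
    return seen


if __name__ == "__main__":
    for timeout in (60.0, 2.0):
        print(f"ip nat translation timeout {timeout:g}")
        for step, addr in run_timeline(timeout).items():
            print(f"  {step:22s} -> {addr}")
```

With the default 60 s timer, host B, whose flow began while ISP 1 was down, is still translated to 192.168.2.1 after track 1 comes back, which is the symptom reported at the top of the thread; host A's entry from before the failure meanwhile leaves via the backup route carrying ISP 1's address, which an upstream doing source-address (BCP 38) filtering will drop. With the 2 s timer both entries have idled out before the next packet, so they follow the routing table. The price is that any flow idle for more than 2 s loses its entry, so pick the timer against the idle pattern of the applications behind the router rather than copying the lab value.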
09-09-2007 11:27 AM
Hi,
Kindly find the result of my approach attached.
When the primary route is in the routing table:
Sep 8 23:57:17.703: NAT: map match primary
When the primary route is removed from the routing table (tracked via sla) and the backup route is inserted:
Sep 9 00:13:43.363: NAT: map match backup
One thing is for sure: you need to play with the following to improve the downtime (and you must also play with the frequency and timeout of the SLA):
ip sla monitor 1
type echo protocol ipIcmpEcho 155.1.146.2
timeout 1000 (default 5000msec)
frequency 3 (default 60sec)
ip sla monitor schedule 1 start-time now life forever
track 1 rtr 1 reachability
ip nat translation timeout 2 (default 60sec)
ip nat translation tcp-timeout 2 (default 60sec)
ip nat translation udp-timeout 2 (default 60sec)
ip nat translation icmp-timeout 2 (default 60sec)
HTH,
Mohammed Mahmoud.
09-09-2007 11:52 AM
Hi,
Another test results making sure that the default route is the route used in both cases:
NOTE: In this test, since I am pinging a bogus IP 10.10.10.1 (to make sure that it will use the default route), which gives a timeout, in order for me to be able to print the show ip nat translations and the expiring entry for illustration I defaulted the NAT timeout to 60 seconds.
Rack1R1#ping 10.10.10.1 source Serial1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 155.1.0.1
Sep 9 00:39:18.823: NAT: map match primary
Sep 9 00:39:18.823: NAT: [0] Allocated Port for 155.1.0.1 -> 155.1.146.1: wanted 74 got 74
Sep 9 00:39:18.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1068]
Sep 9 00:39:18.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1068].
Sep 9 00:39:20.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1070]
Sep 9 00:39:20.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1070].
Sep 9 00:39:22.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1071]
Sep 9 00:39:22.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1071].
Sep 9 00:39:24.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1073]
Sep 9 00:39:24.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1073].
Sep 9 00:39:26.823: NAT: i: icmp (155.1.0.1, 74) -> (10.10.10.1, 74) [1075]
Sep 9 00:39:26.823: NAT: s=155.1.0.1->155.1.146.1, d=10.10.10.1 [1075].
Success rate is 0 percent (0/5)
Rack1R1#
Rack1R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 155.1.146.1:74 155.1.0.1:74 10.10.10.1:74 10.10.10.1:74
Rack1R1#
Sep 9 00:40:27.127: NAT: expiring 155.1.146.1 (155.1.0.1) icmp 74 (74)
Rack1R1#
After the primary route fails:
Rack1R1#
Rack1R1#ping 10.10.10.1 source Serial1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 155.1.0.1
Sep 9 00:41:01.399: NAT: map match backup
Sep 9 00:41:01.399: NAT: [0] Allocated Port for 155.1.0.1 -> 155.1.147.1: wanted 75 got 75
Sep 9 00:41:01.399: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1107]
Sep 9 00:41:01.399: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1107].
Sep 9 00:41:03.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1109]
Sep 9 00:41:03.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1109].
Sep 9 00:41:05.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1111]
Sep 9 00:41:05.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1111].
Sep 9 00:41:07.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1112]
Sep 9 00:41:07.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1112].
Sep 9 00:41:09.395: NAT: i: icmp (155.1.0.1, 75) -> (10.10.10.1, 75) [1114]
Sep 9 00:41:09.395: NAT: s=155.1.0.1->155.1.147.1, d=10.10.10.1 [1114].
Success rate is 0 percent (0/5)
Rack1R1#
Rack1R1#
Rack1R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 155.1.147.1:75 155.1.0.1:75 10.10.10.1:75 10.10.10.1:75
Rack1R1#
Rack1R1#
Rack1R1#
Sep 9 00:42:09.543: NAT: expiring 155.1.147.1 (155.1.0.1) icmp 75 (75)
HTH,
Mohammed Mahmoud.
09-09-2007 12:55 PM
Mohammed,
I noticed your testing and I thank you very much for all your assistance...you too Edison :). After the primary route fails and the backup takes over everything works fine...I didn't see anything in your tests that shows what happens when the primary route is restored?
Because the backup route was the last route to be active will the traffic still be sent out the backup route since NAT translations have already been established?
09-09-2007 01:21 PM
Jeff,
Here is the debug from ip nat based on my config (please note the timestamps for how quickly it recovers):
R2#
*Sep 9 21:15:31.703: NAT: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [1]
*Sep 9 21:15:31.703: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [1]
*Sep 9 21:15:31.703: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [2]
*Sep 9 21:15:31.703: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [2]
*Sep 9 21:15:31.703: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [3]
*Sep 9 21:15:31.707: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [3]
*Sep 9 21:15:31.707: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [4]
*Sep 9 21:15:31.707: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [4]
R2#
*Sep 9 21:15:34.039: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 0 (0)
R2#show track
Track 1
Response Time Reporter 1 reachability
Reachability is Up
1 change, last change 00:06:49
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
ROUTE-MAP 0
STATIC-IP-ROUTING 0
R2#show track
Track 1
Response Time Reporter 1 reachability
Reachability is Down
2 changes, last change 00:00:26
Latest operation return code: Timeout
Tracked by:
ROUTE-MAP 0
STATIC-IP-ROUTING 0
R2#
*Sep 9 21:18:00.899: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [10]
*Sep 9 21:18:00.903: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [10]
*Sep 9 21:18:00.903: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [11]
*Sep 9 21:18:00.903: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [11]
*Sep 9 21:18:00.903: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [12]
*Sep 9 21:18:00.903: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [12]
*Sep 9 21:18:00.903: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [13]
*Sep 9 21:18:00.907: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [13]
*Sep 9 21:18:00.907: NAT*: s=192.168.0.2->192.168.2.1, d=10.10.10.2 [14]
R2#
*Sep 9 21:18:00.907: NAT*: s=10.10.10.2, d=192.168.2.1->192.168.0.2 [14]
R2#
*Sep 9 21:18:03.343: NAT: expiring 192.168.2.1 (192.168.0.2) icmp 2 (2)
R2#
R2#show track
Track 1
Response Time Reporter 1 reachability
Reachability is Up
3 changes, last change 00:00:03
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
ROUTE-MAP 0
STATIC-IP-ROUTING 0
R2#
*Sep 9 21:18:50.519: NAT: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [20]
*Sep 9 21:18:50.523: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [20]
*Sep 9 21:18:50.523: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [21]
*Sep 9 21:18:50.523: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [21]
*Sep 9 21:18:50.523: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [22]
*Sep 9 21:18:50.523: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [22]
*Sep 9 21:18:50.527: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [23]
*Sep 9 21:18:50.527: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [23]
*Sep 9 21:18:50.527: NAT*: s=192.168.0.2->192.168.1.1, d=10.10.10.2 [24]
R2#
*Sep 9 21:18:50.527: NAT*: s=10.10.10.2, d=192.168.1.1->192.168.0.2 [24]
R2#
*Sep 9 21:18:52.579: NAT: expiring 192.168.1.1 (192.168.0.2) icmp 4 (4)
R2#
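The debug above shows the recovery by eye; on a production router you want the same check without `debug ip nat` running, which is itself a load risk on a busy box. The following Python script is an added example, not the thread's or Cisco's code: it parses `show track` and `show ip nat translations` output, works out which inside-global address the path selected by track 1 should produce (the address-to-path mapping is assumed from the lab config earlier in the thread), and lists translations still bound to the other ISP. The sample outputs are constructed in the format shown on this page.

```python
"""Check live NAT translations against the active path.

Added example, not code from the thread. It parses the two IOS outputs the
thread uses as evidence, `show track` and `show ip nat translations`, and
lists entries whose inside-global address does not belong to the exit that
track 1 currently selects. The address-to-role mapping is assumed from the
lab config in the thread; the sample outputs below are constructed.
"""
import re

# Assumed from the lab config: primary-nat -> Ethernet1/0, backup-nat -> Ethernet2/0
EGRESS = {"primary": "192.168.1.1", "backup": "192.168.2.1"}

TRACK_RE = re.compile(r"Reachability is (Up|Down)")

# Constructed samples in the format shown earlier in the thread.
SAMPLE_TRACK_UP = """\
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
  3 changes, last change 00:00:03
"""
SAMPLE_TRACK_DOWN = SAMPLE_TRACK_UP.replace("Reachability is Up", "Reachability is Down")
SAMPLE_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.2.1:16    192.168.0.2:16     10.10.10.2:16      10.10.10.2:16
tcp  192.168.1.1:1024  192.168.0.5:1024   10.10.10.2:80      10.10.10.2:80
tcp  192.168.2.1:1025  192.168.0.7:1025   10.10.10.2:443     10.10.10.2:443
"""


def track_is_up(show_track: str) -> bool:
    m = TRACK_RE.search(show_track)
    if m is None:
        raise ValueError("no 'Reachability is Up/Down' line in show track output")
    return m.group(1) == "Up"


def _split_addr(token: str):
    """'192.168.2.1:16' -> ('192.168.2.1', 16); a bare address or '---' -> (token, None)."""
    addr, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return addr, int(port)
    return token, None


def parse_translations(show_nat: str) -> list:
    """Parse the five-column table; header, blank and verbose-format lines are skipped."""
    rows = []
    for line in show_nat.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].lower() == "pro":
            continue
        ig, il, ol, og = (_split_addr(p) for p in parts[1:])
        rows.append({"proto": parts[0],
                     "inside_global": ig[0], "inside_global_port": ig[1],
                     "inside_local": il[0], "inside_local_port": il[1],
                     "outside_local": ol[0], "outside_global": og[0]})
    return rows


def stale_translations(show_nat: str, show_track: str) -> list:
    """Entries still using the inside-global address of the path NOT selected
    by track 1. Right after a recovery these are exactly the flows pinned to
    the backup ISP that the thread is about."""
    expected = EGRESS["primary"] if track_is_up(show_track) else EGRESS["backup"]
    return [t for t in parse_translations(show_nat) if t["inside_global"] != expected]


if __name__ == "__main__":
    for label, track in (("track up", SAMPLE_TRACK_UP), ("track down", SAMPLE_TRACK_DOWN)):
        print(label)
        for t in stale_translations(SAMPLE_NAT, track):
            print(f"  stale: {t['proto']} {t['inside_local']}:{t['inside_local_port']} "
                  f"still using {t['inside_global']}")
```

Capture the two outputs a few seconds after `show track` reports Up again and feed them in; anything listed is a flow that will keep leaving through the backup ISP until its entry expires or is cleared. Only the plain five-column form of `show ip nat translations` is parsed (static entries, which show `---` in the port-less columns, pass through; `verbose` output does not), so extend `parse_translations` before trusting it on other formats.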
09-13-2007 06:55 AM
Hi,
Just adding some queries. I believe that you're using dynamic translation. But what happens if you're using a static NAT entry? Would it still fail over based on the route-maps?
09-13-2007 07:27 AM
The problem with static NAT is that you don't have the overload option, which is needed for the OER.
I have static NAT as the redundancy operation, but I will have to lab it up.
I won't have time until later next week.
09-13-2007 08:05 AM
I have this scenario, but this time with 3 ISPs, each with its own router. Those 3 routers are connected to another router (to handle the NAT translation). The NAT router is connected to a layer 2 switch. Here is the scenario: the NAT router is a 7204 router with 4 Ethernet interfaces: 1. Digitel 2. FiberCity 3. IPLC 4. Layer 2 switch. I have created 3 static routes on the NAT router and 4 subinterfaces to support multiple public IP and private IP addresses.
Objectives:
1. NAT failover
Questions:
1. Are my static routes on the NAT router correct? I have used private IP addresses between the 4 routers. This is my lab work, and all of these are for test purposes only. For example, my server IP address is 202.118.140.68; can it still be routed to the internet? I'm getting confused here.
2. This configuration is not yet tested because I lack equipment, so I am using only a network simulator. Anyway, on the NAT part, I will try to use your suggestions.
3. Are there any conflicts in my configuration?
See attachments for my network topology and the configuration of my router.
Thanks in advance
09-13-2007 08:06 AM
09-13-2007 08:18 AM
The problem you may be facing:
if ISP '1' goes down and you configure some kind of redundancy for static NAT, then the inside device will route over to ISP '2'.
However, you need to know what kind of services this inside device is providing. External sources need to point to the new external IP. How are you planning to accomplish this?
That's the reason it's much easier with dynamic NAT. External devices don't need to know how to reach your internal network.
09-13-2007 08:26 AM
On the static NAT we're using different kinds of servers, like Call Center Application, SIP Proxy, PBX Proxy, FTP, DB and so on.
I think it's better to prepare each static NAT translation for backup, just in case one of the ISPs goes down.
Right now my concerns are: will my dynamic NAT work with this configuration? And if I use static public IP addresses, can they still be routed to the internet properly without conflict with my static route entries?
09-13-2007 09:18 AM
I can't give you a definite answer until I have a chance to lab it up.
I also suggest you start putting a config together for sharing and we can start from there as a template.
09-09-2007 12:23 PM
Interesting. Edison, would you explain the OER part for someone like me who has already read too much Cisco documentation?