Buy or Renew
Buy or Renew
Welcome to the new Cisco Community. LEARN MORE about the updates and what is coming.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

IP SLA to perform failover, but can't fail back because of NAT entries?

Go to solution
ejensenscs
Beginner
Beginner

‎02-14-2012 08:32 AM - last edited on ‎02-01-2022 06:37 AM by Community Manager

I'm trying to set up a router with 2 WANs and use SLA to failover the traffic.  There is no static NAT, just the dynamic NAT(pat).  I want to have traffic bound for one destination use WAN B and all other internet traffic use WAN A.  So the SLA is using ping to hit the gateway on both WANs and failover the traffic from one to the other when it goes down.  It works perfectly.  The problem is the failback.  I plug the 'down' wan back in and the SLA comes up and the routes fail over.  When I do the failover of WAN A it works, but doesn't fail back when WAN A comes back up.  When I get on the router and run

clear ip nat trans *

everything comes back up right away.   This is a 861 router with version c860-universalk9-mz.124-24.T5.bin

 

 

What can I do to clear out the NAT automatically? 

 

or Can I put a command in the SLA config to issue that

clear ip nat trans *

command?

 

 

 

 

 

 

 

track 101 ip sla 1 reachability

!

track 102 ip sla 2 reachability

!

ip route 0.0.0.0 0.0.0.0 100.1.1.1 track 101

ip route 209.209.209.209 255.255.255.255 200.1.1.1 track 102

ip route 0.0.0.0 0.0.0.0 200.1.1.1 10 track 102




ip sla 1

icmp-echo 100.1.1.1 source-ip 100.1.1.2

threshold 3

frequency 5

ip sla schedule 1 start-time now




ip sla 2

icmp-echo 200.1.1.1 source-ip 200.1.1.2

threshold 3

frequency 5

ip sla schedule 2 start-time now

ip sla enable reaction-alerts
Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
lucentmoon
Beginner
Beginner
In response to ejensenscs

‎02-14-2012 01:36 PM - last edited on ‎02-01-2022 06:46 AM by Community Manager

Your config looks fine.  2 options that i can find

 

1) change the nat timeout per protocol as you see fit for your network & let traffic naturally failback on its own as the entries timeout.  Nat translations only timeout if they arent used (by default 24 hours) so you wont be interrupting any traffic IF your nat timeouts are longer than any protocol/connection keepalives you might have on your network

          Pros:  nobodies traffic is disconnected since you arent manually clearing the nat table.  Cons:  you dont have instant failover that you want

see command,

ip nat translation timeout

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056211

 

 

2) An EEM/Tcl script could be used to automatically execute the command when matching specific criteria.  Criteria could be something basic like, When interfaceX goes up/up execute command

clear ip nat trans

I believe there is a running eem/tcl topic somewhere in these cisco forums

          Pros: instant failover & You dont have to touch the router for this issue again. Cons:  you might interrupt some peoples connections/traffic.

see eem/tcl sections

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/12_4t/nm_12_4t_book.html

View solution in original post

9 REPLIES 9

Go to solution
Michael Couture
Beginner
Beginner

‎02-14-2012 09:09 AM

When the link comes back up is the route populated back into the routing table? And what do you have for a NAT statement?

0 Helpful

Go to solution
ejensenscs
Beginner
Beginner
In response to Michael Couture

‎02-14-2012 10:33 AM - last edited on ‎02-01-2022 06:39 AM by Community Manager

The route statements disappear from the

show ip route

output correctly.  The traffic routes correctly, the ip SLA is working just fine.  It's the NAT part that is sticking....

 

Everything works after fail or failback as soon as I issue the

clear ip nat trans*

command.

 

 

 

ip nat inside source route-map priISP interface Vlan3 overload

ip nat inside source route-map secISP interface FastEthernet4 overload




route-map priISP permit 10

match ip address 103

match interface Vlan3

!

route-map secISP permit 10

match ip address 103

match interface FastEthernet4




access-list 103 permit ip 192.168.1.0 0.0.0.255 any

Go to solution
rizwanr74
Rising star
Rising star
In response to Michael Couture

‎02-14-2012 10:34 AM - last edited on ‎02-01-2022 06:40 AM by Community Manager

Please change this and try...

 

track 101 ip sla 1 reachability

delay down 10 up 10







ip sla 1

icmp-echo 100.1.1.1 source-ip 100.1.1.2

timeout 20000
threshold 3
frequency 5

ip sla schedule 1 start-time now


----------------------------------------------

 

Remove this lines...

 

ip route 209.209.209.209 255.255.255.255 200.1.1.1 track 102

track 102 ip sla 2 reachability




ip sla 2

icmp-echo 200.1.1.1 source-ip 200.1.1.2

threshold 3

frequency 5

ip sla schedule 2 start-time now

ip sla enable reaction-alerts


 

 

 

Let me know the results

 

 

thanks

Rizwan Rafeek

0 Helpful