04-02-2009 09:17 AM - edited 03-04-2019 04:12 AM
Ok, so I have a 2811 router that has IOS Firewall in it. The router is doing PAT for inside hosts, and is connected to two ISPs.
Solution desired is that one of the ISPs gets used as a "backup". So SLA policies go in, and voilà. It fails over and starts using the backup ISP, until that backup ISP comes back up (via a pingable address in their network).
The only trouble in paradise is this:
Existing PAT translations do not get cleared, and so devices that are talking constantly (such as SIP devices) always have existing translations, and thus do not appear to fail over until they somehow create a new xlate (for example, rebooting a SIP device).
Is there a way, in conjunction with ip sla policies, to force a clearing of all ip nat trans *? Or, failing that, something else I should be using to get that functionality out of this failover scenario?
Thanks in advance for your help.
04-09-2009 01:35 PM
You can be aggressive on the 'nat translation time-out', which by default, and depending on the port, can be up to 24 hours.
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html#wp1013201
HTH,
__
Edison.
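As an added illustration (not configuration posted in this thread), the following IOS fragment puts the pieces discussed together: SLA tracking with a floating static route, interface-bound PAT on both ISP links, the aggressive translation timeouts suggested above, and an EEM applet that flushes translations when the track changes state so long-lived flows such as SIP rebuild on the active ISP. Interface names, addresses and timer values are placeholders, and EEM track events are assumed to be supported by the IOS release in use.

```cisco
! Constructed example: interface names, addresses and timers are placeholders
! Track a pingable host in ISP1's network through the primary link
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 10 ip sla 1 reachability
!
! Primary default route follows the track; floating static via ISP2 takes over
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! NAT boundaries: LAN inside, both ISP links outside
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat outside
interface Vlan1
 ip nat inside
!
! PAT on each ISP interface; the route-map binds translations to the egress interface
ip access-list standard INSIDE_NETS
 permit 10.0.0.0 0.0.0.255
route-map ISP1 permit 10
 match ip address INSIDE_NETS
 match interface FastEthernet0/0
route-map ISP2 permit 10
 match ip address INSIDE_NETS
 match interface FastEthernet0/1
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
! Aggressive translation timeouts, as suggested in the thread (defaults are far longer)
ip nat translation timeout 300
ip nat translation udp-timeout 60
ip nat translation tcp-timeout 300
!
! Assumed addition beyond the thread: clear all translations on any track state change,
! so existing xlates stop pinning constant talkers (SIP phones) to the failed ISP
event manager applet NAT_FAILOVER
 event track 10 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "Track 10 changed state, NAT translations cleared"
```

The applet fires on both the down and the up transition, so flows also move back to the primary ISP once it recovers; the syslog action gives a log line to alert on for each failover event.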
04-09-2009 01:38 PM
Wasn't the magic "oer" keyword in the nat statement supposed to resolve this?
04-09-2009 03:07 PM
Yes, you are triggering my memory. I did a lab, in which you were a thread participant, on this subject.
The problem with 'oer' is that it is only available on selected trains.
I can't exactly recall if 'oer' by itself takes care of it. I believe in that lab, I had to use the aggressive time-out as well.
__
Edison.
04-30-2010 03:56 PM
I am having the same issue; does anyone know a fix for this?