cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1229
Views
5
Helpful
5
Replies

Nat overload and IPSLA

davidfield
Level 3
Level 3

Hello All,

I have an issue where I have a router with 2 Wan exit points.  I have setup IPSLA to roll from a 3G connection to a Vsat connection if the 3G internet path is unavailable.  All looks ok and I get reliable route updates in the route table for the failover.  My issue is that the Nat overload route map is not operating correctly.  When I roll from 3G to Vsat traffic flows ok. When the 3G come back online the route is re-entred into the route table but I get no traffic throughput.  When I remove the Vsat Overload statement the traffic flows back out the 3G.  Am I missing something?  Any advise much appreciated

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.2.1 192.168.2.99

ip dhcp excluded-address 192.168.2.150 192.168.2.240

ip dhcp excluded-address 192.168.1.1 192.168.1.99

ip dhcp excluded-address 192.168.1.170 192.168.1.254

!

ip dhcp pool avnet

   network 192.168.2.0 255.255.255.0

   default-router 192.168.2.1

   dns-server 192.168.2.1

   domain-name X.local

   lease 7

!

ip dhcp pool user_Media

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 192.168.1.1

   domain-name X.local

   lease 3

!

!

ip domain name X.local

ip name-server 192.168.15.1

ip name-server 8.8.8.8

!

multilink bundle-name authenticated

!

!

archive

log config

  hidekeys

!

!

!

track 1 rtr 1 reachability

delay down 120

!

!

!

interface FastEthernet0

description Uplink to SW1

switchport mode trunk

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

description Uplink to Vsat

switchport access vlan 254

spanning-tree portfast

!

interface FastEthernet4

description Vsat

ip address 4.x.x.162 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Vlan1

description User_Media_Network

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan254

description 3G router

ip address dhcp

ip nat outside

ip virtual-reassembly

!

ip route 0.0.0.0 0.0.0.0 172.16.4.1 track 1

ip route 0.0.0.0 0.0.0.0 4.x.x.161 100

ip route 8.8.4.4 255.255.255.255 172.16.4.1

!

!

ip nat inside source route-map 3G interface Vlan254 overload

ip nat inside source route-map Vsat interface FastEthernet4 overload

!

ip sla 1

icmp-echo 8.8.4.4 source-interface Vlan254

frequency 5

ip sla schedule 1 life forever start-time now

access-list 1 permit 192.168.0.0 0.0.255.255

!

!

!

route-map Vsat permit 1

match ip address 1

match interface FastEthernet4

!

route-map 3G permit 2

match ip address 1

match interface Vlan254

!

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

login

!

scheduler max-task-time 5000

!

1 Accepted Solution

Accepted Solutions

cadet alain
VIP Alumni
VIP Alumni

Hi,

you shoud use local PBR to force the router to always source the ip sla probe from the primary interface:

ip access-list extended SLAPROBE_ACL

permit icmp any host 8.8.4.4

route-map SLAPROBE permit 10

match ip address SLAPROBE_ACL

set ip next-hop x.x.x.x                         where x.x.x.x is next-hop for primary path.

ip local policy route-map SLAPROBE

Regards.

Alain.

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

5 Replies 5

cadet alain
VIP Alumni
VIP Alumni

Hi,

you shoud use local PBR to force the router to always source the ip sla probe from the primary interface:

ip access-list extended SLAPROBE_ACL

permit icmp any host 8.8.4.4

route-map SLAPROBE permit 10

match ip address SLAPROBE_ACL

set ip next-hop x.x.x.x                         where x.x.x.x is next-hop for primary path.

ip local policy route-map SLAPROBE

Regards.

Alain.

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

davidfield
Level 3
Level 3

Thanks Alain,

Took me a while to getting around to testing this, but it works perfectly.

Regards

David

Hello All,

Alain's assistance certainly helped with the failover which works nicely but I've hit a problem where the end points (PCs) after cut over cannot connect to the internet without flushing the PC's various caches.  I can however start a new browser session on a different machine and all is ok.  Am I missing something here? should as part of my IPSLA setup I flush the sessions?  If so any recommendations on the best way?

Unfortunately my users are able to wait or undertake any remedial work themselves and they just sit there.

Thanks in advance

David

Hi,

you could use EEM to clear the NAT translations( example 3 in this reference 

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6815/config_guide_eem_configuration_for_cisco_integrated_services_router_platforms.html

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Alian you are the man.  EEM is exactly what I was looking for.  I've not used it before and it looks very powerful as a tool.

Thanks again.

Review Cisco Networking for a $25 gift card