Solved: NAT Timeout for Failover w/ Dual ISPs

ualbdp2c1 · ‎02-04-2014

I have failover configured, tested, and verified using IP SLA, policy-based routing, and NAT failover as outlined in this guide:

http://docwiki.cisco.com/wiki/NAT_failover_with_DUAL_ISP_on_a_router_Configuration_Example

The problem is it takes about 60 seconds for active nat translations to timeout. Is there a recommended way to shorten this length of time other than changing the NAT timeout value globally?

Platform: 2921

IOS: 15.2(4) M4

Topology:

------------- ISP1 -------------

| |

| Int Gi0/1 |

LAN -- WAN router Internet

| Int Gi0/2 |

| |

------------- ISP2 -------------

Config:

ip sla 1

icmp-echo 1.1.1.1 source-ip 1.1.1.2

threshold 250

timeout 900

frequency 3

ip sla schedule 1 life forever start-time now

!

ip sla 2

icmp-echo 2.2.2.1 source-ip 2.2.2.2

threshold 250

timeout 900

frequency 3

ip sla schedule 2 life forever start-time now

!

track 1 ip sla 1 reachability

!

track 2 ip sla 2 reachability

!

ip access-list extended Default-Traffic-PBR

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

permit ip 192.168.0.0 0.0.255.255 any

!

ip access-list extended Media-Lab-PBR

deny ip 192.168.19.0 0.0.0.255 192.168.0.0 0.0.255.255

permit ip 192.168.19.0 0.0.0.255 any

!

route-map Default-Traffic-PBR permit 10

match ip address Default-Traffic-PBR

set ip next-hop 2.2.2.1 10 track 2

set ip next-hop 1.1.1.1 20 track 1

!

route-map Media-Lab-PBR permit 10

match ip address Media-Lab-PBR

set ip next-hop 1.1.1.1 10 track 1

set ip next-hop 2.2.2.1 20 track 2

!

ip local policy route-map Default-Traffic-PBR

!

interface GigabitEthernet0/0.16

ip policy route-map Default-Traffic-PBR

!

interface GigabitEthernet0/0.19

ip policy route-map Media-Lab-PBR

!

! NAT CONFIGURATION

!

ip access-list extended NAT_ACL

deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

permit ip 192.168.0.0 0.0.255.255 any

!

route-map ISP1_NAT permit 10

match ip address NAT_ACL

match interface GigabitEthernet0/1

!

route-map ISP2_NAT permit 10

match ip address NAT_ACL

match interface GigabitEthernet0/2

!

ip nat inside source route-map ISP1_NAT interface GigabitEthernet0/1 overload

!

ip nat inside source route-map ISP2_NAT interface GigabitEthernet0/2 overload

!

end

Vishesh Verma · ‎02-04-2014

Hi,

You can use following EEM script to help in your case.

!

event manager applet NAT-TRACK

event syslog pattern "TRACKING-5-STATE"

action 0.1 cli command "enable"

action 0.2 wait 3

action 0.3 cli command "clear ip nat translations *"

action 0.4 syslog msg "NAT translation cleared after track state change"

!

Hope it helps...!!!

View solution in original post

Vishesh Verma · ‎02-04-2014

Hi,

You can use following EEM script to help in your case.

!

event manager applet NAT-TRACK

event syslog pattern "TRACKING-5-STATE"

action 0.1 cli command "enable"

action 0.2 wait 3

action 0.3 cli command "clear ip nat translations *"

action 0.4 syslog msg "NAT translation cleared after track state change"

!

Hope it helps...!!!

ualbdp2c1 · ‎02-04-2014

Vishesh,

Many thanks for the reply. I think this will work for us. Just one follow-up question... I'm assuming it's not advised to delete the translations for the connection that is still active. For example, that translation table has entries for both ISP 1 and ISP 2. ISP 1 goes down, so only delete translations where ISP 1 is the inside global address.

Do you agree?

Thanks again,

Brad

Vishesh Verma · ‎02-05-2014

Brad,

Yes, you can use clear ip nat inside in the eem to suit your requirement.

-Vishesh

ualbdp2c1 · ‎02-05-2014

Great. Many thanks for the assistance!

NAT Timeout for Failover w/ Dual ISPs

Cisco 3560 Dual ISP Failover help

NAT Timeout for Failover w/ Dual ISPs

Configure Dual ISP Failover for FTD Managed by FMC

Firewall 1210 isp failover

Dual ISP BGP dual router auto failover