VRRP + static NAT + overloading HA + WAN routing BGP Failover

jbarfield
Level 1

Good afternoon,

I am having an issue in a newly configured environment that I have set up for failover using VRRP on two Cisco 1921 routers with IOS 15.2.

My data center requires that I use BGP for the WAN side inbound connections and I am using VRRP in my network for outbound connection failover.

VRRP and BGP both appear to work as designed. If I shut down one router the BGP announced network path fails over to the failover router as expected.

Internally the secondary router will pickup the master VRRP address.

The problem that I am having is with NAT.

Static NAT connections will come in through the active router but for some odd reason are being sent out the failover router.

The same thing occurs with NAT overloading connections.

Some users accessing the internet can access the internet fine while others cannot at all.

This is because their traffic destined for the virtual IP address gateway is going to both routers.

Well the problem with this scenario is that the failover router doesn't have the announced IP route unless the primary fails.

sh vrrp brief on the master shows this router as the master and sh vrrp brief on the backup shows this router as the backup.

So why on earth is any outbound traffic ever going to the backup router??? I'm pulling my hair out on this one.

I spent last night changing all of my NAT configurations to use stateful NAT with a redundancy group and I thought that it was fixed, but then this morning people went into the office and had the same problem.

It would make sense to me if the backup router showed master or something but it doesn't. ARP tables are correct and everything.

I do not want to use HSRP because I don't want to waste any more IP addresses in my inside global scope. I have variably subnetted my global network into separate VLANs and /30s, /29s and so forth.

My configs are very lengthy should I post them publicly? Editing all of the IP's out will be very complex.

Any help is greatly appreciated. I am tearing my hair out here.

5 Replies

Abzal
Level 7

Hi John,

Does it happen all the time or just sometime during failover?

Is default gateway on hosts configured correctly? Is it virtual IP?

During this problem try to check ARP cache on hosts that are having issue.

And config of routers would be helpful. Before posting edit your public IPs.

Hope it will help.

Best regards,
Abzal


The minute I turn the failover router on the condition occurs for anyone sitting behind NAT. Or for anyone on the internet trying to connect to the servers behind Static NAT. I was actually thinking that it was an ARP issue but the problem is that all of the ARP tables look correct when the condition occurs.

It's acting almost like a load balancer, which I do not want. All I want is for the secondary router to sit there doing nothing unless the main router goes down.

As I stated in the initial post, my config has many interfaces and ACLs and could potentially take a very long time to edit.

What would you think about a scrubbed config shared privately?

I guess that I could just share the relevant interface and NAT configs.

I will post these publicly tomorrow.

I look forward to your thoughts.

Sorry I didn't answer all of your questions either.

The default gateway is configured correctly on all hosts.

It is virtual IP.

I use the interface IP as the VRRP virtual IP, with default priority 255 on the primary and 100 on the secondary.

Ok, I see.

Now let's try this

show vrrp // on both routers, to find out their virtual MAC addresses.

Shutdown primary VRRP router, then after some time turn it back online. And check MAC address table on a switch (I'm assuming they are directly connected to one switch).

Note: on switches the default MAC address age is 300 seconds.

show mac address-table | inc 0000.5e00.01

There should be MAC address of primary VRRP router. If there is still an issue with NAT try to clear MAC address on that switch and see if issue still persists.

Hope it will help.

Best regards,
Abzal

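As an added example (not from this thread or either poster), a small Python check that applies the MAC-table test described above: it parses constructed IOS-style `show mac address-table` lines, picks out the VRRP virtual MACs (0000.5e00.01xx, where xx is the VRID) and reports whether each one is learned on the port that leads to the master router. The port names Po1 (master) and Po2 (backup) and the sample table are assumptions made for the example.

```python
import re

# VRRP virtual MAC: 00-00-5E-00-01-{VRID}; the last octet is the group number.
VRRP_MAC_RE = re.compile(r"0000\.5e00\.01([0-9a-f]{2})")

# IOS-style 'show mac address-table' row: VLAN, MAC, type, port.
MAC_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.IGNORECASE
)

# Constructed sample output (not captured from the poster's switches):
# VLAN 10's virtual MAC is learned on Po2, the backup router's port-channel,
# which is the stale/wrong-port condition the thread is chasing.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.5e00.0101    DYNAMIC     Po2
  20    0000.5e00.0101    DYNAMIC     Po1
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/5
"""


def parse_mac_table(text):
    """Return {(vlan, mac): set(ports)} from 'show mac address-table' text."""
    entries = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if not m:
            continue  # banner, header and separator lines
        vlan, mac, _type, port = m.groups()
        entries.setdefault((int(vlan), mac.lower()), set()).add(port)
    return entries


def check_vrrp_virtual_macs(mac_table_text, master_port):
    """For each VRRP virtual MAC, report VLAN, VRID, learned ports and status.

    status is 'ok' when the MAC is learned only on master_port, otherwise
    'wrong-port' (stale entry or backup answering for the virtual address).
    """
    findings = []
    for (vlan, mac), ports in parse_mac_table(mac_table_text).items():
        vm = VRRP_MAC_RE.fullmatch(mac)
        if not vm:
            continue  # ordinary host MAC
        vrid = int(vm.group(1), 16)
        status = "ok" if ports == {master_port} else "wrong-port"
        findings.append({"vlan": vlan, "vrid": vrid, "ports": sorted(ports), "status": status})
    return findings


if __name__ == "__main__":
    for f in check_vrrp_virtual_macs(SAMPLE_MAC_TABLE, "Po1"):
        print(f"VLAN {f['vlan']} VRID {f['vrid']} on {','.join(f['ports'])}: {f['status']}")
```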

I will try that tomorrow.

They are connected to two different switches.

Router one is connected via an L2 port channel to switch one.

Router two is connected via an L2 port channel to switch two.

The switches are Extreme Networks Summit X440 switches connected via Summit stacking technology using a 40 Gbps Extreme stacking cable.
