Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3984
Views
75
Helpful
33
Replies

EEM nat overload weirdness

Patrick McHenry
Level 4
Level 4

‎08-27-2012 01:20 PM - edited ‎03-07-2019 08:33 AM

I've configured the EEM to bring up a backup interface. In the EEM config, I have - action A37 cli command "ip nat inside source list nat_acl interface GigabitEthernet0/2 overload". This makes g0/2 the source of the nat translations. When I fail back to the primary interface g0/0, I  have action A35 cli command "ip nat inside source list nat_acl interface GigabitEthernet0/0 overload", but it doesn't seem to take.

And when I do a "show run | i nat", I get: " ip nat inside source list nat_acl interface GigabitEthernet0/2 overload'

But the weird thing is that it still works. I have a phone and a laptop connected to it and can make calls and the laptop can traverse the Internet. Does the router just use the interface that is available?     

Any ideas why this still works and any ideas how I can get EEM to change the nat list?

Thanks, Pat.

Labels:
0 Helpful
33 Replies 33

Patrick McHenry
Level 4
Level 4
In response to John Blakley

‎08-28-2012 02:16 PM

what is the default?

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎08-28-2012 02:47 PM

The default is 20 seconds as far as I know...

HTH, John *** Please rate all useful posts ***

Patrick McHenry
Level 4
Level 4
In response to John Blakley

‎08-29-2012 09:14 AM

I changed the maxrun as you suggested but, it still fails:

.Aug 29 12:01:01 EST-DST: %HA_EM-6-LOG: FAIL_TO_BACKUP_INTERFACE : DEBUG(cli_lib) : : IN  : mchenry(config)#no ip nat inside source list nat_acl interface GigabitEthernet0/0 overload

.Aug 29 12:01:01 EST-DST: %HA_EM-6-LOG: FAIL_TO_BACKUP_INTERFACE : DEBUG(cli_lib) : : OUT :

.Aug 29 12:01:01 EST-DST: %HA_EM-6-LOG: FAIL_TO_BACKUP_INTERFACE : DEBUG(cli_lib) : : OUT : Dynamic mapping in use, do you want to delete all entries? [no]:

.Aug 29 12:01:01 EST-DST: %HA_EM-6-LOG: FAIL_TO_BACKUP_INTERFACE : DEBUG(cli_lib) : : IN  : yes

.Aug 29 12:01:01 EST-DST: %HA_EM-6-LOG: FAIL_TO_BACKUP_INTERFACE : DEBUG(cli_lib) : : OUT : %Error: Dynamic mapping still in use, cannot remove

.Aug 29 12:01:01 EST-DST: %HA_EM-6-LOG: FAIL_TO_BACKUP_INTERFACE : DEBUG(cli_lib) : : OUT : mchenry(config)#

.Aug 29 12:01:01 EST-DST: %HA_EM-6-LOG: FAIL_TO_BACKUP_INTERFACE : DEBUG(cli_lib) : : IN  : mchenry(config)#ip nat inside source list nat_acl interface GigabitEthernet0/2 overload

.Aug 29 12:01:01 EST-DST: %HA_EM-6-LOG: FAIL_TO_BACKUP_INTERFACE : DEBUG(cli_lib) : : OUT : %Dynamic mapping in use, cannot change

I also tried to do it manually and stiil won't let me.

mchenry#clear ip nat trans *
mchenry#config t
Enter configuration commands, one per line.  End with CNTL/Z.
mchenry(config)#no ip nat inside source list nat_acl interface GigabitEthernet$

Dynamic mapping in use, do you want to delete all entries? [no]: yes
%Error: Dynamic mapping still in use, cannot remove
mchenry(config)#

How can I remove those dynamic mappings?

Thanks  Pat

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎08-29-2012 09:31 AM

Here are a couple of methods:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094422.shtml

You could try to delete the mappings manually using these methods (generally removing nat configuration all together, and then you could put those lines into your script.

HTH, John *** Please rate all useful posts ***

Patrick McHenry
Level 4
Level 4
In response to John Blakley

‎08-29-2012 09:39 AM

I was just on that same web page. I tried what they suggest. I also did all that and deleted the nat_acl before.

It seems no matter what I do the translations still exist.

Thanks, Pat

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎08-29-2012 09:40 AM

Hmm..what version IOS are you on and the platform? Is this a test unit or production? What happens if you pull the nat inside line off of the interface? Do translations still show?

HTH, John *** Please rate all useful posts ***

Patrick McHenry
Level 4
Level 4
In response to John Blakley

‎08-29-2012 09:43 AM

This is test

Cisco 2951

image: flash0:c2951-universalk9-mz.SPA.151-4.M2.bin

0 Helpful

Patrick McHenry
Level 4
Level 4
In response to John Blakley

‎08-29-2012 09:44 AM

mchenry#sh ip nat trans

mchenry#

There is nothing there

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎08-29-2012 09:53 AM

So, you can't delete translations that aren't there or were you able to succesfully delete them?

HTH, John *** Please rate all useful posts ***

Patrick McHenry
Level 4
Level 4
In response to John Blakley

‎08-29-2012 09:55 AM

It looks like I delete them but, am not really deleteing thm. Could they be static?

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎08-29-2012 09:59 AM

Your static addresses will show up in the translation table even after clearing the translations. I'm looking for a bug, but I can't find one that deals with that version. I would probably suggest trying to update the ios to see if that helps.

One other question though, what do you get if you do a "show ip nat nvi translati"

HTH, John *** Please rate all useful posts ***

Patrick McHenry
Level 4
Level 4
In response to John Blakley

‎08-29-2012 10:06 AM

Nothing:

mchenry#show ip nat nvi translati

mchenry#

mchenry#

But I did a "no ip nat outside' on the g0/0 interface and this is the message I got.

Aug 29 13:04:07.588 EST-DST: %IP_VFR-7-FEATURE_STATUS_IN: VFR(in) is being used by other features. Will be disabled when no other feature needs VFR support on interface GigabitEthernet0/0

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎08-29-2012 11:53 AM

Can you post the interface for both outside and inside minus the ip addressing?

HTH, John *** Please rate all useful posts ***

Patrick McHenry
Level 4
Level 4
In response to John Blakley

‎08-29-2012 12:20 PM

I hope this is what you wanted - no sure. The VPN is dynamic - so no public address.

interface GigabitEthernet0/0

description $ES_WAN$$FW_OUTSIDE$

no ip dhcp client request tftp-server-address

ip address dhcp

ip access-group fw_acl in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no cdp enable

service-policy output shaper

!

interface GigabitEthernet0/1

description Corporate Access

ip address 172.17.0.17 255.255.255.240

ip access-group 100 in

no ip redirects

no ip unreachables

ip nat inside

ip inspect cvo-inspect in

ip virtual-reassembly in

ip tcp adjust-mss 1360

shutdown

duplex auto

speed auto

service-policy input mark_incoming_traffic

!

interface GigabitEthernet0/2

description $ES_WAN$$FW_OUTSIDE$

no ip dhcp client request tftp-server-address

ip address dhcp

ip access-group fw_acl in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no cdp enable

service-policy output shaper

!

Thank you, Pat.

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to Patrick McHenry

‎08-29-2012 12:23 PM

Hmmm...You could try removing ip virtual-reassembly from the interface before doing nat. That's where the VFR comes from...Then try to disable nat on the interface.

HTH, John *** Please rate all useful posts ***
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card