Yes, the HSRP groups were both active on R1. This message was from R6. 9.9.156.11 is R1. The communication that is being dropped is the SNAT updates from R1 to R6. This doesn't happen until a "show redundancy inter-device" shows correctly. For example, I rebooted the devices after configuring CBAC redundancy, enabled ip inspect log drop-pkt, and it started showing. Prior to the reboot, SNAT worked properly and created child entries.

Be aware that in the real world stateful nat is not necessary in this scenario for two reasons. First we are doing a net to net static mapping. Therefore, they don't need the mapping-id. Child nodes would create automatically in a failover. Second, the global address would not be arped from an upstream device. Therefore, the "redundancy <standby grp>" does not need to be present to force a response only with the hsrp multicast mac. However, the task states "stateful", so we must create the child entries and this was what I was having issues with. I will probably go through this again and let the group know if it happens again.

On Sat, Aug 1, 2009 at 9:34 AM, Tyson Scott <[email protected]> wrote:

> Paul,
>
> Are both HSRP Groups active on the correct device? It is dropping traffic
> because it doesn’t think it should be passing the traffic.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Paul Stewart
> *Sent:* Friday, July 31, 2009 10:18 PM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] 2a HA Items
>
> I get the following when I combine stateful CBAC and Stateful NAT. When I
> enable Stateful NAT all is well. Stateful CBAC all is well, until you do
> the reboot that is required to bring the redundancy scheme into sync. Then
> it seems as though it breaks the stateful nat. Really in this case,
> stateful nat is unnecessary, because it is all one to one. However, the
> directions ask for stateful NAT, so I assume that we need to get it so the
> child sessions can be created. I guess my question is what is the error
> below trying to tell me?
>
> *Aug 1 03:11:57.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 12839
> R6#
> *Aug 1 03:12:27.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 13323
