They are not propagated. However, they even after the CBAC and the INSPECT HA were configured. Once I rebooted, and a "show redundancy inter-device" showed good, SNAT was no longer propagated.

On Sat, Aug 1, 2009 at 9:38 AM, Tyson Scott <[email protected]> wrote:

> Sorry,
>
> Let me correct that. Did you check the Stateful NAT table to see if the entries are properly propagated?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Paul Stewart
> *Sent:* Friday, July 31, 2009 10:18 PM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] 2a HA Items
>
> I get the following when I combine stateful CBAC and Stateful NAT. When I enable Stateful NAT all is well. Stateful CBAC all is well, until you do the reboot that is required to bring the redundancy scheme into sync. Then it seems as though it breaks the stateful NAT. Really in this case, stateful NAT is unnecessary, because it is all one to one. However, the directions ask for stateful NAT, so I assume that we need to get it so the child sessions can be created. I guess my question is what is the error below trying to tell me?
>
> *Aug 1 03:11:57.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 12839
> R6#
> *Aug 1 03:12:27.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 13323