Paul,

Have you checked the Bug report at all? I know we need to upgrade these routers for several reasons to the new (22)T2, but not sure at this time. I don't remember well enough from this lab for sure what I tested when it was done. The NAT entries were definitely there, or maybe I forgot to save it during all those annoying reboots. I will have to go back to that lab and retest several things like all the crashes on R2 (which I think is resolved in (22)T2, as I had a similar problem in a lab I am working on but no longer with the new code). Let me know if you find anything and I will keep you informed of anything I find when I come back to this after finishing some labs that I am about ready to release.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities: http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: Paul Stewart [mailto:[email protected]]
Sent: Saturday, August 01, 2009 10:38 PM
To: Tyson Scott
Cc: [email protected]
Subject: Re: 2a HA Items

I have worked with this quite a bit. I understand how it is supposed to work and can get SNAT and stateful CBAC to work well independently of one another. I labbed this up and had the same issues. Everything worked until I got to 2.8. Then SNAT breaks. So I decided to revert and bring in the final configs on R1 and R6. The error went away, but SNAT was broken worse than ever. I noticed that the "ip inspect log drop-pkt" was not in the config (probably not a requirement, but it is quite handy). I put that in expecting to see the error. No error, but no SNAT peers either.

I decided to remove the ACL and INSPECT from fa0/1.1256. Still no go. Then I noticed that the nat statement is completely missing from the final config on R6. It is also missing in the download from the download area. I added the nat statement and SNAT converged. I went back and merged the rest of the config back in and all was still well. Then stateful CBAC required 2 reboots of R6. At this point, with "ip inspect log drop-pkt" enabled, the errors return and stateful NAT is no longer converging. So I don't know if this is a bug or what. However, I'm not sure this lab fully works when you bring 2.8 into the picture.

As I mentioned earlier, I do question the stateful ID number. It seems to work even with them both being the same until you actually turn the inspections on in 2.8. However, every book and document that I can find that has any detail says this is used to determine which router created a NAT entry and should be unique per router. Basically it is an extra field in a NAT entry. I'm not sure how that matters, unless it gives special rights to the router to delete those translations.

I guess I am curious if anyone has made certain that CBAC HA was functioning correctly, then rechecked Stateful NAT to see that the child entries were creating? Am I missing something?

On Sat, Aug 1, 2009 at 9:50 AM, Paul Stewart <[email protected]> wrote:

They are not propagated. However, they were, even after the CBAC and the INSPECT HA were configured. Once I rebooted, and a "show redundancy inter-device" showed good, SNAT was no longer propagated.

On Sat, Aug 1, 2009 at 9:38 AM, Tyson Scott <[email protected]> wrote:

Sorry, let me correct that. Did you check the Stateful NAT table to see if the entries are properly propagated?

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Friday, July 31, 2009 10:18 PM
To: [email protected]
Subject: [OSL | CCIE_Security] 2a HA Items

I get the following when I combine stateful CBAC and Stateful NAT. When I enable Stateful NAT all is well. Stateful CBAC all is well, until you do the reboot that is required to bring the redundancy scheme into sync. Then it seems as though it breaks the stateful NAT. Really, in this case stateful NAT is unnecessary, because it is all one to one. However, the directions ask for stateful NAT, so I assume that we need to get it so the child sessions can be created. I guess my question is: what is the error below trying to tell me?

*Aug 1 03:11:57.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 12839
R6#
*Aug 1 03:12:27.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 13323
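Added example, not part of the thread and not IPexpert's lab config: a minimal pair of IOS configurations that puts Stateful NAT (SNAT) and IOS Firewall stateful failover on the same HSRP group, showing the two fields the thread argues about. The "ip nat stateful id" is set differently on each router (it identifies which router created a translation), while the "mapping-id" is identical on both (it ties the shared translation set together), and the inspect rule is bound to the same HSRP group name that the inter-device redundancy scheme uses. Hostnames, the HSRP group name SNAT-HA, interfaces, addresses (10.0.0.0/24 inside, 203.0.113.0/24 outside), pool name and the inspect rule name FW are all constructed for this example; the verification commands at the end are the ones a practitioner would use to confirm that peers and translations are present before and after the reboot that inter-device redundancy requires.

```cisco
! ===== R1 (active) =====
hostname R1
!
! Inter-device redundancy rides on the HSRP group named SNAT-HA (constructed name).
redundancy inter-device
 scheme standby SNAT-HA
!
! SCTP transport that carries firewall session state between the two routers.
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.0.1
   remote-port 5000
    remote-ip 10.0.0.2
!
! Stateful NAT: the id is unique per router (1 on R1, 2 on R6);
! the mapping-id is shared so both routers exchange the same translation set.
ip nat stateful id 1
 redundancy SNAT-HA
 mapping-id 10
!
ip nat pool SNAT-POOL 203.0.113.10 203.0.113.20 prefix-length 24
ip nat inside source route-map SNAT-RM pool SNAT-POOL mapping-id 10 overload
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
route-map SNAT-RM permit 10
 match ip address 101
!
! CBAC rule; "redundancy stateful" on the interface binding is what makes
! the inspect sessions follow the HSRP state. Log drops so the
! "%FW-6-DROP_PKT ... HA standby mode" message from the thread is visible.
ip inspect log drop-pkt
ip inspect name FW tcp
ip inspect name FW udp
!
interface FastEthernet0/0
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip inspect FW in redundancy stateful SNAT-HA
 standby 1 ip 10.0.0.254
 standby 1 name SNAT-HA
 standby 1 priority 110
 standby 1 preempt
 standby delay reload 120
!
interface FastEthernet0/1
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! ===== R6 (standby): identical except hostname, addresses, HSRP priority
! and, critically, a different stateful id with the SAME mapping-id =====
hostname R6
!
redundancy inter-device
 scheme standby SNAT-HA
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.0.2
   remote-port 5000
    remote-ip 10.0.0.1
!
ip nat stateful id 2
 redundancy SNAT-HA
 mapping-id 10
!
! (pool, route-map, ACL, inspect rules and interface config as on R1,
!  with R6's own addresses and "standby 1 priority 100")
!
! ===== Verification, on each router, after the reboot that brings
! the redundancy scheme into sync =====
! show redundancy inter-device        ! scheme and peer state
! show ip snat distributed verbose    ! SNAT peer(s) and mapping-id 10 present?
! show ip nat translations verbose    ! entries, and whether the peer's appear
! show ip inspect sessions            ! inspect sessions on active vs. standby
```

The check that separates a configuration error from a code problem is to compare "show ip snat distributed verbose" and "show ip nat translations" on both routers immediately after "show redundancy inter-device" reports the peer as up: if the peer is listed but translations created on the active never appear on the standby, the mapping-id and stateful-id pairing is the first thing to verify, since a duplicated stateful id leaves the standby unable to tell its own entries from the peer's.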
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
