The issue may be the bug below. I took the advice and bounced the interface on R1. This did cause it to converge, then it rebooted because of the CBAC HA. When it came up R6 rebooted. Strange thing is it is now working. This stuff is so flaky. This is like alpha stuff in my opinion. I'd never use this in production.
CSCsy89234 Bug Details
SNAT state never converges after reloading or configuring SNAT

Symptoms: Stateful Fail-over of Network Address Translation (SNAT) in primary/backup mode does not converge.
Conditions: Occurs after a no shut of the interface following a router reload, and then configuring SNAT on the primary router.
Workaround: Perform a shut/no shut of the SNAT interface on the primary router.

On Sun, Aug 2, 2009 at 12:33 AM, Paul Stewart <[email protected]> wrote:
> I've not checked the bug report, but that is a good point. I'll let you
> know if I find anything. Thanks for the quick response on a Saturday night.
>
> On Sun, Aug 2, 2009 at 12:05 AM, Tyson Scott <[email protected]> wrote:
>
>> Paul,
>>
>> Have you checked the Bug report at all? I know we need to upgrade these
>> routers for several reasons to the new (22)T2 but not sure at this time. I
>> don't remember well enough from this lab for sure what I tested when it was
>> done. The NAT entries were definitely there, or maybe I forgot to save it
>> during all those annoying reboots. I will have to go back to that lab and
>> retest several things like all the crashes on R2 (which I think is resolved
>> in (22)T2, as I had a similar problem in a lab I am working on but no longer
>> with the new code). Let me know if you find anything and I will keep you
>> informed of anything I find when I come back to this after finishing some
>> labs that I am about ready to release.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>> Telephone: +1.810.326.1444
>> Cell: +1.248.504.7309
>> Fax: +1.810.454.0130
>> Mailto: [email protected]
>>
>> Join our free online support and peer group communities:
>> http://www.IPexpert.com/communities
>>
>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
>> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
>> Storage Lab Certifications.
>>
>> From: Paul Stewart [mailto:[email protected]]
>> Sent: Saturday, August 01, 2009 10:38 PM
>> To: Tyson Scott
>> Cc: [email protected]
>> Subject: Re: 2a HA Items
>>
>> I have worked with this quite a bit. I understand how it is supposed to
>> work and can get SNAT and stateful CBAC to work well independently of one
>> another. I labbed this up and had the same issues. Everything worked until
>> I got to 2.8. Then SNAT breaks.
>>
>> So I decided to revert and bring in the final configs on R1 and R6. The
>> error went away, but SNAT was broken worse than ever. I noticed that the
>> "ip inspect log drop-pkt" was not in the config (probably not a requirement,
>> but is quite handy). I put that in expecting to see the error. No error,
>> but no SNAT peers either. I decided to remove the ACL and INSPECT from
>> fa0/1.1256. Still no go. Then I noticed that the nat statement is
>> completely missing from the final config on R6. It is also missing in the
>> download from the download area.
>>
>> I added the nat statement and SNAT converged. I went back and merged the
>> rest of the config back in and all was still well. Then stateful CBAC
>> required 2 reboots of R6. At this point with "ip inspect log drop-pkt"
>> enabled, the errors return and stateful NAT is no longer converging.
>>
>> So I don't know if this is a bug or what. However, I'm not sure this lab
>> fully works when you bring 2.8 into the picture. As I mentioned earlier, I
>> do question the stateful ID number. It seems to work even with them both
>> being the same until you actually turn the inspections on in 2.8. However,
>> every book and document that I can find that has any detail says this is
>> used to determine which router created a nat entry and should be unique per
>> router. Basically it is an extra field in a NAT entry. I'm not sure how
>> that matters, unless it gives special rights to the router to delete those
>> translations.
>>
>> I guess I am curious if anyone has made certain that CBAC HA was
>> functioning correctly, then rechecked Stateful NAT to see that the child
>> entries were being created? Am I missing something?
>>
>> On Sat, Aug 1, 2009 at 9:50 AM, Paul Stewart <[email protected]> wrote:
>>
>> They are not propagated. However, they were even after the CBAC and the
>> INSPECT HA were configured. Once I rebooted, and a "show redundancy
>> inter-device" showed good, SNAT was no longer propagated.
>>
>> On Sat, Aug 1, 2009 at 9:38 AM, Tyson Scott <[email protected]> wrote:
>>
>> Sorry,
>>
>> Let me correct that. Did you check the Stateful NAT table to see if the
>> entries are properly propagated?
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
>> Sent: Friday, July 31, 2009 10:18 PM
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] 2a HA Items
>>
>> I get the following when I combine stateful CBAC and Stateful NAT. When I
>> enable Stateful NAT all is well. Stateful CBAC all is well, until you do
>> the reboot that is required to bring the redundancy scheme into sync. Then
>> it seems as though it breaks the stateful nat. Really in this case,
>> stateful nat is unnecessary, because it is all one to one. However, the
>> directions ask for stateful NAT, so I assume that we need to get it so the
>> child sessions can be created. I guess my question is what is the error
>> below trying to tell me?
>>
>> *Aug 1 03:11:57.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 12839
>> R6#
>> *Aug 1 03:12:27.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 13323
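As an added triage aid (not code from the thread or from IPexpert), the following Python parses the %FW-6-DROP_PKT lines R6 printed above and counts, per session tuple, how often the standby firewall reported dropping a packet "due to device running in HA standby mode". A flow that keeps showing up at the standby every 30 seconds, as in the thread, is worth checking against "show standby" and "show redundancy inter-device" before blaming SNAT. The sample log is constructed: the two lines from the thread re-joined onto single lines, the stray "R6#" prompt, and one extra line in the same format with a made-up ip ident.

```python
import re
from collections import Counter

# IOS firewall (CBAC) drop message in the form seen in the thread. The leading
# '*' on the timestamp is IOS's "clock not authoritative" marker, so it is optional.
FW_DROP_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)\s*$"
)

# Drop reason string exactly as R6 logged it in the thread.
STANDBY_REASON = "device running in HA standby mode"

# Constructed sample: the two lines from the thread (each re-joined onto one
# line), the "R6#" prompt that got mixed in, and one extra line in the same
# format (ip ident 13801 is made up for the example).
SAMPLE_LOG = """\
*Aug 1 03:11:57.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 12839
R6#
*Aug 1 03:12:27.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 13323
*Aug 1 03:12:57.213: %FW-6-DROP_PKT: Dropping udp session 9.9.156.11:15555 9.9.156.6:15555 due to device running in HA standby mode with ip ident 13801
"""


def parse_fw_drops(text):
    """Return one dict per %FW-6-DROP_PKT line; prompts and other noise are skipped."""
    drops = []
    for line in text.splitlines():
        m = FW_DROP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ident"] = int(d["ident"])
            drops.append(d)
    return drops


def standby_drops(drops):
    """Keep only drops whose stated reason is that this box is the HA standby.

    Each such line means a packet reached the standby's inspect path. While the
    redundancy pair is healthy that is normally not expected, so repeated hits
    are a hint (not proof) that the standby owns the virtual address or is
    otherwise in the forwarding path for that flow.
    """
    return [d for d in drops if d["reason"] == STANDBY_REASON]


def sessions_hitting_standby(drops):
    """Count standby-mode drops per (proto, src:port, dst:port) so a retrying
    flow shows up as one hot entry instead of many log lines."""
    counts = Counter()
    for d in standby_drops(drops):
        key = (d["proto"], f"{d['src']}:{d['sport']}", f"{d['dst']}:{d['dport']}")
        counts[key] += 1
    return counts


def repeated_sessions(drops, min_hits=2):
    """Sessions seen at the standby at least min_hits times: the ones to check
    against 'show standby' and 'show redundancy inter-device' first."""
    return {k: v for k, v in sessions_hitting_standby(drops).items() if v >= min_hits}


if __name__ == "__main__":
    drops = parse_fw_drops(SAMPLE_LOG)
    for key, n in repeated_sessions(drops).items():
        print(n, "standby-mode drops for", key)
```

The parser is deliberately strict about the message shape (it anchors on "%FW-6-DROP_PKT" and the "with ip ident" tail) so that unrelated firewall drop lines, which carry a different reason text, are not silently counted as HA symptoms.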
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
