Thanks for the response.

The nat is inside nat of course.

After the routing and egress changes, the router should be well aware that continued traffic no longer matches the

ip nat inside source route-map ISPA Di1 overload

and now matches the

ip nat inside source route-map ISPB Di2 overload

for a simplistic example.

So the old translations are no longer valid with the new egress. They should be abandoned and new ones created.

However, the router continues to send the traffic out the new interface with the nat session and translation setup when the egress was the old interface.

New sessions work just fine.

This isn't a problem for web browsing and possibly not for most other TCP sessions. "Stateless" sessions such as UDP and ICMP seem to be most problematic.

And I would be quite happy clearing just the translations for the "wrong" global for all local inside translations, but syntax does not seem to allow that.

clear ip nat inside a.b.c.d * would be quite nice.


Ivan Pepelnjak wrote:
Whenever the NAT outside IP address changes, the session has to be killed and 
restarted as the NAT device cannot signal to the remote end that the outside 
source IP address has changed.

EEM & "clear ip nat trans *" is probably the cleanest method. You might want to get more 
specific and use "clear ip nat translation outside <address>" to kill only the NAT 
translations tied to the failed IP address.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

-----Original Message-----
From: Joe Maimon [mailto:jmai...@ttec.com]
Sent: Sunday, January 24, 2010 5:06 PM
To: cisco-nsp
Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions

Hey All,

So as is commonly talked about, I have seen a number of end user sites
with simple redundancy service using IOS routers.

Multiple lines, could be the same provider, could be different
providers, no dynamic routing, different source addresses, uRPF/SAV at
the provider(s) is to be presumed. CBAC IOS firewall is also in place.

All this with event object tracking with policy routing and nat based on
egress works just fine EXCEPT.

Long lived NAT sessions, especially the UDP ones, don't seem to become
inactive when the egress changes.

So the VOIP handsets are out of service after either a failover or
failback. Obviously this is the visible problem symptom.

I have seen this for ICMP as well for continuous pings.

I have in place the workaround of using EEM with clear ip nat trans *

Is there some better way to approach it, other than using dynamic
routing and routable addresses to eliminate NAT?

c1700-adventerprisek9-mz.124-25b.bin

Thanks in advance. Any and all feedback is most welcome.

Best,

Joe
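The setup the thread describes (object tracking, a floating default route, NAT selected by egress interface, and an EEM applet that flushes translations when the track flips) as one added configuration example. This is not the original poster's or the list's configuration; the route-map names ISPA/ISPB and the Dialer1/Dialer2 interfaces are taken from the thread, while the track number, access list, inside subnet and the line-protocol tracking method are assumptions for illustration.

```cisco
! Assumed: ISP A on Dialer1, ISP B on Dialer2. Track 10 follows the
! line protocol of Dialer1 (an IP SLA reachability track works the same way).
track 10 interface Dialer1 line-protocol
!
! Preferred default route via ISP A is withdrawn when track 10 goes down;
! the floating static (AD 10) via ISP B then takes over.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 10
ip route 0.0.0.0 0.0.0.0 Dialer2 10
!
! Assumed inside subnet that is eligible for translation.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! NAT pool choice keyed on the egress interface, as in the thread.
route-map ISPA permit 10
 match ip address 101
 match interface Dialer1
route-map ISPB permit 10
 match ip address 101
 match interface Dialer2
!
ip nat inside source route-map ISPA interface Dialer1 overload
ip nat inside source route-map ISPB interface Dialer2 overload
!
interface Vlan1
 ip nat inside
interface Dialer1
 ip nat outside
interface Dialer2
 ip nat outside
!
! The workaround from the thread: on any state change of track 10 (failover
! or failback), flush all translations so long-lived UDP/ICMP flows that are
! still pinned to the old inside-global address get re-created via the new
! egress. Logged to syslog so the event is visible after the fact.
event manager applet NAT-FLUSH-ON-TRACK-CHANGE
 event track 10 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 10 changed state; all NAT translations cleared"
```

The applet uses the broad `clear ip nat translation *` form because, as Joe notes above, IOS does not accept a per-address wildcard such as `clear ip nat inside a.b.c.d *`; the cost is that every translation, including healthy TCP sessions, is dropped on each state change, so the syslog line is worth keeping to correlate user-visible session resets with failover events.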
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/