[c-nsp] NAT timeout

Alex Wa awain567 at yahoo.com
Fri Oct 3 12:07:38 EDT 2008


Thank you, guys, for sharing your knowledge. I will research the EEM applet and will apply the solution.
 
alejandro wainshtok
 

--- On Thu, 10/2/08, Rodney Dunn <rodunn at cisco.com> wrote:

From: Rodney Dunn <rodunn at cisco.com>
Subject: Re: [c-nsp] NAT timeout
To: "Alex Wa" <awain567 at yahoo.com>
Cc: cisco-nsp at puck.nether.net
Date: Thursday, October 2, 2008, 6:20 PM

The only solution is to hook an EEM applet to that IP SLA probe
/track as a trigger and do "clear ip nat trans *" when the failover
and recovery happens.

It's because of the way the translation is used in the forwarding path
over the FIB table after the reconvergence.

Rodney

On Thu, Oct 02, 2008 at 02:26:04PM -0700, Alex Wa wrote:
> Hi guys,
>
> We have a router configured to work with 2 ISPs, one of them through a
> satellite link. This particular link is being monitored with IP SLA and track
> commands. When this link fails the default route is deleted automatically from
> the routing table, and the backup default route is then installed. We also use
> automatic NAT failover. The problem is that some inside servers that always go
> to the same destination IP/port get NATed in the moment the backup link is up,
> and when the primary comes up they go to the internet with the source address
> equal to the backup outside interface. This NAT "lease" stays for
> days because these particular servers are doing ICMP every 10 seconds. That
> causes asymmetric routing, packets going out through one link and returning
> through the other. When we flush NAT translations everything returns to normal,
> of course, but we don't want to have to do it manually. The question is: do
> we need to reduce the NAT ICMP timeout to less than
> 10 seconds, or is there another solution? I can provide the config if you
> guys need it.
>
> regards,
> Alejandro wainshtok
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
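As an added illustration of the EEM approach Rodney describes (not configuration from the original thread), the following IOS fragment ties a track object to the IP SLA probe and flushes the NAT table whenever that object changes state. Object numbers, interface names and the 192.0.2.x/198.51.100.x next hops are assumed placeholders; the `track ... ip sla` form is for 12.4(20)T and later, older images use `track ... rtr`.

```cisco
! Assumed: IP SLA 10 probes the satellite ISP's next hop every 10 seconds
ip sla 10
 icmp-echo 192.0.2.1 source-interface Serial0/0
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Track object 10 follows the probe result (up = reachable, down = unreachable)
track 10 ip sla 10 reachability
!
! Primary default route is withdrawn when track 10 goes down,
! the floating static (AD 250) to the backup ISP then takes over
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! EEM applet: fire on any state change of track 10 (failover and recovery),
! log it, then clear every NAT translation so new flows are re-translated
! against the outside interface that is now in the forwarding path
event manager applet NAT-FLUSH-ON-TRACK
 event track 10 state any
 action 1.0 syslog msg "Track 10 changed state: clearing all NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
```

Clearing all translations resets every active NAT session, so keep the trigger on the track state change only; the syslog line gives a record of each flush to correlate with the link flaps.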


