[c-nsp] NAT timeout

Tuc at T-B-O-H ml at t-b-o-h.net
Fri Oct 3 16:52:18 EDT 2008 

We do something like that, except its linked to the syslog pattern....

event manager applet TRACKING_CHANGE 
 event syslog pattern "TRACKING-5-STATE"
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation forced"
 action 2.0 syslog msg "Change ocurred on NAT TRANS"
!

Works nice for the most part. Our VPNs get pissy for a bit, but oh well.

				Tuc/TBOH

> 
> Thank you, guys, =A0for sharing your knowledge. I will research about EEM a=
> pplet and will apply the solution. =
> 
> =A0
> alejandro wainshtok
> =A0
> 
> --- On Thu, 10/2/08, Rodney Dunn <rodunn at cisco.com> wrote:
> 
> From: Rodney Dunn <rodunn at cisco.com>
> Subject: Re: [c-nsp] NAT timeout
> To: "Alex Wa" <awain567 at yahoo.com>
> Cc: cisco-nsp at puck.nether.net
> Date: Thursday, October 2, 2008, 6:20 PM
> 
> The only solution is to hook an EEM applet to that IP SLA probe
> /track as a trigger and do "clear ip nat trans *" when the failover
> and recovery happens.
> 
> It's because of the way the translation is used in the forwarding path
> over the FIB table after the reconvergence.
> 
> Rodney
> 
> On Thu, Oct 02, 2008 at 02:26:04PM -0700, Alex Wa wrote:
> > Hi guys,
> > =A0
> > We have a router configured to work with 2 ISPs, one of them through a
> satelite link. This particular link is beeing monitored with a ip sla and t=
> rack
> commands. when this link fails the default route is deleted automatically f=
> orm
> the routing table, and the backup default route is then installed. We also =
> use
> automatic nat failover. The problem is that some inside servers that always=
>  go
> to the same destination IP/PORT get NATed in the moment the backup link is =
> up,
> and when the primary comes up they go to the internet with the source addre=
> ss
> equal=A0to the backup outside interface. this NAT "lease" stays for
> days beacuse this particular servers are doing icmp every 10 seconds. that
> causes asymetric routing, packets going out through one link and returning
> through the other. When we flush NAT translations everything returns to nor=
> mal,
> of course, but we don't want to have to do it manually.=A0the question is? =
> do
> we need to reduce NAT icmp timeout to less than
> >  10 seconds or there is another solution?. I can provide the config if you
> guys need it.
> > =A0
> > regards,
> > Alejandro wainshtok
> > =A0
> > =A0
> > =A0
> > =
> 
> > =
> 
> >       =
> 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> 
>       =
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list