[c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions

Ivan Pepelnjak ip at ioshints.info
Sun Jan 24 12:23:12 EST 2010


Whenever the NAT outside IP address changes, the session has to be killed and restarted as the NAT device cannot signal to the remote end that the outside source IP address has changed.

EEM & "clear ip nat trans *" is probably the cleanest method. You might want to get more specific and use "clear ip nat translation outside <address>" to kill only the NAT translations tied to the failed IP address.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

> -----Original Message-----
> From: Joe Maimon [mailto:jmaimon at ttec.com]
> Sent: Sunday, January 24, 2010 5:06 PM
> To: cisco-nsp
> Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat
> sessions
> 
> Hey All,
> 
> So as is commonly talked about, I have seen a number of end user sites
> with simple redundancy service using IOS routers.
> 
> Multiple lines, could be the same provider, could be different
> providers, no dynamic routing, different source addresses, uRPF/SAV at
> the provider(s) is to be presumed. CBAC IOS firewall is also in place.
> 
> All this with event object tracking with policy routing and nat based on
> egress works just fine EXCEPT.
> 
> Long lived NAT sessions, especially the UDP ones don't seem to become
> inactive when the egress changes.
> 
> So the VOIP handsets are out of service after either a failover or
> failback. Obviously this is the visible problem symptom.
> 
> I have seen this for ICMP as well for continuous pings.
> 
> I have in place the workaround of using EEM with clear ip nat trans *
> 
> Is there some better way to approach it, other than using dynamic
> routing and routable addresses to eliminate NAT?
> 
> c1700-adventerprisek9-mz.124-25b.bin
> 
> Thanks in advance. Any and all feedback is most welcome.
> 
> Best,
> 
> Joe
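
An added example of the EEM approach the reply describes, not configuration from either poster: an applet bound to the track object that already drives the failover, clearing the NAT table whenever the tracked state changes in either direction so that long-lived UDP flows (the VoIP registrations) are rebuilt through the new egress. The track object number, the IP SLA probe, the 192.0.2.1 target and the applet name are assumed.

```ios
! Assumed: track 1 is the object already used for the policy-routing and
! NAT egress decision. The probe target 192.0.2.1 is a constructed
! placeholder for a host reachable only via the primary line.
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 5 up 10
!
! Fire on ANY state change: failover (down) and failback (up) both move
! the egress, and a stale translation on either transition strands the
! handsets until it times out on its own.
event manager applet NAT-EGRESS-CHANGE
 event track 1 state any
 action 1.0 syslog msg "track 1 changed state; clearing NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
```

The syslog line gives a timestamped record of every forced clear, which makes it easy to confirm from the logs that a VoIP outage lines up with an egress change rather than some other cause.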
