[c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
Joe Maimon
jmaimon at ttec.com
Sun Jan 24 13:25:49 EST 2010
Thanks for the response.
The nat is inside nat of course.
After the routing and egress changes, the router should be well aware
that continued traffic no longer matches the
ip nat inside source route-map ISPA Di1 overload
and now matches the
ip nat inside source route-map ISPB Di2 overload
for a simplistic example.
So the old translations are no longer valid with the new egress. They
should be abandoned and new ones created.
However, the router continues to send the traffic out the new interface
with the nat session and translation setup when the egress was the old
interface.
New sessions work just fine.
This isn't a problem for web browsing and possibly not for most other TCP
sessions. "Stateless" sessions such as UDP and ICMP seem to be most
problematic.
And I would be quite happy clearing just the translations for the
"wrong" global for all local inside translations, but syntax does not
seem to allow that.
clear ip nat inside a.b.c.d * would be quite nice.
Ivan Pepelnjak wrote:
> Whenever the NAT outside IP address changes, the session has to be killed and restarted as the NAT device cannot signal to the remote end that the outside source IP address has changed.
>
> EEM & "clear ip nat trans *" is probably the cleanest method. You might want to get more specific and use "clear ip nat translation outside <address>" to kill only the NAT translations tied to the failed IP address.
>
> Ivan Pepelnjak
> blog.ioshints.info / www.ioshints.info
>
>> -----Original Message-----
>> From: Joe Maimon [mailto:jmaimon at ttec.com]
>> Sent: Sunday, January 24, 2010 5:06 PM
>> To: cisco-nsp
>> Subject: [c-nsp] CPE with tracking redundancy and long lived (UDP) nat
>> sessions
>>
>> Hey All,
>>
>> So as is commonly talked about, I have seen a number of end user sites
>> with simple redundancy service using IOS routers.
>>
>> Multiple lines, could be the same provider, could be different
>> providers, no dynamic routing, different source addresses, uRPF/SAV at
>> the provider(s) is to be presumed. CBAC IOS firewall is also in place.
>>
>> All this with event object tracking with policy routing and nat based on
>> egress works just fine EXCEPT.
>>
>> Long lived NAT sessions, especially the UDP ones don't seem to become
>> inactive when the egress changes.
>>
>> So the VOIP handsets are out of service after either a failover or
>> failback. Obviously this is the visible problem symptom.
>>
>> I have seen this for ICMP as well for continuous pings.
>>
>> I have in place the workaround of using EEM with clear ip nat trans *
>>
>> Is there some better way to approach it, other than using dynamic
>> routing and routable addresses to eliminate NAT?
>>
>> c1700-adventerprisek9-mz.124-25b.bin
>>
>> Thanks in advance. Any and all feedback is most welcome.
>>
>> Best,
>>
>> Joe
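As an added example (not from the thread or either poster), this is the tracking plus EEM workaround discussed above written out as one IOS configuration: egress-based NAT selected by route-map, an object track that follows an IP SLA probe, and an applet that flushes translations on every state change using the unconditional "clear ip nat translation *" the original post mentions. The SLA target, track number, dialer interfaces and applet name are assumptions.

```cisco
! --- Reachability probe for ISP A (target address is a constructed example)
ip sla 1
 icmp-echo 203.0.113.1 source-interface Dialer1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Older 12.4 mainline images spell this "track 10 rtr 1 reachability"
track 10 ip sla 1 reachability
 delay down 5 up 15
!
! --- NAT is chosen by egress interface, as described in the thread
route-map ISPA permit 10
 match interface Dialer1
route-map ISPB permit 10
 match interface Dialer2
!
ip nat inside source route-map ISPA interface Dialer1 overload
ip nat inside source route-map ISPB interface Dialer2 overload
!
! --- Flush stale translations on failover AND failback ("state any"),
!     so long-lived UDP/ICMP sessions are rebuilt against the new egress
event manager applet NAT-FLUSH-ON-EGRESS-CHANGE
 event track 10 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "Track 10 changed state; NAT translations cleared"
```

The syslog action gives a searchable record of each flush, which is useful when correlating VoIP outages with failover events.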