[c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
Joe Maimon
jmaimon at ttec.com
Sun Jan 24 15:43:16 EST 2010
Ivan Pepelnjak wrote:
> Obviously the router does NOT check the "ip nat" rules if it gets a match in the NAT translation table. This behavior makes sense; if you'd change the NAT parameters of a live session, you'd lose the session anyway.
The problem is that the session stays active. I want the session to be
lost. I believe the rules should be adhered to a bit more strictly.
If the current matching nat statement would result in a different value
for the inside global address, then a new translation should be called for.
It isn't actually all that hard to check for, conceptually.
(What would you expect to happen when the DHCP client address changes on
the egress interface? Or if you change the ip address on an interface
referenced by the ip nat statement?)
Apparently, the end stations don't change the source port for new
attempts. So as far as the router is concerned, unless those voip
handsets are off the network beyond udp session timeout, they will never
reconnect through the new egress.
This behavior has very disruptive end user symptoms.
>
> Ivan Pepelnjak
> blog.ioshints.info / www.ioshints.info
>