ip sla for application failover

Unanswered Question
Apr 16th, 2008
User Badges:

I am trying to implement ip sla to monitor a CSS VIP in Site A. If that VIP goes down I would like the traffic to go to another route. I also tag that traffic with precedence. During the failure the tagged traffic should have the destination IP NAT'd to a private IP for our Disaster Recovery CSS setup. The main issue I have is that the icmpEcho are getting NAT'd even though I built a route map and NAT command that should only NAT tagged traffic. I do not see hits on my route map, but when I debug nat I see the icmpEcho getting NAT'd. This issue causes a ping to come in correctly for IP SLA and then the traffic starts to flap. I tried to block icmpecho from the failover router, but then my weighed route never leaves the initial router and hence never returns the traffic back to the production site when it comes back up. Please let me know if you have seen the icmpecho get NAT'd and how you got around that issue.

Thank you,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mheusing Wed, 04/16/2008 - 22:31
User Badges:
  • Cisco Employee,


May we have a look at your configuration of the IP SLA and especially the NAT features?

Please also provide info about your hardware and your IOS version.

Thank you in advance.

Regards, Martin

sasaunde1 Thu, 04/17/2008 - 08:20
User Badges:

I have added 2 attachments, my customer facing vpn router (it has ip sla and tagging on it). The second one is internal vpn router and it does the natting. I added the debug nat on it to show the icmpEcho getting natted.

I am pinging host at a local site via 1 route getting tracked by 198. When the sla fails the traffic goes to the internal router via the weighed 250 route. That router looks for tagged traffic and nat's it to the private IP address.

When we 1st turn up our lab the ip sla stays in timeout, but as soon as we perform the failure the icmpEchos continue to get natted and flap the sla routes. We have attempted to deny icmpEcho in a route map to deny that traffic from being natted, but it still does. We can see it from the debug nat.

Any info would be greatly appreciated.



This Discussion