NAT Timeout for Failover w/ Dual ISPs

Answered Question
Feb 4th, 2014

I have failover configured, tested, and verified using IP SLA, policy-based routing, and NAT failover as outlined in this guide:


http://docwiki.cisco.com/wiki/NAT_failover_with_DUAL_ISP_on_a_router_Configuration_Example


The problem is that it takes about 60 seconds for active NAT translations to time out.  Is there a recommended way to shorten this length of time other than changing the NAT timeout value globally?


Platform: 2921

IOS: 15.2(4) M4


Topology:


              ------------- ISP1 -------------
             |                                |
             | Int Gi0/1                      |
LAN -- WAN router                          Internet
             | Int Gi0/2                      |
             |                                |
              ------------- ISP2 -------------


Config:


! IP SLA probes: ping each ISP's next hop, sourced from the matching WAN address
ip sla 1
  icmp-echo 1.1.1.1 source-ip 1.1.1.2
  threshold 250
  timeout 900
  frequency 3
ip sla schedule 1 life forever start-time now
!
ip sla 2
  icmp-echo 2.2.2.1 source-ip 2.2.2.2
  threshold 250
  timeout 900
  frequency 3
ip sla schedule 2 life forever start-time now
!
! Track objects follow the reachability result of each probe
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
! PBR ACLs: exclude internal-to-internal traffic, policy-route everything else
ip access-list extended Default-Traffic-PBR
  deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  permit ip 192.168.0.0 0.0.255.255 any
!
ip access-list extended Media-Lab-PBR
  deny   ip 192.168.19.0 0.0.0.255 192.168.0.0 0.0.255.255
  permit ip 192.168.19.0 0.0.0.255 any
!
! Default traffic prefers ISP2, falls back to ISP1; next hops are only used
! while their track object is up (verify-availability keyword is required
! for the "sequence track" form of set ip next-hop)
route-map Default-Traffic-PBR permit 10
  match ip address Default-Traffic-PBR
  set ip next-hop verify-availability 2.2.2.1 10 track 2
  set ip next-hop verify-availability 1.1.1.1 20 track 1
!
! Media Lab traffic prefers ISP1, falls back to ISP2
route-map Media-Lab-PBR permit 10
  match ip address Media-Lab-PBR
  set ip next-hop verify-availability 1.1.1.1 10 track 1
  set ip next-hop verify-availability 2.2.2.1 20 track 2
!
ip local policy route-map Default-Traffic-PBR
!
interface GigabitEthernet0/0.16
  ip policy route-map Default-Traffic-PBR
!
interface GigabitEthernet0/0.19
  ip policy route-map Media-Lab-PBR
!
! NAT CONFIGURATION
!
ip access-list extended NAT_ACL
  deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  permit ip 192.168.0.0 0.0.255.255 any
!
! Each NAT route-map matches only traffic leaving via its own ISP interface,
! so the overload translation uses the address of the egress interface
route-map ISP1_NAT permit 10
  match ip address NAT_ACL
  match interface GigabitEthernet0/1
!
route-map ISP2_NAT permit 10
  match ip address NAT_ACL
  match interface GigabitEthernet0/2
!
ip nat inside source route-map ISP1_NAT interface GigabitEthernet0/1 overload
!
ip nat inside source route-map ISP2_NAT interface GigabitEthernet0/2 overload
!
end

Correct Answer by Vishesh Verma Tue, 02/04/2014 - 18:15

Hi,


You can use the following EEM script to help in your case.


!
event manager applet NAT-TRACK
 ! triggered by any TRACKING-5-STATE syslog message (track object state change)
 event syslog pattern "TRACKING-5-STATE"
 action 0.1 cli command "enable"
 ! give PBR a moment to switch to the surviving next hop before clearing
 action 0.2 wait 3
 action 0.3 cli command "clear ip nat translations *"
 action 0.4 syslog msg "NAT translation cleared after track state change"
!


Hope it helps...!!!

ualbdp2c1 Tue, 02/04/2014 - 20:40

Vishesh,


Many thanks for the reply.  I think this will work for us.  Just one follow-up question...  I'm assuming it's not advised to delete the translations for the connection that is still active.  For example, that translation table has entries for both ISP 1 and ISP 2.  ISP 1 goes down, so only delete translations where ISP 1 is the inside global address.


Do you agree?


Thanks again,


Brad

Vishesh Verma Wed, 02/05/2014 - 04:53

Brad,


Yes, you can use clear ip nat inside in the EEM to suit your requirement.


-Vishesh
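A variant of the applet above, added here as an example and not part of the thread: instead of matching every TRACKING-5-STATE syslog (which also fires on the Down->Up transition and on any other track object), it registers one applet per track object with an `event track ... state down` trigger, so translations are only flushed when an ISP actually fails. Track numbers and interface names follow the poster's configuration; the applet names and the 3-second settle time are assumptions.

```cisco
! Added example (not from the thread). Two applets, one per ISP, each
! bound to the Down transition of its own track object.
!
event manager applet ISP1-DOWN-CLEAR-NAT
 ! fires only when track 1 (IP SLA 1 -> ISP1 next hop 1.1.1.1) goes down
 event track 1 state down
 action 1.0 cli command "enable"
 ! assumed settle time: let PBR fall back to the surviving next hop first,
 ! so re-established flows are translated via the other ISP interface
 action 2.0 wait 3
 ! clears translations for BOTH ISPs; classic IOS NAT has no
 ! clear-by-interface option, so flows on the healthy ISP are cut as well
 action 3.0 cli command "clear ip nat translation *"
 action 4.0 syslog priority notifications msg "track 1 (ISP1, Gi0/1) down: NAT translations cleared"
!
event manager applet ISP2-DOWN-CLEAR-NAT
 ! fires only when track 2 (IP SLA 2 -> ISP2 next hop 2.2.2.1) goes down
 event track 2 state down
 action 1.0 cli command "enable"
 action 2.0 wait 3
 action 3.0 cli command "clear ip nat translation *"
 action 4.0 syslog priority notifications msg "track 2 (ISP2, Gi0/2) down: NAT translations cleared"
!
```

The trade-off raised in the follow-up still applies: `clear ip nat translation *` drops the healthy ISP's sessions too, so verify the behaviour in a maintenance window with `show track` and `show ip nat translations` before and after forcing a track down.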
