Redundant ISPs with VRFs and NAT failover

2044418Puts
Level 1

Hi,

I'm testing a setup where one customer has two ISPs. Every ISP and the customer have their own VRFs. ISP failover works fine with the configured weights, so traffic routing is OK. When I check the routing table of the CUSTOMER VRF, the default route points towards the ISP VRF, and when the ISP VRF fails (here simulated by shutting down FastE1/0) the default route changes towards the ISP_B VRF. So that piece works fine.

But the problem here is the NAT rules. I'm using the NVI interface with the "ip nat enable" command, because it SHOULD make natting decisions AFTER routing decisions, but unfortunately this goes wrong somewhere. As soon as the default route of ISP_B enters the CUSTOMER VRF (so failover takes place), natting fails. When I take a look at the "show ip nat nvi translations vrf CUSTOMER verbose" output, I see the "left" timer reset to 00:00:60 each time a ping is sent from the PC in the CUSTOMER VRF. So it refuses to translate to the ISP_B VRF even though the default route is pointing to the ISP_B VRF after failover.

R4#show ip nat nvi translations vrf CUSTOMER verbose
Pro Source global      Source local       Destin  local      Destin  global
icmp 10.128.91.1:512   192.168.10.10:512  8.8.8.8:512        8.8.8.8:512
    create 00:01:51, use 00:00:00 timeout:60000, left 00:00:59,
    flags:
extended, nvi-entry, use_count: 0, src_VRF: CUSTOMER, dst_VRF: ISP, entry-id: 23, lc_entries: 0

Could anyone please check this out with me? Thanks!

Here is my config:

Building configuration...

Current configuration : 3107 bytes
!
! Last configuration change at 22:06:56 UTC Sat Feb 16 2013
upgrade fpd auto
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip source-route
ip cef
!
!
!
ip vrf ISP
rd 1:1
route-target export 1:1
route-target import 1:1
!
ip vrf ISP_B
rd 1:2
route-target export 1:2
route-target import 1:2
!
ip vrf CUSTOMER
rd 1:10
import map CUSTOMERVRF_IMPORT_RM
route-target export 1:10
route-target import 1:10
route-target import 1:1
route-target import 1:2
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface Loopback1
ip vrf forwarding CUSTOMER
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
no ip address
duplex half
!
interface FastEthernet1/0
description PRIMARY ISP
ip vrf forwarding ISP
ip address 10.128.91.1 255.255.255.0
ip nat enable
duplex auto
speed auto
!
interface FastEthernet1/1
description SECONDARY ISP
ip vrf forwarding ISP_B
ip address 10.128.92.1 255.255.255.0
ip nat enable
duplex auto
speed auto
!
interface FastEthernet2/0
ip vrf forwarding CUSTOMER
ip address 192.168.10.254 255.255.255.0
ip nat enable
duplex auto
speed auto
!
interface FastEthernet2/1
no ip address
shutdown
duplex auto
speed auto
!
router bgp 65000
bgp router-id 2.2.2.2
bgp log-neighbor-changes
!
address-family ipv4 vrf ISP
  redistribute static
  default-information originate
exit-address-family
!
address-family ipv4 vrf ISP_B
  redistribute static
  default-information originate
exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip extcommunity-list standard ISP_B_CL permit rt 1:2
ip extcommunity-list standard ISP_CL permit rt 1:1
!
ip nat source route-map NAT_B_RM interface FastEthernet1/1 vrf CUSTOMER overload
ip nat source route-map NAT_RM interface FastEthernet1/0 vrf CUSTOMER overload
ip route vrf ISP 0.0.0.0 0.0.0.0 10.128.91.254
ip route vrf ISP_B 0.0.0.0 0.0.0.0 10.128.92.254
!
ip access-list standard NAT_ACL
permit 10.0.0.0 0.255.255.255
permit 172.16.0.0 0.15.255.255
permit 192.168.0.0 0.0.255.255
!
ip access-list extended NAT_B_ACL
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
!
!
!
!
!
route-map NAT_B_RM permit 10
match ip address NAT_ACL
!
route-map NAT_RM permit 10
match ip address NAT_ACL
!
route-map CUSTOMERVRF_IMPORT_RM permit 10
match extcommunity ISP_CL
set weight 100
!
route-map CUSTOMERVRF_IMPORT_RM permit 20
match extcommunity ISP_B_CL
set weight 50
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
transport input all
!
end


6 Replies

Reza Sharifi
Hall of Fame

Hi,

Looking at your ACL config below, you are first denying all the IP subnets and then permitting them. Can you switch them around and put the permit first and then the deny? Or, for test purposes, can you just delete the deny statements and test again?

ip access-list extended NAT_B_ACL
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any

HTH

I agree with Reza. The ACL realignment should solve the issue.

Thanks for your reply. This ACL is not in use at the moment. If you take a look at the route-map statements, both route-maps use the NAT_ACL. Sorry for not taking it out, I must have overlooked that one myself.

By the way, I only use the NAT_B_ACL when doing inside and outside natting. This ACL is a general ACL which answers the question of "What traffic would I normally NAT?". Traffic with a private destination address should never be translated, traffic with a private source address should always be translated, but only if its destination address is not a private address.

Thanks!
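As an added example (not from the thread), the first-match evaluation IOS applies to NAT_B_ACL exactly as posted above, showing which flows the deny-before-permit order selects for translation and what changes if the permits are moved ahead of the denies; the reordered ACL is a constructed variant.

```python
import ipaddress

# NAT_B_ACL exactly as posted in the thread. IOS evaluates an ACL top-down and
# the first matching entry wins; anything unmatched hits the implicit deny.
NAT_B_ACL = """
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
"""

# Same entries with the permits moved ahead of the denies (constructed variant).
NAT_B_ACL_PERMIT_FIRST = "\n".join(reversed(NAT_B_ACL.strip().splitlines()))

def _addr_spec(tokens):
    """Consume 'any' or '<address> <wildcard>'; return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return base, wildcard, tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src, src_wc, dst, dst_wc)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        src, src_wc, rest = _addr_spec(tokens[2:])   # tokens[1] is the protocol ('ip')
        dst, dst_wc, _ = _addr_spec(rest)
        entries.append((tokens[0], src, src_wc, dst, dst_wc))
    return entries

def _matches(addr, base, wildcard):
    # A wildcard bit of 1 means "don't care", so compare only the bits where it is 0.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_action(entries, src, dst):
    """Action of the first matching entry, or the implicit 'deny' at the end."""
    for action, s, s_wc, d, d_wc in entries:
        if _matches(src, s, s_wc) and _matches(dst, d, d_wc):
            return action
    return "deny"

def would_nat(src, dst, acl_text=NAT_B_ACL):
    """True if a packet src -> dst would be selected for translation by this ACL."""
    return acl_action(parse_acl(acl_text), src, dst) == "permit"
```

With the posted order, private-to-internet traffic is translated and private-to-private traffic is not; with the permits first, private-to-private traffic would also be translated.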

Abzal
Level 7

Hi,

Try to change your NAT route-maps with extended matching criteria:

route-map NAT_B_RM permit 10
match ip address NAT_ACL
match interface f1/1
!
route-map NAT_RM permit 10
match ip add NAT_ACL
match interface f1/0


Sent from Cisco Technical Support Android App

Best regards,
Abzal

You just typed this here while I was typing my comment below!

Thanks anyways!

2044418Puts
Level 1

I figured it out...

route-map NAT_B_RM permit 10
match ip address NAT_ACL
match interface FastEthernet1/1
!
route-map NAT_RM permit 10
match ip address NAT_ACL
match interface FastEthernet1/0

The match interface commands were missing. And there is another error... As you can see in my example I was testing this with ICMP (see the first translation), but my guess here is that because ICMP is not session based, as long as the ICMP translation is there it will fail. And it keeps failing because every time a ping is sent from the client the "left" timer resets to 60 seconds, so when running a continuous ping this timer keeps resetting and this entry will never time out. As soon as I clear the translations manually, the pings also start working. Odd... or maybe working as designed. Any ideas?

UDP and TCP fail over just fine, not stateful of course, but new sessions are built using the backup interface.
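An added Python check (not from the thread) that parses the "show ip nat nvi translations ... verbose" output quoted at the top of the thread and lists the entries whose dst_VRF no longer matches the VRF that currently owns the CUSTOMER default route; these are the translations that keep being refreshed and have to be cleared by hand. The icmp entry is the one from the original post, the tcp entry is constructed.

```python
import re

# 'show ip nat nvi translations vrf CUSTOMER verbose' as pasted in the thread (the
# icmp entry), plus one constructed tcp entry created after failover to ISP_B.
SHOW_OUTPUT = """\
Pro Source global      Source local       Destin  local      Destin  global
icmp 10.128.91.1:512   192.168.10.10:512  8.8.8.8:512        8.8.8.8:512
    create 00:01:51, use 00:00:00 timeout:60000, left 00:00:59,
    flags:
extended, nvi-entry, use_count: 0, src_VRF: CUSTOMER, dst_VRF: ISP, entry-id: 23, lc_entries: 0
tcp 10.128.92.1:1024   192.168.10.10:49152 8.8.8.8:443       8.8.8.8:443
    create 00:00:10, use 00:00:01 timeout:86400000, left 23:59:59,
    flags:
extended, nvi-entry, use_count: 0, src_VRF: CUSTOMER, dst_VRF: ISP_B, entry-id: 24, lc_entries: 0
"""

PROTOCOLS = {"icmp", "tcp", "udp"}
# First line of each entry: proto, source global, source local, dest local, dest global
ENTRY_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
LEFT_RE = re.compile(r"left (\d+):(\d+):(\d+)")
VRF_RE = re.compile(r"src_VRF: (\S+), dst_VRF: (\S+), entry-id: (\d+)")

def parse_nvi_translations(text):
    """Return one dict per translation with the fields relevant to VRF failover."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(1) in PROTOCOLS:
            proto, src_global, src_local, dst_local, _ = m.groups()
            entries.append({"proto": proto, "inside_local": src_local,
                            "inside_global": src_global, "outside": dst_local})
            continue
        if not entries:          # column header, nothing to attach to yet
            continue
        m = LEFT_RE.search(line)
        if m:                    # 'left' timer; every matching packet resets it
            h, mi, s = (int(x) for x in m.groups())
            entries[-1]["left_seconds"] = h * 3600 + mi * 60 + s
        m = VRF_RE.search(line)
        if m:
            entries[-1]["src_vrf"], entries[-1]["dst_vrf"] = m.group(1), m.group(2)
            entries[-1]["entry_id"] = int(m.group(3))
    return entries

def stale_translations(text, active_vrf):
    """Entries still bound to a dst_VRF other than the one now holding the default
    route. Live traffic keeps refreshing them, so they never age out by themselves
    and have to be cleared before the flow can re-bind to the new egress VRF."""
    return [t for t in parse_nvi_translations(text) if t.get("dst_vrf") != active_vrf]
```

After failover to ISP_B the check flags entry-id 23 (dst_VRF ISP) while the tcp entry already bound to ISP_B passes.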
