
Sunday, February 9, 2014

Is there a recommended way to shorten this length of time other than changing the NAT timeout value globally?


There is a failover configured, tested, and verified using IP SLA, policy-based routing, and NAT failover as outlined in the guide here.

The problem is that it takes about 60 seconds for active NAT translations to time out. Is there a recommended way to shorten this length of time other than changing the NAT timeout value globally?

Platform: 2921
IOS: 15.2(4) M4

Topology:

              ------------- ISP1 -------------
             |                                |
             | Int Gi0/1                      |
LAN -- WAN router                          Internet
             | Int Gi0/2                      |
             |                                |
              ------------- ISP2 -------------

Config:

ip sla 1
  icmp-echo 1.1.1.1 source-ip 1.1.1.2
  threshold 250
  timeout 900
  frequency 3
ip sla schedule 1 life forever start-time now
!
ip sla 2
  icmp-echo 2.2.2.1 source-ip 2.2.2.2
  threshold 250
  timeout 900
  frequency 3
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
ip access-list extended Default-Traffic-PBR
  deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  permit ip 192.168.0.0 0.0.255.255 any
!
ip access-list extended Media-Lab-PBR
  deny   ip 192.168.19.0 0.0.0.255 192.168.0.0 0.0.255.255
  permit ip 192.168.19.0 0.0.0.255 any
!
route-map Default-Traffic-PBR permit 10
  match ip address Default-Traffic-PBR
  set ip next-hop verify-availability 2.2.2.1 10 track 2
  set ip next-hop verify-availability 1.1.1.1 20 track 1
!
route-map Media-Lab-PBR permit 10
  match ip address Media-Lab-PBR
  set ip next-hop verify-availability 1.1.1.1 10 track 1
  set ip next-hop verify-availability 2.2.2.1 20 track 2
!
ip local policy route-map Default-Traffic-PBR
!
interface GigabitEthernet0/0.16
  ip policy route-map Default-Traffic-PBR
!
interface GigabitEthernet0/0.19
  ip policy route-map Media-Lab-PBR
!
! NAT CONFIGURATION
!
ip access-list extended NAT_ACL
  deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  permit ip 192.168.0.0 0.0.255.255 any
!
route-map ISP1_NAT permit 10
  match ip address NAT_ACL
  match interface GigabitEthernet0/1
!
route-map ISP2_NAT permit 10
  match ip address NAT_ACL
  match interface GigabitEthernet0/2
!
ip nat inside source route-map ISP1_NAT interface GigabitEthernet0/1 overload
!
ip nat inside source route-map ISP2_NAT interface GigabitEthernet0/2 overload
!
end

Try using the following EEM script to help in your case.

!
! Fire on any %TRACKING-5-STATE message (track object up or down),
! give PBR a few seconds to settle, then flush the dynamic NAT table
event manager applet NAT-TRACK
 event syslog pattern "TRACKING-5-STATE"
 action 0.1 cli command "enable"
 action 0.2 wait 3
 action 0.3 cli command "clear ip nat translation *"
 action 0.4 syslog msg "NAT translation cleared after track state change"
!
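A variation of the same idea, added here as an example and not taken from the original post: one applet per tracked ISP, keyed on the track object itself with the EEM track event detector instead of a syslog regex, so it cannot be triggered by unrelated TRACKING messages and can report which track flipped. `$_track_number` and `$_track_state` are the EEM built-in variables published by the track event detector; the 3-second settle delay is carried over from the posted script. Note that `clear ip nat translation *` drops every active session on both ISPs, including flows on the healthy path, so expect a brief, visible interruption on each transition.

```cisco
! Added example: per-track applets using the EEM track event detector
! (not part of the original post)
event manager applet NAT-TRACK-1
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 wait 3
 action 3.0 cli command "clear ip nat translation *"
 action 4.0 syslog msg "Track $_track_number is $_track_state: dynamic NAT translations cleared"
!
event manager applet NAT-TRACK-2
 event track 2 state any
 action 1.0 cli command "enable"
 action 2.0 wait 3
 action 3.0 cli command "clear ip nat translation *"
 action 4.0 syslog msg "Track $_track_number is $_track_state: dynamic NAT translations cleared"
!
```

Clearing on both the down and the up transition matters: on failback, the translations built while traffic was on the backup ISP are just as stale as the ones left behind by the failure.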

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.
