HSRP and NAT

Hi experts

May I have your opinion on the following matter?

Configuration

Two 2911 routers.

Doing HSRP on WAN and LAN side with 2 standby groups.

Doing static NAT to internal servers.

Added the redundancy keyword on the NAT statements.

Tracking the WAN side interface in the LAN side HSRP group and tracking the LAN side interface in the WAN side HSRP group.

All is working well but I discovered the following convergence time issues when HSRP fails over.

1. The HSRP active device has a TCP translation in the table.

2. The HSRP active does a failover (shut the interface).

3. The failover goes well, but the ip nat session table on the new active is updated with the TCP sessions about 30 s after the failover took place. Seen from debugs.

The new active device received the NAT session table update message from the old active after 30 sec or more.

My client wants the TCP session replication to take place in less than 15 s when an HSRP failover occurs.

I will post debug messages in a short time when I get back to work.

Is there a way to make it work in less than 15 s?

Also, what are the recommended ip nat translation timeout timers when doing HSRP and static NAT?

Thank you for your help.

 

Regards,

Tsubasa

Comments

  • Sounds to me like you need to run stateful NAT (SNAT) and play with the HSRP timers. SNAT will replicate the translation tables. Maybe someone can correct me if I am wrong, but I think the closest to sub-second convergence you can get is 15 msec hello and 50 msec hold in HSRP.


    R2 (192.168.1.3, SNAT id 2):

        interface FastEthernet1/0
         ip address 192.168.1.3 255.255.255.0
         ip nat inside
         ip virtual-reassembly
         duplex full
         speed 100
         standby 1 ip 192.168.1.1
         standby 1 timers msec 15 msec 50
         standby 1 preempt
         standby 1 name snat-1
        !
        ip nat stateful id 2
         redundancy snat-1
          mapping-id 1
          protocol udp
        !
        ip nat inside source list 1 interface FastEthernet0/0 overload
        !
        access-list 1 permit 192.168.1.0 0.0.0.255

        R2# show ip snat distributed

        Stateful NAT Connected Peers

        SNAT: Mode IP-REDUNDANCY :: STANDBY
            : State READY
            : Local Address 192.168.1.3
            : Local NAT id 2
            : Peer Address 192.168.1.2
            : Peer NAT id 1
            : Mapping List 1
        R2#

    R1 (192.168.1.2, SNAT id 1):

        interface FastEthernet1/0
         ip address 192.168.1.2 255.255.255.0
         ip nat inside
         ip virtual-reassembly
         duplex full
         speed 100
         standby 1 ip 192.168.1.1
         standby 1 timers msec 15 msec 50
         standby 1 priority 101
         standby 1 preempt
         standby 1 name snat-1
        !
        ip nat stateful id 1
         redundancy snat-1
          mapping-id 1
          protocol udp
        !
        ip nat inside source list 1 interface FastEthernet0/0 overload
        !
        access-list 1 permit 192.168.1.0 0.0.0.255

        R1# show ip snat distributed

        Stateful NAT Connected Peers

        SNAT: Mode IP-REDUNDANCY :: ACTIVE
            : State READY
            : Local Address 192.168.1.2
            : Local NAT id 1
            : Peer Address 192.168.1.3
            : Peer NAT id 2
            : Mapping List 1

    The SNAT id has to be unique amongst peers. The redundancy name must match the HSRP group name and the mapping-id has to be the same for both peers. So if you wanted to add a second group number just make a diff name and diff mapping-id...


  • Unfortunately Stateful IOS NAT is deprecated.

    According to the text of the announcement, this feature was deprecated on ASA only.

  • I have found the issue.

    The problem was my testing procedure. I simulated the HTTP connection using telnet to the HTTP port but I did not generate any traffic (requests). I repeated the tests using GET requests and the NAT session table was replicated almost instantly.

    I am posting the debug messages.

    The NAT replication trigger is the next segment (request) in the TCP session.

    Debug messages

    Telnet from the client:

        telnet 10.31.73.12 3099
        *Nov  7 03:52:17.071: TCBB2701B60 connected to 10.31.73.12.3099
        GET / HTTP/1.0
        GET / HTTP/1.0
        GET / HTTP/1.0

    New active (becomes active at 03:52:32 and 03:52:34):

        NATGW2#
        *Nov  7 03:52:32.700: %HSRP-5-STATECHANGE: Ethernet0/2 Grp 100 state Standby -> Active
        NATGW2#
        *Nov  7 03:52:32.701:  IP-ADDR: ipaddr_table_insert_w_tableid() 10.31.71.254, in global table on Ethernet0/2
        NATGW2#
        *Nov  7 03:52:34.657: %HSRP-5-STATECHANGE: Ethernet0/1 Grp 200 state Standby -> Active

    The new active listens for ARP requests for the HSRP IP:

        *Nov  7 03:52:34.658:  IP-ADDR: ipaddr_table_insert_w_tableid() 192.168.153.253, in global table on Ethernet0/1

    The NAT session is recreated on the new active:

        *Nov  7 03:52:34.745: NAT: API parameters passed: src_addr:10.31.71.3, src_port:0 dest_addr:10.31.73.12, dest_port:0, proto:6 if_input:Ethernet0/2 pak:B072F0A8 get_translated:1
        *Nov  7 03:52:34.745: ipnat_api_translated_address_and_port_common, out->in want IL,OL
        *Nov  7 03:52:34.745: NAT: API Translated-Info(1): (src-addr:10.31.71.3, src-port:0) (dest-addr:192.168.153.12, dest-port:0)
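Added example, not from the thread: a Python script that parses IOS debug lines in the format posted above and measures, per HSRP group, the delay from the Standby -> Active transition to the first NAT translation built on the new active, so a failover test can be checked against the 15 s target from the original post. The sample log is constructed from the posted output; the function and constant names are my own.

```python
"""Added example (not from the thread): measure, per HSRP group, how long after
the Standby -> Active transition the first NAT translation appeared on the new
active router, using the IOS timestamp format from the posted debug output."""
import re
from datetime import datetime

# Constructed sample, modelled on the debug lines posted in the thread.
SAMPLE_LOG = """\
*Nov  7 03:52:32.700: %HSRP-5-STATECHANGE: Ethernet0/2 Grp 100 state Standby -> Active
*Nov  7 03:52:32.701:  IP-ADDR: ipaddr_table_insert_w_tableid() 10.31.71.254, in global table on Ethernet0/2
*Nov  7 03:52:34.657: %HSRP-5-STATECHANGE: Ethernet0/1 Grp 200 state Standby -> Active
*Nov  7 03:52:34.745: NAT: API Translated-Info(1): (src-addr:10.31.71.3, src-port:0) (dest-addr:192.168.153.12, dest-port:0)
"""

# "*Nov  7 03:52:32.700: message" -> month, day, clock, message
TS_RE = re.compile(r"^\*?(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
HSRP_RE = re.compile(r"%HSRP-5-STATECHANGE: (\S+) Grp (\d+) state \S+ -> Active")
NAT_BUILT = "NAT: API Translated-Info"  # translation created on the new active


def parse_ts(month, day, clock):
    # IOS omits the year; a fixed year is fine for deltas within one log.
    return datetime.strptime(f"1900 {month} {day} {clock}", "%Y %b %d %H:%M:%S.%f")


def convergence_times(log_text, target_s=15.0):
    """Return {group: (interface, seconds to first NAT entry or None, meets target)}."""
    active_at, nat_times = {}, []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # prompts and continuation lines carry no timestamp
        ts, msg = parse_ts(*m.group(1, 2, 3)), m.group(4)
        h = HSRP_RE.search(msg)
        if h:
            active_at[int(h.group(2))] = (h.group(1), ts)
        elif msg.lstrip().startswith(NAT_BUILT):
            nat_times.append(ts)
    result = {}
    for grp, (ifname, went_active) in active_at.items():
        # Only translations built after this group's transition count for it.
        later = [t for t in nat_times if t >= went_active]
        if not later:
            result[grp] = (ifname, None, False)  # nothing replicated yet
            continue
        delay = (min(later) - went_active).total_seconds()
        result[grp] = (ifname, delay, delay <= target_s)
    return result
```

Run against a full `debug ip nat` capture taken during a planned failover, a group that returns `None` is one whose translations were never rebuilt on the new active, which is exactly the idle-telnet case described above.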
