HSRP and NAT

Tsubasa

Hi experts

May I have your opinion on the following matter?

 

Configuration

 

Two 2911 routers.

Doing HSRP on Wan and LAN side with 2 standby groups.

Doing static nat to internal servers.

Added redundacy keyword on the nat statements .

Tracking wan side interface in LAN side hsrp group and tracking

LAN side interface in WAN side hsrp group.

 

All is working well but I discovered the following convergence time

Issues when hsrp failover.

 

1. Hsrp active device has a tcp translation in the table.

 

2. Hsrp active does a failover (shut the interface).

 

3. The failover goes well but the ip nat session table on the new active is updated with the tcp sessions after about 30s after the failover took place.

Seen from debugs.

 

The new active device received  the nat session table  update  message from the old active after 30 sec or more.

 

 

My client wants the tcp session replication to take  place in less than 15s when a hsrp failover.

 

I will post debug messages in a short time when I get back to work.

 

 

 

Is there a way to make it work in less than 15s?

Also , what are the recommended ip nat translation timeout timers when doing hsrp and static nat .

 

 

Thank you for your help.

 

Regards,

Tsubasa

jsprang

Sounds to me like you need to run statful NAT (SNAT) and play with the HSRP timers.  SNAT will replicate the translation tables.  Maybe someone can correct me if I am wrong, but I think the closest to sub-second convergence you can get is 15 msec hello and 50 msec hold in HSRP. 

R1:

interface FastEthernet1/0

 ip address 192.168.1.3 255.255.255.0

 ip nat inside

 ip virtual-reassembly

 duplex full

 speed 100

 standby 1 ip 192.168.1.1

 standby 1 timers msec 15 msec 50

 standby 1 preempt

 standby 1 name snat-1

ip nat Stateful id 2

  redundancy snat-1

   mapping-id 1

   protocol   udp

ip nat inside source list 1 interface FastEthernet0/0 overload

!

access-list 1 permit 192.168.1.0

 

R2# show ip snat distributed 

 

Stateful NAT Connected Peers

 

SNAT: Mode IP-REDUNDANCY :: STANDBY

    : State READY

    : Local Address 192.168.1.3

    : Local NAT id 2

    : Peer Address 192.168.1.2

    : Peer NAT id 1

    : Mapping List 1 

R2#

interface FastEthernet1/0

 ip address 192.168.1.2 255.255.255.0

 ip nat inside

 ip virtual-reassembly

 duplex full

 speed 100

 standby 0 timers msec 15 msec 50

 standby 1 ip 192.168.1.1

 standby 1 priority 101

 standby 1 preempt

 standby 1 name snat-1

ip nat Stateful id 1

  redundancy snat-1

   mapping-id 1

   protocol   udp

ip nat inside source list 1 interface FastEthernet0/0 overload

!

access-list 1 permit 192.168.1.0 0.0.0.255

R1#show ip snat distributed 

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: ACTIVE

    : State READY

    : Local Address 192.168.1.2

    : Local NAT id 1

    : Peer Address 192.168.1.3

    : Peer NAT id 2

    : Mapping List 1 

snat id has to be unique amounst peers.  The redundancy name must match the HSRP group name and the mapping-id has to be the same for both peers.  So if you wanted to add a second group number just make a diff name and diff mapping-id...

Tsubasa

Hi jsprang

Thanks for helping.

 

Unfortunately Stateful IOS NAT is deprecated.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/end_of_life_notice_c51-611706.html

 

Thanks

 

pchel

Unfortunately Stateful IOS NAT is deprecated.

 

Accordingly to text of announce this feature was deprecated on ASA only.

Tsubasa

I have found the issue.

The problem was my testing procedure. I simulated the http connection using telnet to http port but I did not generate any traffic(requests). I repeated the tests using GET requests and the nat session table was replicated almost instant.

I post the debug messages.

The NAT replication trigger is the next segment, request in the tcp session.

Debug messages

Telnet from client

<span style="font-family: Verdana, Arial, Helvetica, sans-serif;">telnet 10.31.73.12 3099 
*Nov  7 03:52:17.071: TCBB2701B60 connected to 10.31.73.12.3099
GET / HTTP/1.0
GET / HTTP/1.0
GET / HTTP/1.0
</span>

New active

Becomes Active at 03:52:32,34

<span style="font-family: Verdana, Arial, Helvetica, sans-serif;">NATGW2#
*Nov  7 03:52:32.700: %HSRP-5-STATECHANGE: Ethernet0/2 Grp 100 state Standby -> Active
NATGW2#
*Nov  7 03:52:32.701:  IP-ADDR: ipaddr_table_insert_w_tableid() 10.31.71.254, in global table on Ethernet0/2
NATGW2#
*Nov  7 03:52:34.657: %HSRP-5-STATECHANGE: Ethernet0/1 Grp 200 state Standby -> Active
</span>

new Active listens for ARP requests for the HSRP IP

<span style="font-family: Verdana, Arial, Helvetica, sans-serif;">*Nov  7 03:52:34.658:  IP-ADDR: ipaddr_table_insert_w_tableid() 192.168.153.253, in global table on Ethernet0/1
</span>

The nat session is recreated on the new Active.

<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span>*Nov  7 03:52:34.745: NAT: API parameters passed: src_addr:10.31.71.3, src_port:0 dest_addr:10.31.73.12, dest_port:0, proto:6 if_input:Ethernet0/2 pak:B072F0A8 get_translated:1
*Nov  7 03:52:34.745: ipnat_api_translated_address_and_port_common, out->in want IL,OL
*Nov  7 03:52:34.745: NAT: API Translated-Info(1): (src-addr:10.31.71.3, src-port:0) (dest-addr:192.168.153.12, dest-port:0)</span></span>

<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span><br /></span></span>

<span style="font-family: Verdana, Arial, Helvetica, sans-serif;"><span><br /></span></span>

<br />