SYNERGYTECH asked:
Does anyone know a way to force an ASA to clear xlate when a tracked route fails (and fails back)

Here is a brief description of my issue, as brief as I can make it anyway.

I have a few clients using a cloud-based phone system, where the VOIP phones sit on the inside of the network connecting out to a phone system on the outside. At these specific locations, they are set up with multiple internet lines terminated on an ASA 5505 (version 8.2(5)), and are using tracked routes with sla monitor for line fail-over.

Here are the pertinent lines of the config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.30.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.100.225 255.255.255.0
!
interface Vlan3
 no forward interface Vlan2
 nameif backup
 security-level 0
 ip address 205.160.6.91 255.255.255.0

access-list acl_out extended permit icmp any any
access-list acl_backup extended permit icmp any any

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

access-group acl_out in interface outside
access-group acl_backup in interface backup

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 205.160.6.1 254

sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

My problem occurs during a failure scenario. When the primary line goes down, the route fails over and after a short period, 30-45 seconds or so, the phones are back in order: dialing and receiving with no issues, two-way audio working, etc. So no problems here.

The issue happens when I fail back to the primary line. In this case, the route switches back to the primary line and the phones re-establish themselves, but now they are stuck with only one-way audio for both inbound and outbound calls.

After setting this up in a lab to play with, I realized why. The ASA, after failing back to the primary line, is still holding onto an xlate / connection over the backup interface for SIP (TCP 5060 to the phone):

ciscoasa# show conn | include 10.20.30.10
TCP backup 63.209.193.9:5060 inside 10.20.30.10:51358, idle 0:00:41, bytes 50525, flags UIO

I found out the VOIP vendor is hitting the phone every 45 seconds or so with a SIP, I guess you could say, keep-alive, and given that when I fail back to my primary line the backup line never really goes "down", they continue to send their 45-second-interval SIP packet to the backup IP. The xlate never clears and this connection never clears, thus causing my one-way audio issue.

A reboot of the phone, or a clear xlate on the firewall, does the trick: the phone re-establishes itself over the primary line, the stale connection gets dropped and all is good.

My question here: Does anyone know of a way to force a clear xlate on the ASA when the tracked route changes? I have tossed around the idea of using SNMP traps to a syslog server to watch for the event, and in turn send an SNMP write back to the ASA with the "clear xlate" command, but I am looking for a way to not rely on anything outside the ASA to handle the routing for this.

Any ideas or thought appreciated!

thanks!
Tim
SOLUTION by SYNERGYTECH (members-only content, not shown on this page)
Pete Long: <Subscribed> Interested in your findings, not used EEM yet.
Yes
Scripting with EEM will do the trick.
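As an added example (not from the original thread, the asker's hidden solution, or Cisco documentation), this is the kind of EEM applet the comment above is pointing at. It reacts on the box itself to ASA syslog message 622001, which the ASA logs both when track 1 removes the primary default route (failover) and when it re-installs it (failback), and runs the asker's own fix, clear xlate, so no external syslog server or SNMP write is needed. It assumes a software release that includes EEM (ASA 9.2(1) or later; the 8.2(5) release in the question does not have it, and the ASA 5505 can be upgraded to 9.2), and that message 622001 has not been disabled. The applet name and description are made up.

```text
! Added example, not part of the original thread.
! Requires ASA 9.2(1) or later (EEM is not present in 8.2(5)).
!
! Message 622001 ("Adding/Removing tracked route ...") is emitted for both
! the failover and the failback transition of track 1, so a single applet
! keyed on that message ID covers both directions.
! Make sure the message has not been suppressed:
!   logging enable
!   logging message 622001
!
event manager applet CLEAR-XLATE-ON-TRACK-CHANGE
 description "Drop stale xlates/conns when the tracked default route changes"
 event syslog id 622001
 action 1 cli command "clear xlate"
 output none
!
! Checks once the applet is in place (run after pulling and restoring the
! primary line in the lab):
!   show running-config event manager
!   show track 1
!   show xlate
!   show conn | include 5060
```

Two things to keep in mind before relying on it: clear xlate drops every active translation, so all existing connections through the firewall are reset at each route change, not just the phones' SIP session, which is the same effect the asker already gets by running the command by hand; and on 9.x the global/nat lines shown in the question are pre-8.3 syntax that the upgrade converts automatically, so review the converted NAT rules first.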
ASKER CERTIFIED SOLUTION (members-only content, not shown on this page)
SYNERGYTECH (asker): I found the solution myself and posted the results here. Hope it helps someone else out.