8.4. Synchronization

Session synchronization ensures that every vCGNAT instance in the cluster has complete information about all open ports and sessions. As a result, if one vCGNAT instance fails, user sessions are not dropped when traffic moves to another instance: the failure of one or more vCGNAT instances (how many depends on the selected network architecture) passes unnoticed by the client. Data exchange is performed over UDP.

Configuration

All the settings described below are entered in configuration mode. Session synchronization must be configured on at least two vCGNATs; otherwise, the messages sent by the first vCGNAT will be dropped by the second one.

nat sync destination-ip A.B.C.D port (1-65535) [{vrf NAME|source-ip A.B.C.D}]

Set the destination IP address and port to which data will be sent over UDP. Optionally, a VRF and the source IP address can be specified. To send synchronization messages to multiple devices at once, use a dedicated L2 segment and the broadcast address of that network as the destination IP address.

no nat sync

Disable the configured synchronization.

<nat|nat64> sync timeout-delay (1-604800000)

Set a delay interval (in milliseconds) that is added to the session timers when sessions are created from sync messages. The lifetime of such sessions is timeout-delay ms longer than on the server where they were created. The delay gives the primary server time to send an update for a given session before this instance deletes it, because recreating a session is expensive. The default is 1000 ms.

no <nat|nat64> sync timeout-delay (1-604800000) [vrf NAME]

Reset timeout delay to the default value.

nat sync start-delay (1-3600)

Set the start delay in seconds. This delay is required for the Active-Active redundancy scenario. It is applied at system startup and allows a new instance to join the cluster transparently: the NAT instance does not respond to ARP requests during the delay, so no traffic is redistributed to it yet, while the other devices keep sending synchronization messages and the new instance fills its session table. When the delay ends, the new instance, with an already complete session table, picks up part of the traffic without losing users' connections.

Important

In this scenario, synchronization must be configured to the broadcast address of the network, because the new instance does not respond to ARP during the delay and therefore cannot be addressed by unicast.

no nat sync start-delay

Disable the start delay.

If you do not want to wait for the start delay, use this command (in View mode) to start traffic processing immediately:

nat sync start

Show commands

show <nat|nat64> counters [vrf NAME] sync

Display NAT or NAT64 counters for synchronization. Counters shared with the regular NAT counters are described in Show and Clear Commands; the following counters are specific to synchronization:

Counter                             Description
------------------------------------------------------------------------------
No IP Suggested Drops               The external IP specified in the
                                    synchronization message was not found in the
                                    pool
Out of Synchronization Drops        A mapping to a different external IP:Port has
                                    already been created for this client IP:Port.
                                    A small synchronization drop occurred, so the
                                    message is ignored
Deletion of Non-Existent Session    Received a message about deleting a session
                                    that does not exist
Outdate Messages                    The session TTL may be legitimately lowered by
                                    a sync message:
                                      - when a packet triggers a TCP state change
                                      - when an ALG removes its data sessions
                                      - when the session is manually cleared
                                    In these cases the force flag in the sync
                                    message is set to 1. If force is 0, a message
                                    that lowers the TTL is considered outdated and
                                    is discarded
No NAT Subscriber Group Drops       No subscriber group is configured for the
                                    client specified in the synchronization message
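As an added illustration (not the vendor's code), the constructed Python model below applies a sequence of sync messages on a receiving instance following the rules described above and shows which of the documented counters each case increments. The message fields, the session key and the addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed model of a replica applying received sync messages: an illustration
# of the rules described above, not the vendor's implementation.
TIMEOUT_DELAY_MS = 1000  # default of "nat sync timeout-delay"

@dataclass
class Replica:
    now_ms: int = 0
    sessions: dict = field(default_factory=dict)  # client -> (external, expiry_ms)
    counters: dict = field(default_factory=lambda: {
        "Session Creations": 0, "Out of Synchronization Drops": 0,
        "Deletion of Non-Existent Session": 0, "Outdate Messages": 0})

    def apply(self, msg: dict) -> bool:
        """Apply one sync message; return True if the session table changed."""
        self.sessions = {c: s for c, s in self.sessions.items() if s[1] > self.now_ms}  # expire
        client, ext = msg["client"], msg.get("external")
        if msg["type"] == "delete":
            if client not in self.sessions:
                self.counters["Deletion of Non-Existent Session"] += 1
                return False
            del self.sessions[client]
            return True
        expiry = self.now_ms + msg["ttl_ms"] + TIMEOUT_DELAY_MS  # kept timeout-delay ms longer
        cur = self.sessions.get(client)
        if cur is None:
            self.sessions[client] = (ext, expiry)
            self.counters["Session Creations"] += 1
            return True
        if cur[0] != ext:  # client already mapped to another external IP:Port
            self.counters["Out of Synchronization Drops"] += 1
            return False
        if expiry < cur[1] and not msg.get("force", False):
            # TTL may only be lowered by a forced message (TCP state change, ALG teardown, manual clear)
            self.counters["Outdate Messages"] += 1
            return False
        self.sessions[client] = (ext, expiry)
        return True

def run_scenario() -> dict:
    r, c, e = Replica(), "10.0.0.5:40000", "203.0.113.1:2000"  # constructed sample values
    r.apply({"type": "create", "client": c, "external": e, "ttl_ms": 5000})
    r.apply({"type": "update", "client": c, "external": e, "ttl_ms": 2000})  # lowered, not forced
    r.apply({"type": "update", "client": c, "external": e, "ttl_ms": 2000, "force": True})
    r.apply({"type": "create", "client": c, "external": "203.0.113.2:2000", "ttl_ms": 5000})
    r.now_ms = 2500  # past the primary's 2000 ms TTL but inside the timeout-delay window
    r.apply({"type": "delete", "client": c})  # still present, so removed cleanly
    r.apply({"type": "delete", "client": c})  # nothing left to delete
    return r.counters
```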

nfware# show nat counters sync
------------------------------------------------------------
Counter                                 Value
------------------------------------------------------------
Subscriber Creations                    0
Address Map Creations                   0
Port Map Creations                      0
Session Creations                       0
Hairpinning Sessions                    0
Address Map Entry Limit Drops           0
Address Map Failure Drops               0
No IP Suggested Drops                   0
Out of Synchronization Drops            0
Deletion of Non-Existent Session        0
Outdate Messages                        0
No NAT Rule Drops                       0
No NAT Rule Group Drops                 0
No Pool Drops                           0
Port Map Failure Drops                  0
 Port Map Entry Limit Drops             0
 Subscriber Port Map Limit Drops        0
 Subscriber Port Block Limit Drops      0
 No Free Port Drops                     0
 No Free Block Drops                    0
Session Entry Limit Drops               0
Subscriber Limit Drops                  0
Subscriber Session Limit Drops          0
Subscriber Session Rate Limit Drops     0
------------------------------------------------------------

clear <nat|nat64> counters [vrf NAME] sync

Clear NAT or NAT64 counters for synchronization.

show nat sync

Display the synchronization configuration and the packet-level counters for synchronization.

nfware# show nat sync
nat sync destination-ip 172.23.40.50 port 10 source-ip 172.23.40.49
Counters:
 Sent:
  Packets:  7
  Messages: 7
  No packet drops: 0
  No VRF drops: 0
  Received:
   Packets:  0
   Messages: 0
   Invalid packet length:  0
   Invalid msg length:     0
   Errors on processing:   0
   Unsupported msg type:   0
   Invalid packet header:  0
   Invalid message header: 0

Counter                             Description
------------------------------------------------------------------------------
Packets                             Sent/received IP packets; one packet can
                                    carry multiple messages
Messages                            Sent/received messages, one per session
                                    change (timeout, state)
No packet drops                     The number of sync messages that could not be
                                    sent because a packet could not be allocated
                                    from the packet pool to carry them
No VRF drops                        The number of sync messages that could not be
                                    sent because the specified VRF does not exist
Invalid msg length                  The synchronization message cannot be parsed
                                    because the message header has an invalid
                                    length
Errors on processing                An error occurred while processing the
                                    received synchronization message. Details can
                                    be found in show nat counters sync
Unsupported msg type                The synchronization message cannot be parsed
                                    because the message header has an unsupported
                                    type
Invalid packet length               The size of the received packet is smaller
                                    than the total size of the messages it
                                    contains
Invalid msg length                  The message header specifies a length that
                                    does not fit in the packet
Invalid pkt/message headers         The magic values in the packet/message headers
                                    used for header validation did not pass the
                                    check

clear nat sync

Clear counters for synchronization.