8.4. Synchronization
Session synchronization ensures that every vCGNAT instance in a cluster has complete information about all open ports and sessions. If one vCGNAT instance fails and its traffic moves to another instance, user sessions are not dropped: the failure of one or more instances (how many depends on the chosen network architecture) passes unnoticed by the client. Synchronization data is exchanged over UDP.
Configuration
All the settings described below are entered in configuration mode. Session synchronization must be configured on at least two vCGNATs: an instance with no synchronization configured drops the sync messages it receives, so messages sent by the first vCGNAT to an unconfigured second one are silently discarded.
- nat sync destination-ip A.B.C.D port (1-65535) [{vrf NAME|source-ip A.B.C.D}]
Set the destination IP address and UDP port to which synchronization data is sent. Optionally, a VRF or the source IP address can be specified. To send synchronization messages to several devices at once, use a dedicated L2 segment for synchronization and specify the broadcast address of that network as the destination IP address. Received synchronization messages create, update and delete entries in the local session table (see the counters under Show commands), so the synchronization segment should not be reachable from subscriber-facing or Internet-facing networks.
- no nat sync
Disable the configured synchronization.
- <nat|nat64> sync timeout-delay (1-604800000)
Set a delay interval (in milliseconds) that is added to the timers of sessions created from sync messages. Such sessions live timeout-delay ms longer than on the instance where they were originally created. The delay gives the primary instance time to send an update for a given session before the backup deletes it; deleting and then recreating a session carries considerable overhead. The default is 1000 ms.
- no <nat|nat64> sync timeout-delay (1-604800000) [vrf NAME]
Reset the timeout delay to the default value.
- nat sync start-delay (1-3600)
Set the start delay in seconds. This delay is required in the Active-Active redundancy scenario. It is applied at system startup so that a new instance can join the cluster transparently: during the delay the NAT instance does not answer ARP requests, so no traffic is redistributed to it, while the other devices keep sending synchronization messages and the new instance fills its session table from them. When the delay ends, the new instance, already holding a full session table, starts taking over part of the traffic without breaking users' connections.
Important
In this scenario synchronization must be configured towards the broadcast address of the network, because the new instance does not answer ARP during the delay and its unicast address could not be resolved by the other instances.
- no nat sync start-delay
Disable the start delay.
If you do not want to wait for the start delay, use the following command (in View mode) to start traffic processing immediately:
- nat sync start
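The race that timeout-delay guards against, as an added example that is not part of this documentation or of vCGNAT itself. The model assumes that the primary refreshes a session's idle timer on every packet and emits one sync message carrying the new expiry, that the backup receives it after a propagation delay and sets its own expiry to the advertised one plus timeout-delay, and that an entry whose timer has already run out must be recreated when the update arrives. Deletion messages are not modelled; all timings and the session key are assumptions.

```python
"""Added example, not part of the NFWare documentation or product code.

Discrete-event model of the timeout-delay race: a backup whose timer is
no longer than the primary's deletes the entry just before a late refresh
arrives and has to recreate it; a timeout-delay larger than the worst-case
sync propagation time turns those recreations into plain updates.
"""
from dataclasses import dataclass, field


@dataclass
class BackupTable:
    """Simplified session table of the backup instance (all times in ms)."""
    timeout_delay_ms: int
    expiry: dict = field(default_factory=dict)  # session key -> expiry time
    seen: set = field(default_factory=set)      # keys that were ever created
    created: int = 0
    updated: int = 0
    recreated: int = 0

    def expire_idle(self, now_ms):
        """Drop every entry whose timer has run out by ``now_ms``."""
        for key, expiry in list(self.expiry.items()):
            if expiry <= now_ms:
                del self.expiry[key]

    def on_sync(self, now_ms, key, advertised_expiry_ms):
        """Apply a sync update for ``key`` that arrived at ``now_ms``."""
        self.expire_idle(now_ms)
        if key in self.expiry:
            self.updated += 1
        elif key in self.seen:
            self.recreated += 1      # timer ran out before the update arrived
        else:
            self.created += 1
            self.seen.add(key)
        # Backup timer = primary's expiry plus the configured slack (assumption).
        self.expiry[key] = advertised_expiry_ms + self.timeout_delay_ms


def simulate(packet_times_ms, idle_timeout_ms, sync_latency_ms, timeout_delay_ms,
             key="100.64.0.5:40000"):
    """Replay packets seen by the primary and deliver the resulting sync
    messages to the backup. Returns the backup's event counts."""
    backup = BackupTable(timeout_delay_ms)
    deliveries = []
    for t in packet_times_ms:
        # Each packet refreshes the primary's timer: new expiry = t + idle timeout.
        deliveries.append((t + sync_latency_ms, t + idle_timeout_ms))
    for arrival, advertised in sorted(deliveries):
        backup.on_sync(arrival, key, advertised)
    return {"created": backup.created, "updated": backup.updated,
            "recreated": backup.recreated}


if __name__ == "__main__":
    # Constructed flow: refreshed 100 ms before each 30 s idle timeout would
    # expire, with sync messages taking 500 ms to reach the backup.
    packets = [0, 29_900, 59_800, 89_700]
    for delay in (0, 1000):
        print(f"timeout-delay {delay:>4} ms:", simulate(packets, 30_000, 500, delay))
```

With a 500 ms sync latency, timeout-delay 0 recreates the session on every refresh while the default 1000 ms keeps it alive; raising the latency to 1500 ms with the same 1000 ms delay brings the recreations back, so the value should exceed the worst-case delivery time of sync messages on the synchronization segment.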
Show commands
- show <nat|nat64> counters [vrf NAME] sync
Display the NAT or NAT64 counters for synchronization. Their description is given in Show and Clear Commands, except for the following synchronization-specific counters:

Counter                           Description
No IP Suggested Drops             The external IP address specified in the synchronization message was not found in the pool.
Out of Synchronization Drops      A mapping to a different external IP:Port already exists for the client IP:Port. A small synchronization loss occurred; the message is ignored.
Deletion of Non-Existent Session  A message was received about deleting a session that does not exist.
Outdate Messages                  A sync message that would lower a session's TTL is treated as outdated and discarded unless its force flag is 1. The sender sets force to 1 in the cases where lowering the TTL is legitimate: when a packet triggers a TCP state change, when an ALG removes data sessions, and when the session is cleared manually.
No NAT Subscriber Group Drops     No subscriber group is configured for the client specified in the synchronization message.

nfware# show nat counters sync
------------------------------------------------------------
Counter                                                Value
------------------------------------------------------------
Subscriber Creations                                       0
Address Map Creations                                      0
Port Map Creations                                         0
Session Creations                                          0
Hairpinning Sessions                                       0
Address Map Entry Limit Drops                              0
Address Map Failure Drops                                  0
No IP Suggested Drops                                      0
Out of Synchronization Drops                               0
Deletion of Non-Existent Session                           0
Outdate Messages                                           0
No NAT Rule Drops                                          0
No NAT Rule Group Drops                                    0
No Pool Drops                                              0
Port Map Failure Drops                                     0
Port Map Entry Limit Drops                                 0
Subscriber Port Map Limit Drops                            0
Subscriber Port Block Limit Drops                          0
No Free Port Drops                                         0
No Free Block Drops                                        0
Session Entry Limit Drops                                  0
Subscriber Limit Drops                                     0
Subscriber Session Limit Drops                             0
Subscriber Session Rate Limit Drops                        0
------------------------------------------------------------
- clear <nat|nat64> counters [vrf NAME] sync
Clear the NAT or NAT64 counters for synchronization.
- show nat sync
Display the synchronization configuration and the transport counters for sent and received synchronization packets.

nfware# show nat sync
nat sync destination-ip 172.23.40.50 port 10 source-ip 172.23.40.49
Counters:
  Sent:
    Packets: 7
    Messages: 7
    No packet drops: 0
    No VRF drops: 0
  Received:
    Packets: 0
    Messages: 0
    Invalid packet length: 0
    Invalid msg length: 0
    Errors on processing: 0
    Unsupported msg type: 0
    Invalid packet header: 0
    Invalid message header: 0

In the output above the instance has sent 7 messages and received none, which is the pattern to expect while the peer has no synchronization configured towards this instance (see Configuration).

Counter                        Description
Packets                        Sent/received IP packets; one packet can carry multiple messages.
Messages                       Sent/received messages; one message describes one session change (timeout, state).
No packet drops                Sync messages that could not be sent because no packet could be allocated from the packet pool to carry them.
No VRF drops                   Sync messages that could not be sent because the configured VRF does not exist.
Invalid packet length          The received packet is smaller than the total size of the messages it claims to contain.
Invalid msg length             The message header specifies a length that does not fit in the packet, so the message cannot be parsed.
Errors on processing           An error occurred while processing a received synchronization message. The reason is visible in the per-reason counters of show nat counters sync.
Unsupported msg type           The message header carries an unsupported message type, so the message cannot be parsed.
Invalid packet/message header  The magic values in the packet header or message header, which are used for header validation, did not pass the check.
- clear nat sync
Clear the synchronization counters displayed by show nat sync.
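As an added example (not part of this documentation or of the product), a small Python script that parses the two outputs shown above and turns them into findings: non-zero transport errors, non-zero synchronization drop counters, and one-way synchronization (messages sent but none received), the symptom of a peer that has no matching nat sync configuration. The sample outputs embedded in the script are constructed for the example; the broadcast destination 172.23.40.255 and port 4444 are hypothetical values, and the counter names follow this page.

```python
"""Added example, not part of the NFWare documentation or product code.

Parses 'show nat sync' and 'show nat counters sync' output in the layout
shown on this page and reports findings a monitoring job would raise.
"""
import re

# Constructed sample outputs (hypothetical addresses and port).
SAMPLE_SHOW_NAT_SYNC = """\
nfware# show nat sync
nat sync destination-ip 172.23.40.255 port 4444 source-ip 172.23.40.49
Counters:
  Sent:
    Packets: 7
    Messages: 7
    No packet drops: 0
    No VRF drops: 0
  Received:
    Packets: 0
    Messages: 0
    Invalid packet length: 0
    Invalid msg length: 0
    Errors on processing: 0
    Unsupported msg type: 0
    Invalid packet header: 0
    Invalid message header: 0
"""

SAMPLE_COUNTERS_SYNC = """\
nfware# show nat counters sync
------------------------------------------------------------
Counter                                                Value
------------------------------------------------------------
Subscriber Creations                                      12
Session Creations                                         40
Out of Synchronization Drops                               1
Deletion of Non-Existent Session                           0
Outdate Messages                                           0
No NAT Rule Group Drops                                    2
------------------------------------------------------------
"""

TRANSPORT_OK = {"Packets", "Messages"}          # volume counters, not errors
INFO_COUNTERS = {"Out of Synchronization Drops",  # benign in small numbers
                 "Outdate Messages"}              # per the counter descriptions


def parse_show_nat_sync(text):
    """Return {'config': line or None, 'Sent': {name: int}, 'Received': {name: int}}."""
    result = {"config": None, "Sent": {}, "Received": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("nfware#") or line == "Counters:":
            continue
        if line.startswith("nat sync "):
            result["config"] = line
        elif line in ("Sent:", "Received:"):
            section = line[:-1]
        elif section and ":" in line:
            name, value = line.rsplit(":", 1)
            result[section][name.strip()] = int(value)
    return result


def parse_counters_sync(text):
    """Return {counter name: value} from the tabular counters output."""
    counters = {}
    for raw in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z -]*?)\s{2,}(\d+)\s*$", raw)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def analyze(sync_text, counters_text):
    """Return a list of (severity, message) findings; an empty list means healthy."""
    status = parse_show_nat_sync(sync_text)
    counters = parse_counters_sync(counters_text)
    findings = []
    if status["config"] is None:
        findings.append(("error", "no 'nat sync destination-ip' line: synchronization is not configured"))
    sent, recv = status["Sent"], status["Received"]
    if sent.get("Messages", 0) > 0 and recv.get("Messages", 0) == 0:
        findings.append(("warning", "one-way synchronization: messages sent but none received; "
                                    "check that the peer has nat sync configured towards this instance"))
    for direction in ("Sent", "Received"):
        for name, value in status[direction].items():
            if name not in TRANSPORT_OK and value > 0:
                findings.append(("error", f"{direction}: {name} = {value}"))
    for name, value in counters.items():
        if value == 0 or name.endswith("Creations") or name == "Hairpinning Sessions":
            continue
        severity = "info" if name in INFO_COUNTERS else "error"
        findings.append((severity, f"counters sync: {name} = {value}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_SHOW_NAT_SYNC, SAMPLE_COUNTERS_SYNC):
        print(f"[{severity}] {message}")
```

Feed it the text of both show commands from each cluster member; a member that reports the one-way warning while its peers report received messages is the one whose peers are not configured towards it, and any error-level counter that keeps growing after a clear nat sync / clear nat counters sync points at a transport or configuration problem on the synchronization segment.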