VRRP and dstnat

Sun Aug 11, 2013 8:15 pm
asa
I've successfully configured VRRP+OSPF with two RB2011UAS and everything works brilliantly for connections from my network. But I have trouble with incoming connections when both routers are working.

My config:
Virtual GW IP:
RB1 IP(master VRRP):
RB2 IP(backup VRRP):
Server IP:

I've set dstnat rules to Server from WAN on both RBs. If a connection is initiated through RB1 it works, but when it starts through RB2 I get a situation where RB2 sends the SYN packet directly to Server (because it is a connected route for RB2) but Server sends the SYN+ACK packet through RB1 (which owns the virtual GW IP as VRRP master) and the connection terminates.

How can I configure routers to handle incoming connections correctly?

Re: VRRP and dstnat

Mon Sep 02, 2013 2:45 pm
odge
Did you come right with this?

We have a public VRRP and private VRRP, but our uplink is not sending packets to a different address block for routing. If MTA doesn't hold the Public VRRP address, shouldn't it be forwarding it to the other MTB, which can then handle the inside and outside NAT... but no luck on this. If primary MT receives the packet, it doesn't reach MTB via forwarding.

Re: VRRP and dstnat

Thu Oct 10, 2013 10:08 am
odge
You need to control which MT is going to receive the connection. So if you can, use BGP, then tell your ISP which is the right MT. If you can't control which MT gets the incoming connection, then don't use VRRP, or you'll have to masquerade to your internal network (so that the server thinks the connection is coming from the internal IP of the MT).
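
The masquerade option from the last reply, written out as RouterOS NAT rules. This is an added example, not configuration posted by anyone in the thread; the addresses, interface names and port are constructed placeholders, since the thread's own IPs are not shown.

```routeros
# Constructed placeholder values (assumptions, not from the thread):
#   203.0.113.10     public address the service is published on
#   192.168.88.10    Server
#   192.168.88.0/24  LAN subnet shared by RB1, RB2 and Server
#   ether1-wan       WAN interface name
#   bridge-lan       LAN interface name
#   tcp/443          published service

# Rule the thread says already exists on both routers:
# forward the published port to Server.
/ip firewall nat add chain=dstnat in-interface=ether1-wan \
    dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="WAN to Server"

# Rule to add on both routers: rewrite the source of forwarded WAN
# connections to this router's own LAN address. Server then replies to
# the router that sent the SYN instead of to its default gateway (the
# VRRP master), so the SYN+ACK returns through the router that holds
# the connection-tracking entry.
# src-address=!LAN keeps traffic from LAN hosts to Server untouched.
/ip firewall nat add chain=srcnat out-interface=bridge-lan \
    src-address=!192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 action=masquerade \
    comment="Return path via this router"

# Check: the packet counters of both rules should rise on whichever
# router received the incoming connection.
/ip firewall nat print stats
```

With this rule in place Server sees every WAN client as the router's LAN address, so its own logs and any source-IP access controls no longer reflect the real client. Log and filter by source address on the routers instead.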