Question on NAT/PAT timeouts

Discussion in 'Cisco' started by Richard Antony Burton, Dec 12, 2003.

  1. I want to use 'ip nat tran tcp-timeout xxx' to help keep the size of the NAT
    table down.

    1) Does this setting mean timeout each entry after last activity on it, or
    after it is created?
    2) I have a lot of entries sticking around for the full default 24 hours,
    does this mean the application creating them isn't closing the socket
    correctly?
    3) Any suggestions as to the best value to use?
    4) What happens if an entry is removed that is in use? Will it re-establish
    with no real impact, or will it cause a problem?

    Richard.
     
    Richard Antony Burton, Dec 12, 2003
    #1

  2. "Richard Antony Burton" <> wrote in
    message news:LOhCb.2868346$...
    > I want to use 'ip nat tran tcp-timeout xxx' to help keep the size of the
    > NAT table down.
    >
    > 1) Does this setting mean timeout each entry after last activity on it, or
    > after it is created?


    It is an inactivity timeout, i.e. from the last active packet.

    > 2) I have a lot of entries sticking around for the full default 24 hours,
    > does this mean the application creating them isn't closing the socket
    > correctly?
    > 3) Any suggestions as to the best value to use?


    The default value (24 hours) is pretty long. It means a lot of entries,
    because if an entry is torn down by some method the router is aware
    of, it remains there for the 24-hour period.

    Lots of entries do not load the router much though. However, in
    some software versions they can cause the NAT engine to crash in
    IOS. Using more conservative values can save you from this.

    Typical values depend on how long an idle period is normal. The
    normal period should be allowed, and not too much longer is
    needed anyway, statistically.

    Typical generally good values are probably something like this:
    - 1 hour for tcp, faster for udp (especially if there are a lot of them).
      1 hour is the default in many other products, like some other firewall
      products etc.
    - syn-timeout perhaps 20-30s, because PCs do a quick retry from
      another source port if they get no quick response. The old try
      is never used anyway by the PC if a late entry gets there.
    - fast enough for icmp (hey, who really cares for a ping packet
      that gets back after say 10s?)

    Your typical situation might vary. Some pieces of software can be
    idle for hours and still need the same connection. Adjust as needed.

    > 4) What happens if an entry is removed that is in use? Will it
    > re-establish with no real impact, or will it cause a problem?


    The connection is torn down as far as the router knows it. The tcp
    connection will have to be re-established by the client station. The router
    cannot re-establish it by noting "hey, this is alive after all". The same
    address from the pool (or port in the case of PAT) might already be in
    use by some other client for another stream.
    --
    Harri
     
    Harri Suomalainen, Dec 15, 2003
    #2
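To illustrate the two points in the reply above (timeouts run from the last packet, and a removed entry cannot be revived, its port possibly already reassigned), here is a constructed Python simulation of a PAT table; it is added here and is not code from the thread or from IOS. It assumes a single global address, hypothetical inside hosts 10.0.0.5 and 10.0.0.9, and the timeout values suggested in the reply.

```python
# Constructed simulation of an inactivity-based PAT table (not IOS code).
# Idle timeouts in seconds, keyed like the IOS knobs 'ip nat translation
# tcp-timeout|udp-timeout|syn-timeout|icmp-timeout'; values follow the
# suggestions in the reply above, not the IOS defaults.
TIMEOUTS = {"tcp": 3600, "udp": 300, "syn": 30, "icmp": 10}


class PatTable:
    """One global address; entries are keyed by the outside (PAT) port."""
    def __init__(self, first_port=1024, pool_size=4):
        self.entries = {}     # outside_port -> [inside, proto, last_seen]
        self.by_inside = {}   # (inside, proto) -> outside_port
        self.free_ports = list(range(first_port, first_port + pool_size))

    def _expire(self, now):
        """Drop every entry idle longer than its protocol's timeout."""
        for port, (inside, proto, last_seen) in list(self.entries.items()):
            if now - last_seen > TIMEOUTS[proto]:
                del self.entries[port]
                del self.by_inside[(inside, proto)]
                self.free_ports.append(port)   # port is now reusable

    def outbound(self, inside, proto, now):
        """Inside->outside packet: create a mapping or refresh its timer."""
        self._expire(now)
        port = self.by_inside.get((inside, proto))
        if port is None:                       # pop() raises if pool exhausted
            port = self.by_inside[(inside, proto)] = self.free_ports.pop(0)
            self.entries[port] = [inside, proto, now]
        self.entries[port][2] = now            # any activity resets idle time
        return port

    def inbound(self, port, proto, now):
        """Outside->inside packet: the inside address, or None if no entry."""
        self._expire(now)
        entry = self.entries.get(port)
        if entry is None or entry[1] != proto:
            return None                        # router will not revive a stream
        entry[2] = now
        return entry[0]


def scenario():
    # Questions 1 and 4 from the thread, with a one-port pool so reuse shows.
    t = PatTable(pool_size=1)
    port_a = t.outbound("10.0.0.5", "tcp", now=0)
    t.outbound("10.0.0.5", "tcp", now=3000)          # traffic refreshes timer
    alive = t.inbound(port_a, "tcp", now=6000)         # 3000s idle < 3600s
    dropped = t.inbound(port_a, "tcp", now=10000)      # 4000s idle > 3600s
    port_b = t.outbound("10.0.0.9", "tcp", now=10001)  # freed port goes to B
    late = t.inbound(port_a, "tcp", now=10002)         # A's late packet
    return dict(alive=alive, dropped=dropped, reused=port_b == port_a, late=late)
```

Had the timer run from creation instead, the packet at t=6000 would already have found no entry; the last step shows why a dropped translation is not simply "re-established", since the port now belongs to another host's stream.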

  3. "Harri Suomalainen" <> wrote in message
    news:U0iDb.152$...
    > "Richard Antony Burton" <> wrote in
    > message news:LOhCb.2868346$...


    Thanks for the info. I think I have what I need now, just got to experiment
    with times a little.

    Richard.
     
    Richard Antony Burton, Dec 16, 2003
    #3