Question on NAT/PAT timeouts

Discussion in 'Cisco' started by Richard Antony Burton, Dec 12, 2003.

  1. I want to use 'ip nat tran tcp-timeout xxx' to help keep the size of the NAT table down.

    1) Does this setting mean timeout each entry after last activity on it, or
    after it is created?
    2) I have a lot of entries sticking around for the full default 24 hours,
    does this mean the application creating them isn't closing the socket
    correctly?
    3) Any suggestions as to the best value to use?
    4) What happens if an entry is removed that is in use? Will it re-establish
    with no real impact, or will it cause a problem?

    Richard.
     
    Richard Antony Burton, Dec 12, 2003
    #1

  2. It is an inactivity timeout, i.e. from the last active packet.
    The default value (24 hours) is pretty long. It means a lot of entries,
    because if an entry is torn down by some method the router is aware
    of, it remains there for the 24-hour period.

    Lots of entries do not load the router much, though. However, in
    some software versions they can cause the NAT engine to crash in
    IOS. Using more conservative values can save you from this.

    Typical values depend on how long an inactivity is normal. The
    normal period should be allowed, and not much longer than that is
    needed anyway, statistically.

    Typical generally good values are probably something like this:
    - 1 hour for TCP, faster for UDP (especially if there are a lot of them);
      1 hour is the default in many other products, like some other firewall
      products etc.
    - syn-timeout perhaps 20-30s, because PCs do a quick retry from
      another source port if they get no quick response. The old try
      is never used anyway by the PC if a late reply gets there.
    - fast enough for ICMP (hey, who really cares about a ping packet
      that gets back after, say, 10s?)

    Your typical situation might vary. Some pieces of software can be
    idle for hours and still need the same connection. Adjust as needed.
    The connection is torn down as far as the router knows. The TCP
    connection will have to be re-established by the client station. The router
    cannot re-establish it by noting "hey, this is alive after all". The same
    address from the pool (or port, in the case of PAT) might already be in
    use by some other client for another stream.
     
    Harri Suomalainen, Dec 15, 2003
    #2
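    The timeout scheme from the reply above, written out as an IOS configuration fragment (an added example, not something posted in the thread). The default values in the comments are the ones IOS has used for these timers; the tuned values follow the reply's suggestions (1 hour TCP, shorter UDP, 20-30s SYN, ~10s ICMP) and are assumptions to adjust per site. The `show` output fields are illustrative of the format, not a capture from the poster's router.

    ```cisco
    ! --- Weak: defaults left in place (dynamic/TCP translations age out
    !     only after 24 hours of inactivity, so half-open and abandoned
    !     sessions sit in the table all day)
    ! ip nat translation timeout 86400
    ! ip nat translation tcp-timeout 86400
    ! ip nat translation syn-timeout 60
    ! ip nat translation udp-timeout 300
    ! ip nat translation icmp-timeout 60
    !
    ! --- Tuned: inactivity timers shortened so the table stays small
    !     (values are assumptions; raise tcp-timeout if an application
    !     legitimately sits idle for longer than an hour)
    ip nat translation timeout 3600
    ip nat translation tcp-timeout 3600
    ! entries that never complete the handshake are dropped quickly;
    ! the client retries from a new source port anyway
    ip nat translation syn-timeout 30
    ! entries that saw FIN or RST are released after a short grace period
    ip nat translation finrst-timeout 60
    ip nat translation udp-timeout 120
    ! ping replies arriving after 10s are of no use to anyone
    ip nat translation icmp-timeout 10
    !
    ! --- Verifying the timers are inactivity-based: the "left" field on a
    !     translation is reset to the configured timeout by every packet,
    !     while "create" keeps counting up from when the entry was made.
    ! Router# show ip nat translations verbose
    ! tcp 203.0.113.5:1024  10.0.0.7:1024  198.51.100.9:80  198.51.100.9:80
    !     create 00:12:31, use 00:00:03 left 00:59:57, flags: extended
    !
    ! --- Table size and hit counters, to judge whether the new values help
    ! Router# show ip nat statistics
    !
    ! --- Flushing stale entries once (active sessions will re-establish;
    !     a pool address or PAT port may be reused by another client)
    ! Router# clear ip nat translation *
    ```

    Apply the timer changes during a quiet period: shortening a timer does not remove existing entries until they next age out, and clearing the table forces every client to re-establish.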

  3. Thanks for the info. I think I have what I need now, just got to experiment
    with times a little.

    Richard.
     
    Richard Antony Burton, Dec 16, 2003
    #3
