9.9. Timeouts¶
To ensure the correct operation, NAT monitors subscribers’ sessions.
For the TCP and UDP protocols, the session is defined by these five fields in the packet:
Source IP Address,
Destination IP Address,
Protocol,
Source port,
Destination port.
For the ICMP protocol, the session is defined by these four fields:
Source IP address,
Destination IP address,
Protocol,
Query ID.
For GRE and ESP protocols, the session is defined by these three fields:
Source IP address,
Destination IP address,
Protocol.
When the NAT receives a packet, it checks whether it has an existing record in the session table in accordance with the fields specified above. If the session exist, NAT updates its state. If there is no record for the session yet, NAT creates it. To prevent the session table from overflowing, NAT monitors session activity. If no packets had passed through the session for a certain time, the session is considered outdated and is deleted from the table.
This section describes how timeouts work and how to configure them for various protocols.
TCP¶
NAT monitors the state of TCP sessions in accordance with RFC 5382#section-5 and RFC 7857#section-2 using the following finite-state machine:
![digraph {
bgcolor="transparent";
node [shape=box, color="#000000", fontcolor="#000000"];
edge [color="#000000", fontcolor="#000000"];
CLOSED;
INIT_OUTBOUND;
INIT_INBOUND;
TRANSITORY;
ESTABLISHED;
FIN_OUTBOUND;
FIN_INBOUND;
CLOSING;
CLOSED -> INIT_OUTBOUND [label = "Client SYN"];
CLOSED -> INIT_INBOUND [label = "Server SYN"];
INIT_OUTBOUND -> ESTABLISHED [label = "Server SYN"];
INIT_OUTBOUND -> CLOSED [label = <<i>Opening TO</i>>; style = "dotted"];
INIT_INBOUND -> CLOSED [label = <<i>Opening TO</i>>; style = "dotted"];
INIT_INBOUND -> ESTABLISHED [label = "Client SYN"];
ESTABLISHED -> TRANSITORY [label = <<i>Client/Server RST<br /> or<br /> Established TO</i>>; style = "dotted"];
TRANSITORY -> ESTABLISHED [label = "Data Packet"];
TRANSITORY -> CLOSED [label = <<i>Transitory TO</i>>; style = "dotted"];
ESTABLISHED -> FIN_OUTBOUND [label = "Client FIN"];
ESTABLISHED -> FIN_INBOUND [label = "Server FIN"];
FIN_OUTBOUND -> CLOSING [label = "Server FIN"];
FIN_OUTBOUND -> CLOSING [label = <<i>FIN-WAIT<br /> TO</i>>; style = "dotted"];
FIN_INBOUND -> CLOSING [label = "Client FIN"];
FIN_INBOUND -> CLOSING [label = <<i>FIN-WAIT<br /> TO</i>>; style = "dotted"];
CLOSING -> CLOSED [label = <<i>Transitory TO</i>>; style = "dotted"];
subgraph {
rank="same";
INIT_OUTBOUND;
INIT_INBOUND
TRANSITORY;
}
}](../_images/graphviz-6f4b902de834da6d9e475572591d242a3210f134.png)
![digraph {
bgcolor="transparent";
node [shape=box, color="white", fontcolor="white"];
edge [color="white", fontcolor="white"];
CLOSED;
INIT_OUTBOUND;
INIT_INBOUND;
TRANSITORY;
ESTABLISHED;
FIN_OUTBOUND;
FIN_INBOUND;
CLOSING;
CLOSED -> INIT_OUTBOUND [label = "Client SYN"];
CLOSED -> INIT_INBOUND [label = "Server SYN"];
INIT_OUTBOUND -> ESTABLISHED [label = "Server SYN"];
INIT_OUTBOUND -> CLOSED [label = <<i>Opening TO</i>>; style = "dotted"];
INIT_INBOUND -> CLOSED [label = <<i>Opening TO</i>>; style = "dotted"];
INIT_INBOUND -> ESTABLISHED [label = "Client SYN"];
ESTABLISHED -> TRANSITORY [label = <<i>Client/Server RST<br /> or<br /> Established TO</i>>; style = "dotted"];
TRANSITORY -> ESTABLISHED [label = "Data Packet"];
TRANSITORY -> CLOSED [label = <<i>Transitory TO</i>>; style = "dotted"];
ESTABLISHED -> FIN_OUTBOUND [label = "Client FIN"];
ESTABLISHED -> FIN_INBOUND [label = "Server FIN"];
FIN_OUTBOUND -> CLOSING [label = "Server FIN"];
FIN_OUTBOUND -> CLOSING [label = <<i>FIN-WAIT<br /> TO</i>>; style = "dotted"];
FIN_INBOUND -> CLOSING [label = "Client FIN"];
FIN_INBOUND -> CLOSING [label = <<i>FIN-WAIT<br /> TO</i>>; style = "dotted"];
CLOSING -> CLOSED [label = <<i>Transitory TO</i>>; style = "dotted"];
subgraph {
rank="same";
INIT_OUTBOUND;
INIT_INBOUND
TRANSITORY;
}
}](../_images/graphviz-92554acbf57a502d343654159a7b4d331423cf3c.png)
- CLOSED
A pseudo-state that reflects a non-existent session. After NAT receives a
SYNpacket from the subscriber or server, it creates a session and puts it in theINIT_OUTBOUNDorINIT_INBOUNDstate, respectively.- INIT_OUTBOUND and INIT_INBOUND
In this state, NAT expects to receive a response
SYNpacket from the server or subscriber, respectively. If it receives such a packet during theOpening Timeout, the session goes in theESTABLISHEDstate. If the packet has not been received, NAT closes the session.- ESTABLISHED
The main state of the TCP session. If NAT receives a
FINpacket from the subscriber or server, it puts the session in theFIN_OUTBOUNDorFIN_INBOUNDstate, respectively. If the NAT receives anRSTpacket from the subscriber or server, or does not receive any packets during theEstablished Timeout, it puts the session in theTRANSITORYstate.- TRANSITORY
If NAT receives any packet for the session in this state, it transfers the session back to the
ESTABLISHEDstate. If NAT does not receive any packets during theTransitory Timeout, it closes the session.- FIN_OUTBOUND and FIN_INBOUND
In this state, NAT expects to receive a response
FINpacket from the server or subscriber, respectively. If it receives such a packet or does not receive duringFIN-WAIT Timeout, it puts the session in theCLOSINGstate. If NAT does not receive any packets during theEstablished Timeout, it closes the session.- CLOSING
The session stays in this state until
Transitory Timeoutexpires, then it’s closed.
To configure TCP session timeouts, the following commands are available:
- <nat|nat64> timeout tcp opening (1-604800) [vrf NAME]¶
Set
Opening Timeoutin seconds. By default, it is 240 seconds (4 minutes).
- <nat|nat64> timeout tcp established (1-604800) [vrf NAME]¶
Set
Established Timeoutin seconds. By default, it is 7440 seconds (2 hours and 4 minutes).
- <nat|nat64> timeout tcp transitory (1-604800) [vrf NAME]¶
Set
Transitory Timeoutin seconds. By default, it is 240 seconds (4 minutes).
- <nat|nat64> timeout tcp fin-wait (1-604800) [vrf NAME]¶
Set
FIN-WAIT Timeoutin seconds. By default, it is 7440 seconds (2 hours and 4 minutes).
UDP¶
NAT monitors the state of UDP sessions in accordance with RFC 4787#section-4.3. If there are no packets through the created UDP session during the specified timeout, the session is closed.
- <nat|nat64> timeout udp (1-604800) [vrf NAME]¶
Set the timeout for UDP sessions in seconds. By default, it is 300 seconds (5 minutes).
ICMP¶
NAT monitors the state of ICMP sessions in accordance with RFC 5508#section-3.2. If there are no packets through the created ICMP session during the specified timeout, the session is closed.
- <nat|nat64> timeout icmp (1-604800) [vrf NAME]¶
Set the timeout for ICMP sessions in seconds. By default, it is 60 seconds (1 minute).
GRE¶
If there are no packets through the created GRE session during the specified timeout, the session is closed.
- <nat|nat64> timeout gre (1-604800) [vrf NAME]¶
Set the timeout for GRE sessions in seconds. By default, it is 1800 seconds (30 minutes).
ESP¶
If there are no packets through the created ESP session during the specified timeout, the session is closed.
- <nat|nat64> timeout esp (1-604800) [vrf NAME]¶
Set the timeout for ESP sessions in seconds. By default, it is 1800 seconds (30 minutes).
Timeout Update¶
By default, NAT updates session timeouts for packets in both directions - from subscribers to servers (outbound), and from servers to subscribers (inbound). For additional protection against external attacks, it is possible to disable the timeouts updates for the inbound packets.
- <nat|nat64> service inbound-refresh enable [vrf NAME]¶
Enable timeouts updates for the inbound packets. This is the default behavior. To disable it, use this command with the
noprefix.
Show Commands¶
- show <nat|nat64> timeout [vrf NAME]¶
Display the current timeout values for ESP, GRE, ICMP, UDP and TCP protocols.