9.9. Timeouts¶
To ensure the correct operation, NAT monitors subscribers’ sessions.
For the TCP and UDP protocols, the session is defined by these five fields in the packet:
Source IP Address,
Destination IP Address,
Protocol,
Source port,
Destination port.
For the ICMP protocol, the session is defined by these four fields:
Source IP address,
Destination IP address,
Protocol,
Query ID.
For GRE and ESP protocols, the session is defined by these three fields:
Source IP address,
Destination IP address,
Protocol.
When the NAT receives a packet, it checks whether it has an existing record in the session table in accordance with the fields specified above. If the session exist, NAT updates its state. If there is no record for the session yet, NAT creates it. To prevent the session table from overflowing, NAT monitors session activity. If no packets had passed through the session for a certain time, the session is considered outdated and is deleted from the table.
This section describes how timeouts work and how to configure them for various protocols.
TCP¶
NAT monitors the state of TCP sessions in accordance with RFC 5382 Section 5 and RFC 7857 Section 2 using the following finite-state machine:
- CLOSED
A pseudo-state that reflects a non-existent session. After NAT receives a
SYN
packet from the subscriber or server, it creates a session and puts it in theINIT_OUTBOUND
orINIT_INBOUND
state, respectively.- INIT_OUTBOUND and INIT_INBOUND
In this state, NAT expects to receive a response
SYN
packet from the server or subscriber, respectively. If it receives such a packet during theOpening Timeout
, the session goes in theESTABLISHED
state. If the packet has not been received, NAT closes the session.- ESTABLISHED
The main state of the TCP session. If NAT receives a
FIN
packet from the subscriber or server, it puts the session in theFIN_OUTBOUND
orFIN_INBOUND
state, respectively. If the NAT receives anRST
packet from the subscriber or server, or does not receive any packets during theEstablished Timeout
, it puts the session in theTRANSITORY
state.- TRANSITORY
If NAT receives any packet for the session in this state, it transfers the session back to the
ESTABLISHED
state. If NAT does not receive any packets during theTransitory Timeout
, it closes the session.- FIN_OUTBOUND and FIN_INBOUND
In this state, NAT expects to receive a response
FIN
packet from the server or subscriber, respectively. If it receives such a packet or does not receive duringFIN-WAIT Timeout
, it puts the session in theCLOSING
state. If NAT does not receive any packets during theEstablished Timeout
, it closes the session.- CLOSING
The session stays in this state until
Transitory Timeout
expires, then it’s closed.
To configure TCP session timeouts, the following commands are available:
- <nat|nat64> timeout tcp opening (1-604800) [vrf NAME]¶
Set
Opening Timeout
in seconds. By default, it is 240 seconds (4 minutes).
- <nat|nat64> timeout tcp established (1-604800) [vrf NAME]¶
Set
Established Timeout
in seconds. By default, it is 7440 seconds (2 hours and 4 minutes).
- <nat|nat64> timeout tcp transitory (1-604800) [vrf NAME]¶
Set
Transitory Timeout
in seconds. By default, it is 240 seconds (4 minutes).
- <nat|nat64> timeout tcp fin-wait (1-604800) [vrf NAME]¶
Set
FIN-WAIT Timeout
in seconds. By default, it is 7440 seconds (2 hours and 4 minutes).
UDP¶
NAT monitors the state of UDP sessions in accordance with RFC 4787 Section 4.3. If there are no packets through the created UDP session during the specified timeout, the session is closed.
- <nat|nat64> timeout udp (1-604800) [vrf NAME]¶
Set the timeout for UDP sessions in seconds. By default, it is 300 seconds (5 minutes).
ICMP¶
NAT monitors the state of ICMP sessions in accordance with RFC 5508 Section 3.2. If there are no packets through the created ICMP session during the specified timeout, the session is closed.
- <nat|nat64> timeout icmp (1-604800) [vrf NAME]¶
Set the timeout for ICMP sessions in seconds. By default, it is 60 seconds (1 minute).
GRE¶
If there are no packets through the created GRE session during the specified timeout, the session is closed.
- <nat|nat64> timeout gre (1-604800) [vrf NAME]¶
Set the timeout for GRE sessions in seconds. By default, it is 1800 seconds (30 minutes).
ESP¶
If there are no packets through the created ESP session during the specified timeout, the session is closed.
- <nat|nat64> timeout esp (1-604800) [vrf NAME]¶
Set the timeout for ESP sessions in seconds. By default, it is 1800 seconds (30 minutes).
Timeout Update¶
By default, NAT updates session timeouts for packets in both directions - from subscribers to servers (outbound), and from servers to subscribers (inbound). For additional protection against external attacks, it is possible to disable the timeouts updates for the inbound packets.
- <nat|nat64> service inbound-refresh enable [vrf NAME]¶
Enable timeouts updates for the inbound packets. This is the default behavior. To disable it, use this command with the
no
prefix.
Show Commands¶
- show <nat|nat64> timeout [vrf NAME]¶
Display the current timeout values for ESP, GRE, ICMP, UDP and TCP protocols.