9.9. Timeouts

To ensure the correct operation, NAT monitors subscribers’ sessions.

For the TCP and UDP protocols, the session is defined by these five fields in the packet:

  • Source IP Address,

  • Destination IP Address,

  • Protocol,

  • Source port,

  • Destination port.

For the ICMP protocol, the session is defined by these four fields:

  • Source IP address,

  • Destination IP address,

  • Protocol,

  • Query ID.

For GRE and ESP protocols, the session is defined by these three fields:

  • Source IP address,

  • Destination IP address,

  • Protocol.

When the NAT receives a packet, it checks whether it has an existing record in the session table in accordance with the fields specified above. If the session exist, NAT updates its state. If there is no record for the session yet, NAT creates it. To prevent the session table from overflowing, NAT monitors session activity. If no packets had passed through the session for a certain time, the session is considered outdated and is deleted from the table.

This section describes how timeouts work and how to configure them for various protocols.

TCP

NAT monitors the state of TCP sessions in accordance with RFC 5382 Section 5 and RFC 7857 Section 2 using the following finite-state machine:

digraph {
    bgcolor="transparent";
    node [shape=box, color="#000000", fontcolor="#000000"];
    edge [color="#000000", fontcolor="#000000"];

    CLOSED;
    INIT_OUTBOUND;
    INIT_INBOUND;
    TRANSITORY;
    ESTABLISHED;
    FIN_OUTBOUND;
    FIN_INBOUND;
    CLOSING;

    CLOSED -> INIT_OUTBOUND [label = "Client SYN"];
    CLOSED -> INIT_INBOUND [label = "Server SYN"];
    INIT_OUTBOUND -> ESTABLISHED [label = "Server SYN"];
    INIT_OUTBOUND -> CLOSED [label = <<i>Opening TO</i>>; style = "dotted"];
    INIT_INBOUND -> CLOSED [label = <<i>Opening TO</i>>; style = "dotted"];
    INIT_INBOUND -> ESTABLISHED [label = "Client SYN"];
    ESTABLISHED -> TRANSITORY [label = <<i>Client/Server RST<br /> or<br /> Established TO</i>>; style = "dotted"];
    TRANSITORY -> ESTABLISHED [label = "Data Packet"];
    TRANSITORY -> CLOSED [label = <<i>Transitory TO</i>>; style = "dotted"];
    ESTABLISHED -> FIN_OUTBOUND [label = "Client FIN"];
    ESTABLISHED -> FIN_INBOUND [label = "Server FIN"];
    FIN_OUTBOUND -> CLOSING [label = "Server FIN"];
    FIN_OUTBOUND -> CLOSING [label = <<i>FIN-WAIT<br /> TO</i>>; style = "dotted"];
    FIN_INBOUND -> CLOSING [label = "Client FIN"];
    FIN_INBOUND -> CLOSING [label = <<i>FIN-WAIT<br /> TO</i>>; style = "dotted"];
    CLOSING -> CLOSED [label = <<i>Transitory TO</i>>; style = "dotted"];

    subgraph {
        rank="same";
        INIT_OUTBOUND;
        INIT_INBOUND
        TRANSITORY;
    }
}
digraph {
    bgcolor="transparent";
    node [shape=box, color="white", fontcolor="white"];
    edge [color="white", fontcolor="white"];

    CLOSED;
    INIT_OUTBOUND;
    INIT_INBOUND;
    TRANSITORY;
    ESTABLISHED;
    FIN_OUTBOUND;
    FIN_INBOUND;
    CLOSING;

    CLOSED -> INIT_OUTBOUND [label = "Client SYN"];
    CLOSED -> INIT_INBOUND [label = "Server SYN"];
    INIT_OUTBOUND -> ESTABLISHED [label = "Server SYN"];
    INIT_OUTBOUND -> CLOSED [label = <<i>Opening TO</i>>; style = "dotted"];
    INIT_INBOUND -> CLOSED [label = <<i>Opening TO</i>>; style = "dotted"];
    INIT_INBOUND -> ESTABLISHED [label = "Client SYN"];
    ESTABLISHED -> TRANSITORY [label = <<i>Client/Server RST<br /> or<br /> Established TO</i>>; style = "dotted"];
    TRANSITORY -> ESTABLISHED [label = "Data Packet"];
    TRANSITORY -> CLOSED [label = <<i>Transitory TO</i>>; style = "dotted"];
    ESTABLISHED -> FIN_OUTBOUND [label = "Client FIN"];
    ESTABLISHED -> FIN_INBOUND [label = "Server FIN"];
    FIN_OUTBOUND -> CLOSING [label = "Server FIN"];
    FIN_OUTBOUND -> CLOSING [label = <<i>FIN-WAIT<br /> TO</i>>; style = "dotted"];
    FIN_INBOUND -> CLOSING [label = "Client FIN"];
    FIN_INBOUND -> CLOSING [label = <<i>FIN-WAIT<br /> TO</i>>; style = "dotted"];
    CLOSING -> CLOSED [label = <<i>Transitory TO</i>>; style = "dotted"];

    subgraph {
        rank="same";
        INIT_OUTBOUND;
        INIT_INBOUND
        TRANSITORY;
    }
}
CLOSED

A pseudo-state that reflects a non-existent session. After NAT receives a SYN packet from the subscriber or server, it creates a session and puts it in the INIT_OUTBOUND or INIT_INBOUND state, respectively.

INIT_OUTBOUND and INIT_INBOUND

In this state, NAT expects to receive a response SYN packet from the server or subscriber, respectively. If it receives such a packet during the Opening Timeout, the session goes in the ESTABLISHED state. If the packet has not been received, NAT closes the session.

ESTABLISHED

The main state of the TCP session. If NAT receives a FIN packet from the subscriber or server, it puts the session in the FIN_OUTBOUND or FIN_INBOUND state, respectively. If the NAT receives an RST packet from the subscriber or server, or does not receive any packets during the Established Timeout, it puts the session in the TRANSITORY state.

TRANSITORY

If NAT receives any packet for the session in this state, it transfers the session back to the ESTABLISHED state. If NAT does not receive any packets during the Transitory Timeout, it closes the session.

FIN_OUTBOUND and FIN_INBOUND

In this state, NAT expects to receive a response FIN packet from the server or subscriber, respectively. If it receives such a packet or does not receive during FIN-WAIT Timeout, it puts the session in the CLOSING state. If NAT does not receive any packets during the Established Timeout, it closes the session.

CLOSING

The session stays in this state until Transitory Timeout expires, then it’s closed.

To configure TCP session timeouts, the following commands are available:

<nat|nat64> timeout tcp opening (1-604800) [vrf NAME]

Set Opening Timeout in seconds. By default, it is 240 seconds (4 minutes).

<nat|nat64> timeout tcp established (1-604800) [vrf NAME]

Set Established Timeout in seconds. By default, it is 7440 seconds (2 hours and 4 minutes).

<nat|nat64> timeout tcp transitory (1-604800) [vrf NAME]

Set Transitory Timeout in seconds. By default, it is 240 seconds (4 minutes).

<nat|nat64> timeout tcp fin-wait (1-604800) [vrf NAME]

Set FIN-WAIT Timeout in seconds. By default, it is 7440 seconds (2 hours and 4 minutes).

UDP

NAT monitors the state of UDP sessions in accordance with RFC 4787 Section 4.3. If there are no packets through the created UDP session during the specified timeout, the session is closed.

<nat|nat64> timeout udp (1-604800) [vrf NAME]

Set the timeout for UDP sessions in seconds. By default, it is 300 seconds (5 minutes).

ICMP

NAT monitors the state of ICMP sessions in accordance with RFC 5508 Section 3.2. If there are no packets through the created ICMP session during the specified timeout, the session is closed.

<nat|nat64> timeout icmp (1-604800) [vrf NAME]

Set the timeout for ICMP sessions in seconds. By default, it is 60 seconds (1 minute).

GRE

If there are no packets through the created GRE session during the specified timeout, the session is closed.

<nat|nat64> timeout gre (1-604800) [vrf NAME]

Set the timeout for GRE sessions in seconds. By default, it is 1800 seconds (30 minutes).

ESP

If there are no packets through the created ESP session during the specified timeout, the session is closed.

<nat|nat64> timeout esp (1-604800) [vrf NAME]

Set the timeout for ESP sessions in seconds. By default, it is 1800 seconds (30 minutes).

Timeout Update

By default, NAT updates session timeouts for packets in both directions - from subscribers to servers (outbound), and from servers to subscribers (inbound). For additional protection against external attacks, it is possible to disable the timeouts updates for the inbound packets.

<nat|nat64> service inbound-refresh enable [vrf NAME]

Enable timeouts updates for the inbound packets. This is the default behavior. To disable it, use this command with the no prefix.

Show Commands

show <nat|nat64> timeout [vrf NAME]

Display the current timeout values for ESP, GRE, ICMP, UDP and TCP protocols.