Emmanuel Dreyfus <manu%netbsd.org@localhost> writes:

> Hello
>
> I use IPFilter on a gateway, to perform 1:1 NAT mapping, and I have
> an annoying problem with stalled TCP connections.
>
> As I understand, the default lifetime of a TCP mapping in the NAT table
> is one minute. After one minute of inactivity for the TCP connection, the
> mapping vanishes. If the client sends data, the mapping is reinstantiated
> and the TCP connection resumes normally.
>
> But if the server sends data on a TCP connection that has no NAT mapping
> at the moment, the data will not get through. When the client later
> sends data and reinstantiates the mapping, it has a hard time restoring
> the TCP connection to a usable state. It can remain hung for several
> seconds, or just be disconnected.
>
> Question: how can that be fixed? I can increase the mapping lifetime,
> but I suspect I will run into resource shortage.

Basically I think you have to increase the mapping lifetime. I think
ipfilter will remove mappings on connection close.

I see your point about resource limits, but that's what you get for
violating the e2e design of IP - if you need state in the middle, then
you need it.

1 minute sounds crazy to me for a NAT timeout. I've run into tables set
for 1 hour and complained about them. I'd say try 8 hours and see how
that goes.
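The failure mode described in the exchange above, as an added model that is not IPFilter's code and not part of the thread: a NAT table whose mappings are created by client-originated packets, refreshed by traffic in either direction, and expired after an idle timeout, replayed with the one-minute default and the suggested eight hours. The hosts, timestamps and the exact expiry rule are constructed assumptions.

```python
# Added example: a toy stateful NAT table modelling the idle-timeout
# behaviour discussed in the thread. Not IPFilter's implementation.

DEFAULT_IDLE_TIMEOUT = 60          # the one-minute lifetime the question mentions
SUGGESTED_IDLE_TIMEOUT = 8 * 3600  # the eight hours the reply suggests trying


class NatTable:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.mappings = {}   # (client, server) -> time of the last packet seen
        self.dropped = []    # (time, src, dst) of inbound packets with no mapping

    def _expire(self, now):
        # Assumption: a mapping dies once it has been silent longer than the timeout.
        stale = [k for k, last in self.mappings.items()
                 if now - last > self.idle_timeout]
        for k in stale:
            del self.mappings[k]

    def forward(self, now, src, dst, outbound):
        """Return True if the packet is forwarded, False if it is dropped."""
        self._expire(now)
        key = (src, dst) if outbound else (dst, src)
        if outbound or key in self.mappings:
            self.mappings[key] = now          # client creates, either side refreshes
            return True
        self.dropped.append((now, src, dst))  # server data with no mapping is lost
        return False


# Constructed timeline (hosts are placeholders): the client talks, idles for
# 90 s, the server then pushes data, and the client finally sends again.
TIMELINE = [
    (0,  "10.0.0.5", "203.0.113.9", True),
    (1,  "203.0.113.9", "10.0.0.5", False),
    (91, "203.0.113.9", "10.0.0.5", False),   # server data after the idle gap
    (92, "10.0.0.5", "203.0.113.9", True),    # client reinstantiates the mapping
]


def replay(idle_timeout, timeline=TIMELINE):
    """Run the timeline through a fresh NAT table; return verdicts and the table."""
    nat = NatTable(idle_timeout)
    return [nat.forward(*pkt) for pkt in timeline], nat


if __name__ == "__main__":
    for timeout in (DEFAULT_IDLE_TIMEOUT, SUGGESTED_IDLE_TIMEOUT):
        verdicts, nat = replay(timeout)
        print(f"timeout={timeout:>5}s verdicts={verdicts} dropped={nat.dropped}")
```

With the one-minute timeout the server's packet at t=91 is dropped and the client's later packet only recreates an empty mapping; with the longer timeout every packet is forwarded.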