LTM SNAT TCP timeout = "indefinite"

Question

Ran into an issue of port exhaustion for one server in a SNAT.  While researching I found SOL7606 which states:
"Note: When set to Indefinite, UDP or IP SNAT translation idle time-outs are internally limited to a maximum of 300 seconds."
It does not, however, indicate if there is a default timeout for TCP.  Looking at an idle connection on tms I see the TCP "idle timeout" listed as 4294962795.  The connection was not reaped after 5 minutes (300 seconds).  Can someone confirm that SNAT TCP connections, when configured with an "indefinite" timeout, will remain active in the system for this indefinite amount of time if not closed gracefully?
Just looking to confirm my understanding of the tmos operation. We're implementing an explicit timeout value for the SNAT.  Version is 10.2.3.
Thanks! -Ed

petewhite · Answer

I haven't actually tested it but that is my understanding. Of course the idle timeouts assigned to UDP and IP protocols are limited because otherwise they would be a security risk&nbsp;

nitass · Answer

Can someone confirm that SNAT TCP connections, when configured with an "indefinite" timeout, will remain active in the system for this indefinite amount of time if not closed gracefully?

this unit is 10.2.4.
 config

root@ve10(Active)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.9:ssh
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp_indef { }
    }
}
root@ve10(Active)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:ssh { }
    }
}
root@ve10(Active)(tmos) list ltm profile tcp tcp_indef
ltm profile tcp tcp_indef {
    defaults-from tcp
    idle-timeout 4294967295
}
root@ve10(Active)(tmos) list ltm snat
ltm snat snatbar {
    origins {
        0.0.0.0/0
    }
    translation 200.200.200.252
}

test

root@ve10(Active)(tmos) show sys connection cs-server-addr 172.28.24.9 cs-server-port 22 all-properties
Sys::Connections
192.168.206.178:65164 - 172.28.24.9:22 - 200.200.200.101:22
-----------------------------------------------------------
  TMM           0
  Type          any
  Protocol      tcp
  Idle Time     465
  Idle Timeout  4294967295
  Unit ID       1
  Lasthop       external 00:01:e8:d5:d4:47
  Virtual Path  172.28.24.9:22

ClientSide             ServerSide
  Client Addr  192.168.206.178:65164  200.200.200.252:65164
  Server Addr         172.28.24.9:22     200.200.200.101:22
  Bits In                      22.5K                  27.3K
  Bits Out                     26.0K                  22.2K
  Packets In                      24                     23
  Packets Out                     19                     23

Total records returned: 1

robs · Answer

Hopefully that setting has been fixed. I remember years ago running 9.4 code we found out indefinite did not mean indefinite and it was really 5 minutes. We had to manually set a very high value, like 14,400 I think. We had to meet with our CIO every day for 2 weeks to discuss application disconnects until we discovered that.

ed_summers · Answer

Thanks Pete and Nitass!  Appreciate the knowledge share!&nbsp;

aaaa_138357 · Answer

Hi,&nbsp;
Sorry for using this thread. I have SNAT pool and a vserver with a TCP profile (7200s idle timeout) that uses an irule to selectively snat internal connections. Application owners complain that TCP connections are not being closed gracefully by the LTM (that is not using FIN/ACK), instead the connections are silently dropped. Is there anything i can configure on the vserver or the tcp profile to fix this.&nbsp;
TIA!&nbsp;

Forum Discussion

LTM SNAT TCP timeout = "indefinite"

8 Replies

Recent Discussions

no available managed rule groups for Israel il-central-1

[ASM] - what is "Browser Challange file" ?

Rewrite uri translation not working

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

Related Content

big3d timeouts

SNAT IP address logging

api token timeout change

source address persistence maximum session timeout

SNAT pool persistence