Technical data
ServerIron ADX NAT64 Configuration Guide 119
53-1002444-02
Configuring the NAT translation aging timer
Use the ip nat translation command to alter the NAT translation aging timer. For example, the
following command increases the NAT translation timeout value for TCP sessions to 30 minutes:
ServerIronADX(config)# ip nat translation tcp-timeout 1800
Syntax: [no] ip nat translation dns-timeout | finrst-timeout | icmp-timeout | syn-timeout |
tcp-timeout | udp-timeout <secs> | maximum
The dns-timeout keyword indicates connections to a DNS server. The default is 120 seconds.
The finrst-timeout keyword identifies TCP FIN (finish) and RST (reset) packets, which normally
terminate TCP connections. The default is 120 seconds. This timer is not related to tcp-timeout,
which applies to packets to or from a host address that is mapped to a global IP address and a
TCP port number (PAT feature). The finrst-timeout applies to packets that terminate a TCP session,
regardless of the host address or whether PAT is used.
The icmp-timeout keyword indicates the timeout for ICMP NAT flows.
The syn-timeout keyword indicates the timeout for TCP NAT flows after a SYN.
The tcp-timeout keyword indicates dynamic NAT entries that use PAT based on TCP port numbers.
The default is 120 seconds. This timer applies only to TCP sessions that do not end “gracefully”,
with a TCP FIN or TCP RST.
The udp-timeout keyword indicates dynamic NAT entries that use PAT based on UDP port numbers.
The default is 120 seconds.
The <secs> parameter specifies the number of seconds, from 0 through 3600. Use maximum to set
the maximum timeout value (for example, 3,600 seconds).
After a NAT timeout is configured, the ServerIron ADX handles NAT sessions as follows:
• Existing session entries of the modified protocol remain in the translation table.
• If an existing session entry sends or receives traffic, the NAT timeout value for that entry is
updated to the new configured value.
• If an existing session entry does not process any traffic, it continues to age out in accordance
with the old NAT timeout value.
• When the NAT timeout (age of the session) expires, forward and reverse sessions on the
ServerIron ADX are deleted with no further actions. If traffic is received on this flow, the
ServerIron ADX drops the packets because it will not find any sessions related to that particular
flow.
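The aging rules above can be traced with a small model. This is an added example, not Brocade code: the NatTable class, its method names and the flow names are hypothetical, and treating an entry as expired exactly when its idle time reaches the timeout is an assumption.

```python
DEFAULT_TIMEOUT = 120  # seconds; the default the guide gives for tcp-timeout


class NatTable:
    """Toy model of the aging rules listed above (not ServerIron ADX code)."""

    def __init__(self):
        self.configured = DEFAULT_TIMEOUT
        self.sessions = {}  # flow name -> [last_seen, timeout applied to entry]

    def set_timeout(self, secs):
        # Models `ip nat translation tcp-timeout <secs>`, range 0 through 3600.
        if not 0 <= secs <= 3600:
            raise ValueError("timeout must be 0 through 3600 seconds")
        self.configured = secs  # existing entries stay in the table untouched

    def open(self, flow, now):
        # A new translation starts with the currently configured timeout.
        self.sessions[flow] = [now, self.configured]

    def expire(self, now):
        # Delete every entry whose idle time reached the timeout applied to it.
        for flow, (last_seen, timeout) in list(self.sessions.items()):
            if now - last_seen >= timeout:
                del self.sessions[flow]

    def packet(self, flow, now):
        """Return 'forward' or 'drop' for a packet on an already-opened flow."""
        self.expire(now)
        entry = self.sessions.get(flow)
        if entry is None:
            return "drop"  # session was deleted, so no translation is found
        entry[0] = now               # traffic resets the age ...
        entry[1] = self.configured   # ... and adopts the new configured value
        return "forward"


def demo():
    table = NatTable()
    table.open("active", now=0)
    table.open("idle", now=0)
    table.set_timeout(1800)  # changed while both entries already exist
    return [
        table.packet("active", now=60),    # refreshed, now ages at 1800 s
        table.packet("idle", now=130),     # aged out under the old 120 s
        table.packet("active", now=1000),  # 940 s idle, inside 1800 s
    ]
```

Raising the timeout therefore only lengthens the life of entries that see traffic after the change; idle entries still leave the table on the old schedule, which matters when sizing the translation table or correlating NAT logs around a configuration change.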
Disabling IP NAT sticky behavior
By default, when a dynamic IP NAT client initiates traffic, the ServerIron ADX selects a NAT pool IP
and creates a sticky session, which associates this client's IP with the same NAT pool IP. For all
subsequent flows from the client, the same NAT pool IP is selected as long as the sticky session
exists. However, under certain heavy traffic conditions, the NAT pool IP might run out of ports,
resulting in dropped connections.
To override this behavior and allow the ServerIron ADX to select a different NAT pool IP each time
for the same client, enter the following command:
ServerIronADX(config)# ip nat disable-sticky










