Forum Discussion
dragonflymr
Cirrostratus
CirrostratusSNAT, VS and multiple Idle Timeout setting
Hi,
I am a bit lost how Idle Timeout (IT) is managed when there are different object involved for given connection.
VS has Idle Timeout set via TCP profile (let's say it's Standard VS), SNAT object has separate Idle Timeout set via SNAT Translation objects (I wonder why for SNAT IT is by default set to Indefinite when in all SOLs it's advised to be set to shortest possible time?)
When given connection is processes only by SNAT object things seems to be simple, IT set in SNAT Translation for given Translation Address is used.
What in case we have such situation:
-
There is SNAT object for given Origin Address (10.128.20.11)
-
There is VS processing traffic from 10.128.20.0/24 network, SNAT pool set to None
-
Connection coming from 10.128.20.11 is processed by VS
-
According to my tests in this case SNAT object will translate src IP of packet to it's Translation Address. VS will handle translation of dst IP
-
TCP IT is set to 300 s, SNAT Translation has TCP Idle Timeout set to 900 s
Which timeout will be used for connection that is both processed by VS and SNAT object? One set by TCP profile assigned to VS or the one set on SNAT Translation object?
What in case when VS is using SNAT Pool set to some configured SNAT pool (again we have IT in TCP profile and TCP IT in SNAT Translation object)?
Piotr
20 Replies
As far as I know,
-
For any traffic handled by Virtual, the Idle timeout of the Virtual takes effect.
-
For traffic handled by *NAT, the timeout of the *NAT takes effect.
- My thinking is like this: When the virtual reaches it's idle timeout, and it is configured to RST on timeout, it will send a RST to both client side and server side. At this point, it doesn't matter what state the timeout counter for the SNAT is in. If RST on Timeout is not enabled on the virtual, then it will simply delete the connection from memory, at which point it again doesn't matter what the SNAT thinks. Needs testing to be 100% certain though.
dragonflymrThanks, well testing is the king of course but it takes time :-( Your way things are working seems to be OK and simple so I hope it's working like that. Because of some references to multiple timeouts in docs I lost my confidence how it's handled. Thanks for help, Piotr
-
Hannes_RappNimbostratus
In a given scenario, the connection's TCP idle timeout is 5 minutes (300 sec). The difference is that once the connection's record is removed from the Connections Table (due to timeout exceeded), the SNAT translation record will be retained for another 10 minutes (600 sec). In this state, the SNAT record will only consume memory and do nothing useful. For this reason, the SNAT record's Idle Timeout should be equal to the Idle Timeout value set in TCP profile, or less than that.
- dragonflymrAre you sure about that? That can cause quite a mess (if I am not wrong) when setting is other way around: TCP IT - 300 s SNAT IT - 100s Will in this case SNAT record be removed before connection is removed for Connection Table? If so what will happen with connection - it will be broken because there will be no SNAT record used for src IP translation presesnt any more? Piotr
- Hannes_RappIn an idle scenario, yes, the SNAT record will be removed before the TCP record. If the SNAT record is not in place while a packet for an existing TCP connection is received, a new SNAT record will be created and the session will not be interrupted. The impact to consider is very similar to TCP Idle Timeout vs. ARP record Idle Timeout - ARP records time out a lot sooner, but the TCP sessions are not interrupted because of that. Only thing you may want to consider is that setting a SNAT Idle Timeout value too low will start to consume CPU (due to the necessity of re-adding those SNAT records).
- dragonflymrI was thinking about idle situation and I am a bit afraid that it is not so simple. If SNAT record will be removed and then new record created then new record can use different source port or even different src.IP (when SNAT pool used) - at least that is my view - there is no info about previous ip and port used for given connection because SNAT record was deleted. In this case connection should broke as at least different src port can be used for packets, and if I am not wrong receiving side will not recognize it as any existing connection and reject such packet. Am I wrong here? Piotr
Hannes_Rapp_162Nacreous
In a given scenario, the connection's TCP idle timeout is 5 minutes (300 sec). The difference is that once the connection's record is removed from the Connections Table (due to timeout exceeded), the SNAT translation record will be retained for another 10 minutes (600 sec). In this state, the SNAT record will only consume memory and do nothing useful. For this reason, the SNAT record's Idle Timeout should be equal to the Idle Timeout value set in TCP profile, or less than that.
- dragonflymrAre you sure about that? That can cause quite a mess (if I am not wrong) when setting is other way around: TCP IT - 300 s SNAT IT - 100s Will in this case SNAT record be removed before connection is removed for Connection Table? If so what will happen with connection - it will be broken because there will be no SNAT record used for src IP translation presesnt any more? Piotr
- Hannes_Rapp_162In an idle scenario, yes, the SNAT record will be removed before the TCP record. If the SNAT record is not in place while a packet for an existing TCP connection is received, a new SNAT record will be created and the session will not be interrupted. The impact to consider is very similar to TCP Idle Timeout vs. ARP record Idle Timeout - ARP records time out a lot sooner, but the TCP sessions are not interrupted because of that. Only thing you may want to consider is that setting a SNAT Idle Timeout value too low will start to consume CPU (due to the necessity of re-adding those SNAT records).
- dragonflymrI was thinking about idle situation and I am a bit afraid that it is not so simple. If SNAT record will be removed and then new record created then new record can use different source port or even different src.IP (when SNAT pool used) - at least that is my view - there is no info about previous ip and port used for given connection because SNAT record was deleted. In this case connection should broke as at least different src port can be used for packets, and if I am not wrong receiving side will not recognize it as any existing connection and reject such packet. Am I wrong here? Piotr
- nitass
Employee
i might be wrong but i think only one idle timeout is being used (depending on which one is chosen).
configuration - tcp idle timeout is 300s, snat ip idle timeout is indefinite root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar ltm virtual bar { cmp-enabled no destination 172.28.24.10:80 ip-protocol tcp mask 255.255.255.255 pool foo profiles { tcp { } } source 0.0.0.0/0 source-address-translation { pool norf type snat } vs-index 19 } root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile tcp tcp idle-timeout ltm profile tcp tcp { idle-timeout 300 } root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snatpool norf ltm snatpool norf { members { 200.200.200.55 200.200.200.66 200.200.200.77 } } root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat-translation all ip-idle-timeout ltm snat-translation 200.200.200.55 { ip-idle-timeout indefinite } ltm snat-translation 200.200.200.66 { ip-idle-timeout indefinite } ltm snat-translation 200.200.200.77 { ip-idle-timeout indefinite } client - create 2 connections (in sequence) from the same source port [root@centos1 ~] nc -p 10000 172.28.24.10 80 GET / This is 101 host. [root@centos1 ~] [root@centos1 ~] [root@centos1 ~] [root@centos1 ~] nc -p 10000 172.28.24.10 80 GET / This is 101 host. [root@centos1 ~] connection table - different snat ip is used. [root@ve11b:Active:In Sync] config date; tmsh show sys connection cs-server-port 80 all-properties Tue Mar 24 21:22:15 SGT 2015 Sys::Connections 172.28.24.1:10000 - 172.28.24.10:80 - 200.200.200.55:10000 - 200.200.200.101:80 ------------------------------------------------------------------------------- TMM 0 Type any Acceleration none Protocol tcp Idle Time 2 Idle Timeout 300 Unit ID 1 Lasthop /Common/external 00:50:56:b3:59:8d Virtual Path 172.28.24.10:80 Conn Id 0 ClientSide ServerSide Client Addr 172.28.24.1:10000 200.200.200.55:10000 Server Addr 172.28.24.10:80 200.200.200.101:80 Bits In 896 448 Bits Out 480 896 Packets In 2 1 Packets Out 1 2 Total records returned: 1 [root@ve11b:Active:In Sync] config date; tmsh show sys connection cs-server-port 80 all-properties Tue Mar 24 21:22:24 SGT 2015 Sys::Connections Total records returned: 0 [root@ve11b:Active:In Sync] config date; tmsh show sys connection cs-server-port 80 all-properties Tue Mar 24 21:22:29 SGT 2015 Sys::Connections 172.28.24.1:10000 - 172.28.24.10:80 - 200.200.200.66:10000 - 200.200.200.101:80 ------------------------------------------------------------------------------- TMM 0 Type any Acceleration none Protocol tcp Idle Time 3 Idle Timeout 300 Unit ID 1 Lasthop /Common/external 00:50:56:b3:59:8d Virtual Path 172.28.24.10:80 Conn Id 0 ClientSide ServerSide Client Addr 172.28.24.1:10000 200.200.200.66:10000 Server Addr 172.28.24.10:80 200.200.200.101:80 Bits In 896 448 Bits Out 480 896 Packets In 2 1 Packets Out 1 2 Total records returned: 1 - nitass
this is icmp test. i think it may be better test than tcp because it is not connection oriented.
configuration - fastl4 idle timeout is indefinite, snat ip timeout is 30s root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar ltm virtual bar { cmp-enabled no destination 0.0.0.0:0 ip-forward ip-protocol icmp mask any profiles { fastl4_indef { } } source 0.0.0.0/0 source-address-translation { pool norf type snat } translate-address disabled translate-port disabled vs-index 8 } root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_indef ltm profile fastl4 fastl4_indef { app-service none idle-timeout indefinite } root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat-translation 200.200.200.* ltm snat-translation 200.200.200.55 { address 200.200.200.55 inherited-traffic-group true ip-idle-timeout 30 traffic-group traffic-group-1 } ltm snat-translation 200.200.200.66 { address 200.200.200.66 inherited-traffic-group true ip-idle-timeout 30 traffic-group traffic-group-1 } ltm snat-translation 200.200.200.77 { address 200.200.200.77 inherited-traffic-group true ip-idle-timeout 30 traffic-group traffic-group-1 } replay icmp echo request twice [root@centos1 ~] hping -0 -H 1 -E /var/tmp/ping.bin -d 64 200.200.200.101 HPING 200.200.200.101 (eth0 200.200.200.101): raw IP mode set, 20 headers + 64 data bytes [main] memlockall(): Success Warning: can't disable memory paging! --- 200.200.200.101 hping statistic --- 2 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms [root@centos1 ~] [root@centos1 ~] [root@centos1 ~] hping -0 -H 1 -E /var/tmp/ping.bin -d 64 200.200.200.101 HPING 200.200.200.101 (eth0 200.200.200.101): raw IP mode set, 20 headers + 64 data bytes [main] memlockall(): Success Warning: can't disable memory paging! --- 200.200.200.101 hping statistic --- 2 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms connection table - entry is deleted after 30s, new connection uses new snat ip root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties Sys::Connections 172.28.24.1:58991 - 200.200.200.101:8 - 200.200.200.55:13600 - 200.200.200.101:8 -------------------------------------------------------------------------------- TMM 0 Type any Acceleration none Protocol icmp Idle Time 22 Idle Timeout 30 Unit ID 1 Lasthop /Common/external 00:50:56:b3:59:8d Virtual Path 200.200.200.101:8 Conn Id 0 ClientSide ServerSide Client Addr 172.28.24.1:58991 200.200.200.55:13600 Server Addr 200.200.200.101:8 200.200.200.101:8 Bits In 1.3K 1.3K Bits Out 1.3K 1.3K Packets In 2 2 Packets Out 2 2 Total records returned: 1 root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties Sys::Connections Total records returned: 0 root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties Sys::Connections 172.28.24.1:58991 - 200.200.200.101:8 - 200.200.200.66:11072 - 200.200.200.101:8 -------------------------------------------------------------------------------- TMM 0 Type any Acceleration none Protocol icmp Idle Time 1 Idle Timeout 30 Unit ID 1 Lasthop /Common/external 00:50:56:b3:59:8d Virtual Path 200.200.200.101:8 Conn Id 0 ClientSide ServerSide Client Addr 172.28.24.1:58991 200.200.200.66:11072 Server Addr 200.200.200.101:8 200.200.200.101:8 Bits In 1.3K 1.3K Bits Out 1.3K 1.3K Packets In 2 2 Packets Out 2 2 Total records returned: 1- dragonflymrThanks a lot for your time. I would not bother others but I am still not so good with packet tracing and tmsh. I am working on that skills and hopefully soon will manage to do such tests by myself. Only thing that above is still not resolving is what will happen when we will not use indefinite for on of settings but instead configure explicitly some timeouts on both objects. Common sense dictates that still VS profile setting should win but... Piotr
nitass_89166Noctilucent
this is icmp test. i think it may be better test than tcp because it is not connection oriented.
configuration - fastl4 idle timeout is indefinite, snat ip timeout is 30s root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar ltm virtual bar { cmp-enabled no destination 0.0.0.0:0 ip-forward ip-protocol icmp mask any profiles { fastl4_indef { } } source 0.0.0.0/0 source-address-translation { pool norf type snat } translate-address disabled translate-port disabled vs-index 8 } root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_indef ltm profile fastl4 fastl4_indef { app-service none idle-timeout indefinite } root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat-translation 200.200.200.* ltm snat-translation 200.200.200.55 { address 200.200.200.55 inherited-traffic-group true ip-idle-timeout 30 traffic-group traffic-group-1 } ltm snat-translation 200.200.200.66 { address 200.200.200.66 inherited-traffic-group true ip-idle-timeout 30 traffic-group traffic-group-1 } ltm snat-translation 200.200.200.77 { address 200.200.200.77 inherited-traffic-group true ip-idle-timeout 30 traffic-group traffic-group-1 } replay icmp echo request twice [root@centos1 ~] hping -0 -H 1 -E /var/tmp/ping.bin -d 64 200.200.200.101 HPING 200.200.200.101 (eth0 200.200.200.101): raw IP mode set, 20 headers + 64 data bytes [main] memlockall(): Success Warning: can't disable memory paging! --- 200.200.200.101 hping statistic --- 2 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms [root@centos1 ~] [root@centos1 ~] [root@centos1 ~] hping -0 -H 1 -E /var/tmp/ping.bin -d 64 200.200.200.101 HPING 200.200.200.101 (eth0 200.200.200.101): raw IP mode set, 20 headers + 64 data bytes [main] memlockall(): Success Warning: can't disable memory paging! --- 200.200.200.101 hping statistic --- 2 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms connection table - entry is deleted after 30s, new connection uses new snat ip root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties Sys::Connections 172.28.24.1:58991 - 200.200.200.101:8 - 200.200.200.55:13600 - 200.200.200.101:8 -------------------------------------------------------------------------------- TMM 0 Type any Acceleration none Protocol icmp Idle Time 22 Idle Timeout 30 Unit ID 1 Lasthop /Common/external 00:50:56:b3:59:8d Virtual Path 200.200.200.101:8 Conn Id 0 ClientSide ServerSide Client Addr 172.28.24.1:58991 200.200.200.55:13600 Server Addr 200.200.200.101:8 200.200.200.101:8 Bits In 1.3K 1.3K Bits Out 1.3K 1.3K Packets In 2 2 Packets Out 2 2 Total records returned: 1 root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties Sys::Connections Total records returned: 0 root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties Sys::Connections 172.28.24.1:58991 - 200.200.200.101:8 - 200.200.200.66:11072 - 200.200.200.101:8 -------------------------------------------------------------------------------- TMM 0 Type any Acceleration none Protocol icmp Idle Time 1 Idle Timeout 30 Unit ID 1 Lasthop /Common/external 00:50:56:b3:59:8d Virtual Path 200.200.200.101:8 Conn Id 0 ClientSide ServerSide Client Addr 172.28.24.1:58991 200.200.200.66:11072 Server Addr 200.200.200.101:8 200.200.200.101:8 Bits In 1.3K 1.3K Bits Out 1.3K 1.3K Packets In 2 2 Packets Out 2 2 Total records returned: 1- dragonflymrThanks a lot for your time. I would not bother others but I am still not so good with packet tracing and tmsh. I am working on that skills and hopefully soon will manage to do such tests by myself. Only thing that above is still not resolving is what will happen when we will not use indefinite for on of settings but instead configure explicitly some timeouts on both objects. Common sense dictates that still VS profile setting should win but... Piotr
- nitass
and this one.
configuration - fastl4 idle timeout is 30s, snat ip idle timeout is indefinite root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar ltm virtual bar { cmp-enabled no destination 0.0.0.0:0 ip-forward ip-protocol icmp mask any profiles { fastl4_30 { } } source 0.0.0.0/0 source-address-translation { pool norf type snat } translate-address disabled translate-port disabled vs-index 8 } root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_30 ltm profile fastl4 fastl4_30 { app-service none idle-timeout 30 } root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat-translation 200.200.200.* ip-idle-timeout ltm snat-translation 200.200.200.55 { ip-idle-timeout indefinite } ltm snat-translation 200.200.200.66 { ip-idle-timeout indefinite } ltm snat-translation 200.200.200.77 { ip-idle-timeout indefinite } replay icmp echo request twice [root@centos1 ~] hping -0 -H 1 -E /var/tmp/ping.bin -d 64 200.200.200.101 HPING 200.200.200.101 (eth0 200.200.200.101): raw IP mode set, 20 headers + 64 data bytes [main] memlockall(): Success Warning: can't disable memory paging! --- 200.200.200.101 hping statistic --- 1 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms [root@centos1 ~] [root@centos1 ~] [root@centos1 ~] hping -0 -H 1 -E /var/tmp/ping.bin -d 64 200.200.200.101 HPING 200.200.200.101 (eth0 200.200.200.101): raw IP mode set, 20 headers + 64 data bytes [main] memlockall(): Success Warning: can't disable memory paging! --- 200.200.200.101 hping statistic --- 1 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms connection table - record is deleted after 30s, new connection uses new snat ip root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties Sys::Connections 172.28.24.1:58991 - 200.200.200.101:8 - 200.200.200.77:30374 - 200.200.200.101:8 -------------------------------------------------------------------------------- TMM 0 Type any Acceleration none Protocol icmp Idle Time 20 Idle Timeout 30 Unit ID 1 Lasthop /Common/external 00:50:56:b3:59:8d Virtual Path 200.200.200.101:8 Conn Id 0 ClientSide ServerSide Client Addr 172.28.24.1:58991 200.200.200.77:30374 Server Addr 200.200.200.101:8 200.200.200.101:8 Bits In 672 672 Bits Out 672 672 Packets In 1 1 Packets Out 1 1 Total records returned: 1 root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties Sys::Connections Total records returned: 0 root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties Sys::Connections 172.28.24.1:58991 - 200.200.200.101:8 - 200.200.200.55:18980 - 200.200.200.101:8 -------------------------------------------------------------------------------- TMM 0 Type any Acceleration none Protocol icmp Idle Time 2 Idle Timeout 30 Unit ID 1 Lasthop /Common/external 00:50:56:b3:59:8d Virtual Path 200.200.200.101:8 Conn Id 0 ClientSide ServerSide Client Addr 172.28.24.1:58991 200.200.200.55:18980 Server Addr 200.200.200.101:8 200.200.200.101:8 Bits In 672 672 Bits Out 672 672 Packets In 1 1 Packets Out 1 1 Total records returned: 1 I know for sure, that the Virtual Server's Idle timeout applies. Stop racking your head about this 🙂
I have tested it.
tmsh show sys conn all-properties Sys::Connections 10.1.3.195:36055 - 10.1.3.170:80 - 10.1.3.177:36055 - 10.1.3.95:443 ------------------------------------------------------------------- TMM 1 Type any Acceleration none Protocol tcp Idle Time 2 Idle Timeout 300 Unit ID 1 Lasthop /Common/vpersonal 00:23:e9:88:76:03 Virtual Path 10.1.3.170:80 Conn Id 0 ClientSide ServerSide Client Addr 10.1.3.195:36055 10.1.3.177:36055 Server Addr 10.1.3.170:80 10.1.3.95:443 Bits In 3.9K 18.6K Bits Out 9.6K 8.6K Packets In 8 5 Packets Out 7 9 Total records returned: 1 [root@bigip:Active:Standalone] config tmsh list ltm snat ltm snat from195to199 { origins { 10.1.3.195/32 { } } translation /Common/10.1.3.177 }- dragonflymrSorry for nit picking :-), promise to avoid. To summarize: 1. Setting of VS always wins 2. It's best to use SNAT pool (even with one translation IP) - then you have full control when SNAT is used, SNAT object has to be created explicitly or SNAT pool used with VS. No way to create some hole in LTM like with SNAT object not using SNAT pool 3. When using SNAT object it's advised to adjust IT - I guess leaving it at Indefinite is not best practice Thanks a lot for all help, I really appreciate your time and effort. Piotr
- JWhitesPro_1928
does automap change any of this?
