SNAT, VS and multiple Idle Timeout setting

Are you sure about that? That can cause quite a mess (if I am not wrong) when setting is other way around: TCP IT - 300 s SNAT IT - 100s Will in this case SNAT record be removed before connection is removed for Connection Table? If so what will happen with connection - it will be broken because there will be no SNAT record used for src IP translation presesnt any more? Piotr

In an idle scenario, yes, the SNAT record will be removed before the TCP record. If the SNAT record is not in place while a packet for an existing TCP connection is received, a new SNAT record will be created and the session will not be interrupted. The impact to consider is very similar to TCP Idle Timeout vs. ARP record Idle Timeout - ARP records time out a lot sooner, but the TCP sessions are not interrupted because of that. Only thing you may want to consider is that setting a SNAT Idle Timeout value too low will start to consume CPU (due to the necessity of re-adding those SNAT records).

I was thinking about idle situation and I am a bit afraid that it is not so simple. If SNAT record will be removed and then new record created then new record can use different source port or even different src.IP (when SNAT pool used) - at least that is my view - there is no info about previous ip and port used for given connection because SNAT record was deleted. In this case connection should broke as at least different src port can be used for packets, and if I am not wrong receiving side will not recognize it as any existing connection and reject such packet. Am I wrong here? Piotr