Forum Discussion

dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
Mar 18, 2015

SNAT, VS and multiple Idle Timeout setting

Hi,   I am a bit lost how Idle Timeout (IT) is managed when there are different object involved for given connection.   VS has Idle Timeout set via TCP profile (let's say it's Standard VS), SNA...
application delivery
design
LTM
TMOS
nitass's avatar
nitass
Icon for Employee rankEmployee
Mar 24, 2015

this is icmp test. i think it may be better test than tcp because it is not connection oriented.

 configuration - fastl4 idle timeout is indefinite, snat ip timeout is 30s

root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    cmp-enabled no
    destination 0.0.0.0:0
    ip-forward
    ip-protocol icmp
    mask any
    profiles {
        fastl4_indef { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool norf
        type snat
    }
    translate-address disabled
    translate-port disabled
    vs-index 8
}
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile fastl4 fastl4_indef
ltm profile fastl4 fastl4_indef {
    app-service none
    idle-timeout indefinite
}
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat-translation 200.200.200.*
ltm snat-translation 200.200.200.55 {
    address 200.200.200.55
    inherited-traffic-group true
    ip-idle-timeout 30
    traffic-group traffic-group-1
}
ltm snat-translation 200.200.200.66 {
    address 200.200.200.66
    inherited-traffic-group true
    ip-idle-timeout 30
    traffic-group traffic-group-1
}
ltm snat-translation 200.200.200.77 {
    address 200.200.200.77
    inherited-traffic-group true
    ip-idle-timeout 30
    traffic-group traffic-group-1
}

 replay icmp echo request twice

[root@centos1 ~] hping -0 -H 1 -E /var/tmp/ping.bin -d 64 200.200.200.101
HPING 200.200.200.101 (eth0 200.200.200.101): raw IP mode set, 20 headers + 64 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!

--- 200.200.200.101 hping statistic ---
2 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@centos1 ~]
[root@centos1 ~]
[root@centos1 ~] hping -0 -H 1 -E /var/tmp/ping.bin -d 64 200.200.200.101
HPING 200.200.200.101 (eth0 200.200.200.101): raw IP mode set, 20 headers + 64 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!

--- 200.200.200.101 hping statistic ---
2 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

 connection table - entry is deleted after 30s, new connection uses new snat ip

root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties
Sys::Connections
172.28.24.1:58991 - 200.200.200.101:8 - 200.200.200.55:13600 - 200.200.200.101:8
--------------------------------------------------------------------------------
  TMM           0
  Type          any
  Acceleration  none
  Protocol      icmp
  Idle Time     22
  Idle Timeout  30
  Unit ID       1
  Lasthop       /Common/external 00:50:56:b3:59:8d
  Virtual Path  200.200.200.101:8
  Conn Id 0

                      ClientSide            ServerSide
  Client Addr  172.28.24.1:58991  200.200.200.55:13600
  Server Addr  200.200.200.101:8     200.200.200.101:8
  Bits In                   1.3K                  1.3K
  Bits Out                  1.3K                  1.3K
  Packets In                   2                     2
  Packets Out                  2                     2

Total records returned: 1
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties
Sys::Connections
Total records returned: 0
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos)
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys connection protocol icmp all-properties
Sys::Connections
172.28.24.1:58991 - 200.200.200.101:8 - 200.200.200.66:11072 - 200.200.200.101:8
--------------------------------------------------------------------------------
  TMM           0
  Type          any
  Acceleration  none
  Protocol      icmp
  Idle Time     1
  Idle Timeout  30
  Unit ID       1
  Lasthop       /Common/external 00:50:56:b3:59:8d
  Virtual Path  200.200.200.101:8
  Conn Id 0

                      ClientSide            ServerSide
  Client Addr  172.28.24.1:58991  200.200.200.66:11072
  Server Addr  200.200.200.101:8     200.200.200.101:8
  Bits In                   1.3K                  1.3K
  Bits Out                  1.3K                  1.3K
  Packets In                   2                     2
  Packets Out                  2                     2

Total records returned: 1
  • dragonflymr's avatar
    dragonflymr
    Icon for Cirrostratus rankCirrostratus
    Mar 24, 2015
    Thanks a lot for your time. I would not bother others but I am still not so good with packet tracing and tmsh. I am working on that skills and hopefully soon will manage to do such tests by myself. Only thing that above is still not resolving is what will happen when we will not use indefinite for on of settings but instead configure explicitly some timeouts on both objects. Common sense dictates that still VS profile setting should win but... Piotr