Troubleshooting guide
Chapter 3 Troubleshooting Network Address Translation Resolving Common NAT Problems
Advanced Technical Reference Guide 4.1 • June 2000 26
“Leaky” NAT
For some connections (usually those with long timeouts), the internal IP address of the Address Translated
object "leaks" through VPN-1/FireWall-1. This sometimes causes the connection to fail, since the reply is sent to an
unknown (internal) IP address.
Cause
Leaky NAT is caused by the TCP timeout of that specific connection. When a TCP connection is inactive for
longer than its timeout, its entry is deleted from the NAT tables. If the connection is then resumed, the next packet is inspected again on the
inbound interface; but because it belongs to an established connection and is not a SYN packet, it is not inspected on the
outbound interface, and is therefore passed untranslated.
For a connection to be translated it needs to be in the NAT tables. If a connection is deleted from the NAT
tables it is deleted from the Connection tables as well. Occasionally, packets from connections that are no
longer registered in the NAT tables or the Connection tables pass through anyway. The reason could be that the
connection is being checked and allowed through by the Rule Base even though it should not be.
Troubleshooting
The symptom of this behavior is usually a connection drop. It can be seen in the output of the
fw monitor command, where the internal IP address appears on the outbound interface. This means that the
server is replying to an unreachable IP address, causing the connection to fail.
How to work around this issue
This issue can be overcome in a number of ways:
1. Increase the TCP timeout value
The TCP timeout parameter is set in the GUI via the Properties > Security Policy tab, or in the
objects.C file. It determines how long an established but inactive (idle) connection is kept. The default is
3600 seconds.
In the GUI the value can be set to a maximum of 7200 seconds. If a longer timeout is needed, it can be set to a
higher value in the objects.C file. If the policy is installed using the GUI, the value in the GUI
overwrites the value in the objects.C file. If the policy is installed from the command line with the GUI
closed, the value in the objects.C file is used.
2. Increase TCP timeout for a specific service
It is possible to set the timeout for a specific service. Make the following change to the init.def file
(in $FWDIR/lib):
Add the line
ADD_TCP_TIMEOUT(<port>,<timeout>)
before the line
ADD_TCP_TIMEOUT(0,0)
where:
port = TCP service port
timeout = desired timeout
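The following simulation, added here as an illustration and not part of the original guide or of the VPN-1/FireWall-1 code, models the mechanism described above: a NAT table whose entries expire after an idle timeout, a resumed (non-SYN) packet that is passed untranslated once its entry is gone, and the two workarounds (a larger global TCP timeout, or a per-service timeout in the style of ADD_TCP_TIMEOUT). All IP addresses, ports and timings are constructed sample values; the class and function names are the example's own.

```python
"""Simulation of "leaky" NAT caused by idle-timeout expiry (constructed example)."""
from dataclasses import dataclass

DEFAULT_TCP_TIMEOUT = 3600  # seconds; the default quoted in the guide


@dataclass
class Packet:
    src: str      # source IP as seen on the inbound (internal) interface
    dst: str
    sport: int
    dport: int
    syn: bool     # True for the first packet of a new connection
    time: float   # seconds since the start of the simulation


class NatTable:
    """Minimal model of a hide-NAT table keyed by the 4-tuple of a connection."""

    def __init__(self, public_ip, internal_prefix="10.", default_timeout=DEFAULT_TCP_TIMEOUT):
        self.public_ip = public_ip
        self.internal_prefix = internal_prefix      # addresses that must never leave untranslated
        self.default_timeout = default_timeout
        self.service_timeouts = {}                  # port -> timeout, like ADD_TCP_TIMEOUT(<port>,<timeout>)
        self.entries = {}                           # (src, sport, dst, dport) -> last time seen

    def add_tcp_timeout(self, port, timeout):
        """Per-service override, analogous to ADD_TCP_TIMEOUT in init.def."""
        self.service_timeouts[port] = timeout

    def timeout_for(self, dport):
        return self.service_timeouts.get(dport, self.default_timeout)

    def _expire(self, now):
        # An entry idle for longer than its timeout is dropped from the table.
        dead = [k for k, last in self.entries.items() if now - last > self.timeout_for(k[3])]
        for k in dead:
            del self.entries[k]

    def translate_outbound(self, pkt):
        """Return (source IP as seen on the outbound interface, leaked?).

        leaked is True when an internal address passes untranslated, which is
        exactly what fw monitor would show on the outbound interface.
        """
        self._expire(pkt.time)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn or key in self.entries:
            # New or still-tracked connection: (re)register and translate.
            self.entries[key] = pkt.time
            return self.public_ip, False
        # Non-SYN packet with no table entry: treated as an established
        # connection, not re-inspected on the outbound side, passed as-is.
        return pkt.src, pkt.src.startswith(self.internal_prefix)


def simulate(idle_gap, global_timeout=DEFAULT_TCP_TIMEOUT, service_timeout=None):
    """Open a connection, let it idle for idle_gap seconds, then resume it.

    Returns the (outbound source IP, leaked) pair for the resumed packet.
    """
    nat = NatTable("203.0.113.10", default_timeout=global_timeout)   # constructed public address
    if service_timeout is not None:
        nat.add_tcp_timeout(22, service_timeout)                      # e.g. a long-lived SSH session
    first = Packet("10.1.1.5", "198.51.100.7", 40000, 22, syn=True, time=0.0)
    resumed = Packet("10.1.1.5", "198.51.100.7", 40000, 22, syn=False, time=idle_gap)
    nat.translate_outbound(first)
    return nat.translate_outbound(resumed)


if __name__ == "__main__":
    print("short idle, default timeout :", simulate(100))
    print("long idle, default timeout  :", simulate(5000))
    print("long idle, global timeout up:", simulate(5000, global_timeout=7200))
    print("long idle, per-service value:", simulate(5000, service_timeout=86400))
```

Run as a script, the second case shows the internal 10.1.1.5 address on the outbound side (the leak), while raising either the global timeout or the per-service timeout above the idle gap keeps the entry alive and the translation intact.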
3. Increase the value of the TCP start timeout (tcpstarttimeout) parameter
This workaround is for a situation where leaky NAT happens before the connection is established. When the
initiator sends the initial SYN packet, the TCP Start Timeout parameter is set in the objects.C file, Its