[c-nsp] help on NAT rate limiting

Daniel Hagerty hag at linnaean.org
Wed Dec 29 17:05:18 EST 2004


[ Apologies in advance. ]

 > From: "Ted Mittelstaedt" <tedm at toybox.placo.com>
 > Date: Wed, 29 Dec 2004 02:33:18 -0800

    I do not appreciate you putting words in my mouth as you did, on a
public mailing list no less.  Polite people apologize for such
behavior.  You said you couldn't understand any reasons for the
"absurd" default, and I gave you some.

    I'm pretty sure that the TCP session timeout defaulted to 24
hours, with teardown mitigation.  I can personally speak for as far
back as early 12.2, if not 12.1.  So while I don't necessarily advocate
that the entire internet should use a 24 hour tcp timer (I never said
that I did), those of you with cisco based nats already are.  How do
you explain those TCP sessions on your 12.2 boxes with 24 hour
connection timers on them?

> Yeah, right, uhuh.  Please tell us what other commercial NAT device
> you have done that with.  I've worked with NAT long before Cisco

    The last time I had to do this, they were little 1U blue boxes
with a "cisco" label on them.  The more ghetto nat (open source box)
I'm typing through now has an out of the box default of 5 days on
tcp session timers.

    I dimly remember upping timers on boxes from 24 to 72 hours at the
request of myself and two other (ab)users at the site in question who
tended to have the similar usage of disabling keepalives for some
connections.  Nothing even approaching memory pressure under what
would have been 12.2.x and probably pixos late 5 something.  I know
for sure that they were garbage collecting normally terminated TCP
connections.  Not counting your worm traffic, I would guess the load
being moved was similar to the particular case you're having problems
with.
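The point argued above, that a long idle timer on established TCP translations is harmless as long as normally terminated sessions (FIN/RST) and never-completed handshakes are garbage-collected on much shorter timers, is easier to see in a toy model of a NAT translation table. The following is an added illustration, not code from this thread or from any Cisco or other NAT product; the timer values (24 hours for established sessions, 60 seconds once a FIN or RST is seen, 60 seconds for a bare SYN) and the sample flows are assumptions constructed for the example.

```python
"""Toy NAT translation table with per-state idle timers.

Added illustration only; not code from the cisco-nsp thread or from any
NAT implementation.  Timer values below are assumptions chosen to match
the behaviour described in the message: a 24-hour idle timer on
established TCP, and short timers for half-open (SYN-only) entries and
for entries where a FIN or RST has been observed ("teardown mitigation").
"""
from dataclasses import dataclass, field

# Assumed timers, in seconds, keyed by translation state.
TIMERS = {
    "syn": 60,               # handshake never completed (e.g. scan traffic)
    "established": 24 * 3600,  # the 24-hour default under discussion
    "closing": 60,           # FIN or RST seen: tear down quickly
}


@dataclass
class Translation:
    inside: tuple       # (inside_ip, inside_port)
    outside: tuple      # (outside_ip, outside_port)
    last_seen: float    # time of the most recent packet for this flow
    state: str = "syn"  # one of the TIMERS keys


@dataclass
class NatTable:
    entries: dict = field(default_factory=dict)

    def packet(self, inside, outside, now, flags=""):
        """Account for one packet of the flow inside->outside at time `now`.

        `flags` is a string of TCP flag letters ('S', 'A', 'F', 'R').
        Creates the translation on first sight and advances its state:
        syn -> established on a non-SYN ACK, anything -> closing on FIN/RST.
        """
        key = (inside, outside)
        e = self.entries.get(key)
        if e is None:
            e = Translation(inside, outside, now)
            self.entries[key] = e
        e.last_seen = now
        if "F" in flags or "R" in flags:
            e.state = "closing"
        elif e.state == "syn" and "A" in flags and "S" not in flags:
            e.state = "established"
        return e

    def expire(self, now):
        """Remove entries whose state-specific idle timer has elapsed.

        Returns the number of entries removed.
        """
        dead = [k for k, e in self.entries.items()
                if now - e.last_seen >= TIMERS[e.state]]
        for k in dead:
            del self.entries[k]
        return len(dead)

    def size(self):
        return len(self.entries)


def demo():
    """Constructed scenario with three flows:
      A: completes the handshake, then sits idle with keepalives disabled.
      B: completes the handshake and closes cleanly with FIN.
      C: a bare SYN that is never answered (half-open probe).
    Returns the table size after sweeps at 2 minutes, 12 hours and 24 hours.
    """
    t = NatTable()
    a_in, a_out = ("10.0.0.5", 40000), ("192.0.2.10", 443)
    b_in, b_out = ("10.0.0.6", 40001), ("192.0.2.11", 80)
    c_in, c_out = ("10.0.0.7", 40002), ("192.0.2.12", 25)

    t.packet(a_in, a_out, now=0, flags="S")
    t.packet(a_in, a_out, now=1, flags="A")    # A established, then idle
    t.packet(b_in, b_out, now=0, flags="S")
    t.packet(b_in, b_out, now=1, flags="A")
    t.packet(b_in, b_out, now=5, flags="FA")   # B closes normally
    t.packet(c_in, c_out, now=0, flags="S")    # C never completes

    sizes = []
    t.expire(now=120)
    sizes.append(t.size())        # B and C aged out on short timers -> 1
    t.expire(now=12 * 3600)
    sizes.append(t.size())        # A still within its 24-hour timer -> 1
    t.expire(now=24 * 3600 + 1)
    sizes.append(t.size())        # A finally aged out -> 0
    return sizes


if __name__ == "__main__":
    print(demo())
```

Only the genuinely idle established flow survives to the long timer; the closed session and the unanswered SYN are reclaimed within a minute, which is why the long default does not by itself translate into table growth under ordinary traffic.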

