[c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions
Ivan Pepelnjak
ip at ioshints.info
Mon Jan 25 06:58:12 EST 2010
> The problem is that the session stays active. I want the session to be
> lost. I believe the rules should be adhered to a bit more strictly.
The session DOES NOT stay active. The phone is stupid. It should have realized there's no reply and restart the session.
> If the current matching nat statement would result in a different value
> for the inside global address, then a new translation should be called
> for.
>
> It isn't actually all that hard to check for, conceptually.
And then you'd complain about the CPU load. What do you think is cheaper: checking the NAT table or NAT rules (including route maps) for every packet?
> (What would you expect to happen when the DHCP client address changes on
> the egress interface? Or if you change the ip address on an interface
> referenced by the ip nat statement?)
You'd lose all sessions, obviously. What else would you expect?
> Apparently, the end stations don't change the source port for new
> attempts.
Proves my point. The phone is stupid ;) There's a reason every new client session should use a new dynamic port number.
> This behavior has very disruptive end user symptoms.
Many stupid implementations have disruptive end-user symptoms. Microsoft Network Load Balancing with unknown unicast MAC addresses immediately comes to mind ;)
Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info
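To make the table-before-rules behaviour discussed above concrete, here is a small Python model of a PAT table (added for illustration; it is not Cisco IOS code and not from either poster). It assumes a simplified NAT where a translation is keyed on (inside address, source port), the source port is preserved, a single hypothetical rule maps inside hosts to whatever address the egress interface currently has, and the UDP entry timeout is 300 s. The addresses (10.0.0.5, 198.51.100.1, 203.0.113.1) and the keepalive traffic are constructed. The `strict` flag models the variant the original poster asked for, where the rule is re-evaluated for every packet, so the extra rule lookups can be counted against the default behaviour.

```python
"""Model of a NAT table surviving an egress address change (illustration only).

Default behaviour: an existing translation is matched first and the NAT rule is
only consulted on a table miss, so a UDP flow that keeps reusing its source
port keeps its old inside global address until the entry times out.
strict=True re-runs the rule on every packet, which is what the thread's
'strict' proposal would cost.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class NatRule:
    """Hypothetical 'translate inside hosts to the egress interface address' rule."""
    name: str
    egress_ip: str  # changes when the tracked/redundant egress fails over


@dataclass
class Translation:
    inside_local: tuple[str, int]
    inside_global: tuple[str, int]
    age: int = 0  # seconds since the last matching packet


class NatTable:
    def __init__(self, rule: NatRule, udp_timeout: int = 300, strict: bool = False):
        self.rule = rule
        self.udp_timeout = udp_timeout
        self.strict = strict
        self.table: dict[tuple[str, int], Translation] = {}
        self.rule_lookups = 0  # how often the (expensive) rule had to be evaluated

    def translate(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Return the inside global (address, port) for an outbound packet."""
        key = (src_ip, src_port)
        entry = self.table.get(key)
        if entry is not None and self.strict:
            # Strict variant: re-run the rule for every packet and drop the
            # entry if the rule would now yield a different global address.
            self.rule_lookups += 1
            if entry.inside_global[0] != self.rule.egress_ip:
                del self.table[key]
                entry = None
        if entry is None:
            # Table miss: consult the rule and install a new translation
            # (port preserved, a simplification of real PAT port allocation).
            self.rule_lookups += 1
            entry = Translation(key, (self.rule.egress_ip, src_port))
            self.table[key] = entry
        entry.age = 0  # any matching packet refreshes the UDP timeout
        return entry.inside_global

    def tick(self, seconds: int) -> None:
        """Age all entries and expire those idle for the full UDP timeout."""
        for key, entry in list(self.table.items()):
            entry.age += seconds
            if entry.age >= self.udp_timeout:
                del self.table[key]


def failover_scenario(strict: bool = False) -> dict:
    """Constructed traffic: a phone keeps sending from UDP 5060 across a failover."""
    rule = NatRule("primary", "198.51.100.1")
    nat = NatTable(rule, udp_timeout=300, strict=strict)
    out = {}
    # Five keepalives, 30 s apart, from a fixed source port.
    for _ in range(5):
        out["before"] = nat.translate("10.0.0.5", 5060)
        nat.tick(30)
    out["rule_lookups_before"] = nat.rule_lookups
    # Tracked route fails; the egress address changes.
    rule.egress_ip = "203.0.113.1"
    # The phone retries from the same port: default behaviour hits the stale entry.
    out["same_port_after_failover"] = nat.translate("10.0.0.5", 5060)
    # A client that picks a fresh ephemeral port gets a fresh translation.
    out["new_port_after_failover"] = nat.translate("10.0.0.5", 49152)
    # No traffic for a full UDP timeout: the stale entry finally expires.
    nat.tick(300)
    out["same_port_after_timeout"] = nat.translate("10.0.0.5", 5060)
    out["rule_lookups_total"] = nat.rule_lookups
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "default", failover_scenario(strict=mode))
```

In the default mode the retry from port 5060 is still translated to 198.51.100.1 after the failover, exactly the symptom described in the thread, while the new-port session immediately gets 203.0.113.1; only one rule evaluation happens for the whole keepalive run. In strict mode the stale entry is replaced on the first packet after failover, but every keepalive costs a rule evaluation as well, which is the per-packet overhead being objected to above.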