[c-nsp] CPE with tracking redundancy and long lived (UDP) nat sessions

Joe Maimon jmaimon at ttec.com
Mon Jan 25 11:26:37 EST 2010



Ivan Pepelnjak wrote:
>> The problem is that the session stays active. I want the session to be
>> lost. I believe the rules should be adhered to a bit more strictly.
>
> The session DOES NOT stay active. The phone is stupid. It should have realized there's no reply and restart the session.

With UDP and other stateless protocols "sessions", the router cannot 
tell that the phone thinks it is doing exactly that.

You can view this issue with ping -t from windows stations as well.

>
>> If the current matching nat statement would result in a different value
>> for the inside global address, then a new translation should be called
>> for.
>>
>> It isn't actually all that hard to check for, conceptually.
>
> And then you'd complain about the CPU load. What do you think is cheaper: checking the NAT table or NAT rules (including route maps) for every packet?

It would be nice if there were some happy medium somewhere that would 
not result in sessions that won't die and can't work.

>
>> (What would you expect to happen when the DHCP client address changes on
>> the egress interface? Or if you change the ip address on an interface
>> referenced by the ip nat statement?)
>
> You'd lose all sessions, obviously. What else would you expect?

That's exactly what I would expect. So either there is some validation 
going on beyond matching existing sessions for the nat sessions or 
the event of changing an interface address referenced in nat rules 
triggers cleanup. I suppose I should pay more attention the next time an 
opportunity to view this presents itself - it may very well not be the case.

>
>> Apparently, the end stations don't change the source port for new
>> attempts.
>
> Proves my point. The phone is stupid ;) There's a reason every new client session should use a new dynamic port number.

Is it a big surprise that IP handsets can have extremely shoddy stacks? 
How about traceroutes to phones that would have the remainder of the 
default 30 hops be the phone itself?

Voice competency and networking competency seem to have oil/water 
difficulties.

Most of these handsets can cost about as much as many new workstations do.

>
>> This behavior has very disruptive end user symptoms.
>
> Many stupid implementations have disruptive end-user symptoms. Microsoft Network Load Balancing with unknown unicast MAC addresses immediately comes to mind ;)
>
> Ivan Pepelnjak
> blog.ioshints.info / www.ioshints.info


So what is the bottom line? Is this the best that can be done with 
simple end site redundancy with object tracking and without dynamic routing?

Thanks for all your help.

Joe
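The mechanism argued about above (a UDP "session" that keeps refreshing a stale translation after a tracked-route failover, versus a client that picks a new source port per attempt, versus re-checking the rule on every table hit) can be replayed in a small model. The following is an added example written for this page, not Cisco code and not code from either poster; the router, addresses, ports and timers are constructed, and the `revalidate` switch is a hypothetical implementation of the check proposed in the quoted text.

```python
"""
Constructed toy model of a dynamic (overload) NAT table on a dual-uplink CPE
whose default route is chosen by object tracking.  Added here to illustrate
the thread's failure mode; it is not Cisco code and not from the list posts.
Addresses, ports and timers are made up for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (inside local addr, source port, destination addr, destination port)
FlowKey = Tuple[str, int, str, int]

PRIMARY_GLOBAL = "203.0.113.1"   # constructed: address on the primary uplink
BACKUP_GLOBAL = "198.51.100.1"   # constructed: address on the backup uplink


@dataclass
class Translation:
    inside_global: str
    last_seen: int            # seconds; refreshed by every matching packet


@dataclass
class NatRouter:
    udp_timeout: int = 300    # idle timeout for UDP translations (seconds)
    primary_up: bool = True   # state of the tracked object
    revalidate: bool = False  # hypothetical: re-check the NAT rule on a table hit
    table: Dict[FlowKey, Translation] = field(default_factory=dict)

    def rule_result(self) -> str:
        """What the NAT rule (route map following the tracked route) would
        pick as inside global address right now."""
        return PRIMARY_GLOBAL if self.primary_up else BACKUP_GLOBAL

    def translate(self, key: FlowKey, now: int) -> str:
        """Translate one outbound packet; return the inside global used."""
        entry = self.table.get(key)
        if entry is not None and now - entry.last_seen >= self.udp_timeout:
            del self.table[key]           # idle timer expired
            entry = None
        if entry is not None:
            if not self.revalidate or entry.inside_global == self.rule_result():
                # Plain table hit: reuse the entry and refresh its timer,
                # even if the uplink it was built for is gone.
                entry.last_seen = now
                return entry.inside_global
            del self.table[key]           # rule now gives a different answer
        entry = Translation(self.rule_result(), now)
        self.table[key] = entry
        return entry.inside_global

    def reachable(self, inside_global: str) -> bool:
        """Replies only come back if the source address sits on the live uplink."""
        return inside_global == self.rule_result()


def run(revalidate: bool, new_port_per_attempt: bool,
        retry_interval: int = 30, failover_at: int = 60,
        duration: int = 600) -> List[Tuple[int, str, bool]]:
    """Replay a handset retrying a UDP registration every retry_interval
    seconds while the primary uplink drops at failover_at.  Returns
    (time, inside global used, reply possible) for each attempt."""
    router = NatRouter(revalidate=revalidate)
    log = []
    for i, now in enumerate(range(0, duration, retry_interval)):
        if now >= failover_at:
            router.primary_up = False
        # Handset that reuses one source port vs. client that picks a new one.
        src_port = 49152 + i if new_port_per_attempt else 5060
        used = router.translate(("10.0.0.5", src_port, "192.0.2.10", 5060), now)
        log.append((now, used, router.reachable(used)))
    return log


def failed_attempts(log: List[Tuple[int, str, bool]]) -> int:
    """Number of attempts whose reply could never return."""
    return sum(1 for _, _, ok in log if not ok)


if __name__ == "__main__":
    for label, rv, new_port in [("fixed port, plain table hit", False, False),
                                ("fixed port, rule re-validated", True, False),
                                ("new source port per attempt", False, True)]:
        print(f"{label:32s} unanswered attempts: {failed_attempts(run(rv, new_port))}")
```

With the default timers the retransmissions arrive every 30 seconds against a 300-second UDP idle timeout, so in the first case the stale entry is refreshed forever and every attempt after the failover goes out with the old address; either a per-attempt source port or the re-validation check recovers on the first attempt after the tracked object goes down.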


