[j-nsp] Netscreen NAT and TCP window scaling issues

Thu Mar 11 19:29:07 EST 2010

I have a client sitting behind a netscreen firewall that is seeing a 
delay when trying to connect via tcp to a server on the internet while 
being natted to the netscreens external IP and TCP window scaling is 
enabled. If I create a one-to-one nat mapping specifically for the 
client the connection is instant.

Here is the tcpdump on the server when the client tries to connect while 
being natted to the netscreens external IP with TCP window scaling enabled

16:23:08.847308 IP x.x.x.x.42852 > y.y.y.177.22: S 
3899166006:3899166006(0) win 65535 <mss 1380,nop,wscale 
3,nop,nop,timestamp 153981609 0,sackOK,eol>
16:23:09.755649 IP x.x.x.x.42852 > y.y.y.177.22: S 
3899166006:3899166006(0) win 65535 <mss 1380,nop,wscale 
3,nop,nop,timestamp 153981618 0,sackOK,eol>
16:23:10.756198 IP x.x.x.x.42852 > y.y.y.177.22: S 
3899166006:3899166006(0) win 65535 <mss 1380,nop,wscale 
3,nop,nop,timestamp 153981628 0,sackOK,eol>
16:23:11.756782 IP x.x.x.x.42852 > y.y.y.177.22: S 
3899166006:3899166006(0) win 65535 <mss 1380,nop,wscale 
3,nop,nop,timestamp 153981638 0,sackOK,eol>
16:23:12.757413 IP x.x.x.x.42852 > y.y.y.177.22: S 
3899166006:3899166006(0) win 65535 <mss 1380,nop,wscale 
3,nop,nop,timestamp 153981648 0,sackOK,eol>
16:23:13.758127 IP x.x.x.x.42852 > y.y.y.177.22: S 
3899166006:3899166006(0) win 65535 <mss 1380,nop,wscale 
3,nop,nop,timestamp 153981658 0,sackOK,eol>
16:23:15.759429 IP x.x.x.x.42852 > y.y.y.177.22: S 
3899166006:3899166006(0) win 65535 <mss 1380,nop,wscale 
3,nop,nop,timestamp 153981678 0,sackOK,eol>
16:23:19.762105 IP x.x.x.x.42852 > y.y.y.177.22: S 
3899166006:3899166006(0) win 65535 <mss 1380,sackOK,eol>
16:23:19.762130 IP y.y.y.177.22 > x.x.x.x.42852: S 
4286889391:4286889391(0) ack 3899166007 win 5840 <mss 1460>

Here is the tcpdump on the server when the client tries to connect while 
a one-to-one nat is in place with TCP window scaling enabled

17:51:42.373439 IP x.x.x.x.49165 > y.y.y.177.22: S 
1731332088:1731332088(0) win 65535 <mss 1380,nop,wscale 
3,nop,nop,timestamp 409029697 0,sackOK,eol>
17:51:42.438272 IP y.y.y.177.22 > x.x.x.49165: S 
1297584268:1297584268(0) ack 1731332089 win 5792 <mss 
1460,nop,nop,timestamp 1704280650 409029697,nop,wscale 9>

When the client is being natted to the netscreens public IP we see the 
SYN makes it to the server, but the server ignores the SYN if the TCP 
window scale option is set. As soon as the client leaves the window 
scale option unset the server responds with a SYN-ACK. So it appears 
there is an issue with window scaling and we verified that disabling 
window scaling on the client resulted in instant connection. With that 
being said, we also saw that connections were not delayed if windows 
scaling was enabled and the client had a one-to-one mapping on the 
netscreen. Any ideas on why there is an issue with window scaling and 
one-to-many nat mappings?