IX. NAT Related Features
Configuring NAT Session Timeout Settings
Network Address Translation (NAT) is used by almost all routers so that many LAN devices with private local IP addresses can share one public Internet Protocol (IP) address. When a local machine sends a request out to the Internet, the router translates the source IP address to the router's public IP address and stores an entry in the NAT session table so that it can keep track of the session and route the reply traffic back to the correct internal destination.
Each DrayTek Vigor router typically supports a large number of NAT sessions at once (for example, the Vigor 2862 supports 60,000 sessions), but on a busy enough network the NAT sessions need to be managed, clearing old sessions to ensure that there are always free NAT sessions available to service new requests. If the NAT session pool is exhausted, no new sessions can be created and new connections to the Internet will fail until a session becomes free.
DrayTek Vigor routers manage NAT sessions by opening and closing sessions as requested by clients; they also monitor which sessions are "idle" (inactive) in order to deal with sessions that were not closed correctly by the client software (for example, if the machine is powered off suddenly). When a session has been idle for longer than the timeout for its type, the router automatically clears it.
Each session is assigned to one of the categories in the table below, based on the protocol it uses, and each category has its own idle timeout.
Session Type | Default Timeout | Description |
---|---|---|
TCP WWW | 60 seconds | TCP sessions detected as HTTP or HTTPS traffic |
TCP SYN | 60 seconds | TCP sessions still in the SYN state of the TCP three-way handshake, i.e. not yet fully established |
TCP | 86400 seconds (1 day) | All established TCP sessions that are not in the TCP SYN state and are not classified as TCP WWW |
UDP | 180 seconds (3 minutes) | UDP sessions, used for real-time or program-specific data, typically online games and Voice over IP |
ICMP | 10 seconds | Sessions used for measuring network latency and reliability, such as pings and traceroutes |
Managing NAT and Voice over IP
In some networks, especially where Voice over IP is in use, this idle session clearing can cause unexpected behaviour, specifically for the UDP sessions used by the SIP protocol.
SIP sessions (normally UDP port 5060) are cleared by the router if they remain inactive for longer than the UDP timeout, resulting in a situation where IP phones and PBX systems behind the router can make outgoing calls, but incoming calls are sometimes not received.
When an IP phone or PBX system registers with its remote SIP server, this creates a UDP session between the client (IP phone, PBX) and the server (remote PBX or SIP provider) which is used to control the making and receiving of calls. The SIP provider delivers incoming calls to the router's Internet IP address and the port it saw on that registration; without the session in the NAT table, the router cannot know which phone to forward the SIP INVITE packets to, so the IP phone or PBX system simply does not receive the call.
The IP phone's or PBX system's SIP registration has its own lifetime, which is renewed periodically and is also refreshed when outbound calls are made, but the provider continues to treat the registration as valid for that whole lifetime.
If the SIP registration interval exceeds the DrayTek router's default UDP session timeout of 180 seconds and the SIP account remains idle during that time, the router will clear that SIP session as an idle UDP session while the provider still believes the phone is reachable on the old address and port.
This can be avoided when configuring the IP phone handset or PBX system by enabling UDP keep-alive in the phone's settings, which periodically sends a small packet to the SIP server to keep the session active. The keep-alive interval must be shorter than the router's UDP timeout (for example, every 60 seconds against the default 180-second timeout) for this to work.
Configuring Idle Session Timeout Values
Where that is not possible, it can be necessary to increase the router's UDP timeout value from its default of 180 seconds to a value exceeding the SIP registration's expiry time.
For instance, with a SIP phone that has a SIP registration expiry time of 3600 seconds (1 hour), increasing the router's UDP idle session timeout to 3660 seconds avoids the risk of the SIP session being closed by the router even if it remains inactive for the full registration interval, with a small margin for the re-registration itself.
Some Internet services, such as Google's QUIC (Quick UDP Internet Connections) protocol used for YouTube and other web traffic, carry that traffic over UDP. An excessively high UDP session timeout keeps each of those short-lived flows in the table long after it has finished, and on a busy network this can exhaust the router's available NAT sessions, so set the value only as high as the longest SIP registration expiry requires.
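The following Python model is an added illustration and not DrayTek firmware code. It implements a NAT session table with the per-protocol idle timeouts from the table above and then replays two constructed traffic patterns: an IP phone that registers with its provider (3600-second expiry) and later receives an INVITE, with and without keep-alives or a raised UDP timeout; and a burst of short-lived QUIC-style UDP flows against a deliberately small table, showing the exhaustion trade-off. The addresses, port numbers, timings and the one-public-IP, one-port-per-session behaviour are simplifying assumptions.

```python
"""Toy NAT session table with per-protocol idle timeouts (added example, not DrayTek code)."""
from dataclasses import dataclass

# Default idle timeouts in seconds, as listed in the article's table.
DEFAULT_TIMEOUTS = {"TCP_WWW": 60, "TCP_SYN": 60, "TCP": 86400, "UDP": 180, "ICMP": 10}

PROVIDER = ("203.0.113.5", 5060)   # constructed SIP provider address (documentation range)
PHONE = ("192.168.1.20", 5060)     # constructed LAN IP phone


@dataclass
class Session:
    proto: str          # timeout class, e.g. "UDP"
    inside: tuple       # (LAN IP, port)
    outside: tuple      # (remote IP, port)
    public_port: int    # port the router presents on its single WAN IP (assumption)
    last_seen: float    # time of the last packet in either direction


class NatTable:
    def __init__(self, timeouts=None, capacity=60000):
        self.timeouts = dict(DEFAULT_TIMEOUTS)
        if timeouts:
            self.timeouts.update(timeouts)
        self.capacity = capacity      # 60,000 is the Vigor 2862 figure from the article
        self.sessions = {}            # (proto, inside, outside) -> Session
        self.by_public = {}           # (proto, public_port) -> Session
        self.next_port = 40000        # assumed start of the WAN port range
        self.refused = 0              # new sessions rejected because the table was full

    def expire(self, now):
        """Clear every session idle longer than the timeout of its class."""
        stale = [k for k, s in self.sessions.items()
                 if now - s.last_seen > self.timeouts[s.proto]]
        for key in stale:
            s = self.sessions.pop(key)
            del self.by_public[(s.proto, s.public_port)]

    def outbound(self, now, proto, inside, outside):
        """LAN -> Internet packet: refresh the mapping or create one.
        Returns the public port, or None if the table is exhausted."""
        self.expire(now)
        key = (proto, inside, outside)
        s = self.sessions.get(key)
        if s is None:
            if len(self.sessions) >= self.capacity:
                self.refused += 1
                return None
            s = Session(proto, inside, outside, self.next_port, now)
            self.next_port += 1
            self.sessions[key] = s
            self.by_public[(proto, s.public_port)] = s
        s.last_seen = now
        return s.public_port

    def inbound(self, now, proto, public_port, outside):
        """Internet -> WAN IP packet: return the LAN destination, or None if unknown."""
        self.expire(now)
        s = self.by_public.get((proto, public_port))
        if s is None or s.outside != outside:   # only the original peer may use the mapping
            return None
        s.last_seen = now
        return s.inside


def simulate_sip(udp_timeout, keepalive_interval=None, invite_at=600, expiry=3600):
    """Does an INVITE sent by the provider at time invite_at reach the phone?
    The phone REGISTERs at t=0 and every `expiry` seconds; the provider sends the
    INVITE to the public port it saw on the most recent REGISTER."""
    nat = NatTable({"UDP": udp_timeout})
    port = nat.outbound(0, "UDP", PHONE, PROVIDER)          # initial REGISTER
    t = 0
    while True:
        next_register = (t // expiry + 1) * expiry
        next_keepalive = t + keepalive_interval if keepalive_interval else next_register
        nxt = min(next_register, next_keepalive)
        if nxt >= invite_at:
            break
        t = nxt
        new_port = nat.outbound(t, "UDP", PHONE, PROVIDER)  # keep-alive or re-REGISTER
        if t % expiry == 0:
            port = new_port      # provider learns the current public port from each REGISTER
    return nat.inbound(invite_at, "UDP", port, PROVIDER) == PHONE


def simulate_churn(udp_timeout, flows, spacing, capacity):
    """QUIC-style churn: one new short-lived outbound UDP flow every `spacing`
    seconds from the same client. Returns (peak table size, refused sessions)."""
    nat = NatTable({"UDP": udp_timeout}, capacity=capacity)
    peak = 0
    for i in range(flows):
        nat.outbound(i * spacing, "UDP", ("192.168.1.30", 50000 + i), ("198.51.100.1", 443))
        peak = max(peak, len(nat.sessions))
    return peak, nat.refused


if __name__ == "__main__":
    print("default 180 s, idle phone:      ", simulate_sip(180))               # False
    print("default 180 s, 60 s keep-alive: ", simulate_sip(180, 60))           # True
    print("3660 s timeout, idle phone:     ", simulate_sip(3660))              # True
    print("3660 s timeout, after re-REGISTER:", simulate_sip(3660, invite_at=7000))
    print("churn, 180 s timeout:  ", simulate_churn(180, 1000, 1, 500))       # (181, 0)
    print("churn, 3660 s timeout: ", simulate_churn(3660, 1000, 1, 500))      # (500, 500)
```

With the default 180-second UDP timeout the INVITE at 600 seconds finds no mapping and is dropped, which is exactly the "outbound works, inbound does not" symptom; a 60-second keep-alive or a 3660-second timeout both keep the mapping alive, and the last case shows the timeout holding across the re-registration at 3600 seconds. The churn run uses a table capped at 500 entries purely to make the effect visible: with the default timeout only about three minutes' worth of flows are resident at once, whereas with 3660 seconds every finished flow lingers and half of the new ones are refused.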
These timeouts are managed on the router through the "portmaptime" CLI command, which can be entered from a CLI client or from the Web Console: log in to the router's web user interface and click the "sliders" icon in the upper right to open the web console.
To view the router's current NAT session timeout values, enter "portmaptime -l" and press Enter; the current values for each session type are displayed.
To change the UDP session timeout value, enter "portmaptime -u <number>", where the number is the new timeout in seconds (for example "portmaptime -u 3660" for the case above), and press Enter.
Confirm the updated timeout value by entering "portmaptime -l" again. The change applies to sessions created from that point on; existing idle sessions that have already been cleared are not restored.
- First Published: 05/09/2018
- Last Updated: 22/04/2021