NAT Timeout Variations

Just a quick note on the varying state of NAT timeouts as used by different vendors.

RFC1122 states the following about how TCP keep-alives are to be implemented:

Keep-alive packets MUST only be sent when no data or acknowledgement packets have been received for the connection within an interval. This interval MUST be configurable and MUST default to no less than two hours.

RFC5382 states the following about NAT idle-timeouts, with RFC1122 in mind:

If a NAT cannot determine whether the endpoints of a TCP connection are active, it MAY abandon the session if it has been idle for some time. In such cases, the value of the “established connection idle-timeout” MUST NOT be less than 2 hours 4 minutes. The value of the “transitory connection idle-timeout” MUST NOT be less than 4 minutes.

Keeping this in mind, the default established-connection idle-timeout differs enormously between vendor implementations. NOTE that this list comes from a quick browse of the net for specific references, so some values may be old or since updated.

  • RFC: 7440 sec (2 hours 4 mins)
  • Cisco IOS: 86400 sec (24 hours)
  • Cisco ASA: 10800 sec (3 hours)
  • A10 (Carrier Grade): 300 sec (5 mins)
  • Brocade ServerIron ADX: 120 sec (2 mins)
  • Netgear FVS318: 600 sec (10 mins)
  • Netgear FVS336Gv2: 1200 sec (20 mins)
  • D-Link DIR-615: 7800 sec (2 hours 10 mins)
  • DD-WRT: 3600 sec (1 hour)
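As an added example (not part of the original post), a small Python helper that checks a NAT's timeouts against the RFC5382 minimums, lists which of the vendor defaults above would drop an idle session before an RFC1122 default keep-alive (7200 sec) ever fires, and enables TCP keep-alives on a socket tuned to fire well inside a given NAT timeout. The vendor table is copied from the list above; the TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT socket options are Linux-specific and are skipped where the platform does not expose them.

```python
import socket

# RFC 5382 minimum idle-timeouts for a NAT's TCP state table (seconds).
RFC5382_ESTABLISHED_MIN = 2 * 3600 + 4 * 60   # 7440 s
RFC5382_TRANSITORY_MIN = 4 * 60               # 240 s
# RFC 1122 default keep-alive idle interval (seconds).
RFC1122_KEEPALIVE_DEFAULT = 2 * 3600          # 7200 s

# Vendor default established-connection idle-timeouts quoted in the post (seconds).
VENDOR_DEFAULTS = {
    "RFC": 7440,
    "Cisco IOS": 86400,
    "Cisco ASA": 10800,
    "A10 (Carrier Grade)": 300,
    "Brocade ServerIron ADX": 120,
    "Netgear FVS318": 600,
    "Netgear FVS336Gv2": 1200,
    "D-Link DIR-615": 7800,
    "DD-WRT": 3600,
}

def meets_rfc5382(established_timeout, transitory_timeout=RFC5382_TRANSITORY_MIN):
    """True if a NAT's configured idle-timeouts satisfy the RFC 5382 minimums."""
    return (established_timeout >= RFC5382_ESTABLISHED_MIN
            and transitory_timeout >= RFC5382_TRANSITORY_MIN)

def vendors_dropping_default_keepalive():
    """Vendors whose default timeout expires before an RFC 1122 two-hour keep-alive."""
    return sorted(v for v, t in VENDOR_DEFAULTS.items() if t < RFC1122_KEEPALIVE_DEFAULT)

def keepalive_idle_for(nat_timeout, margin=0.5):
    """Keep-alive idle interval (seconds) that fires well before the NAT drops the mapping."""
    return max(1, int(nat_timeout * margin))

def enable_keepalive(sock, idle, interval=30, count=3):
    """Turn on TCP keep-alives on a stream socket and, where the platform exposes
    them (Linux), set the idle/interval/probe-count knobs. Returns the options applied."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": 1}
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)   # absent on platforms without the option
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = value
    return applied
```

For a client behind a carrier-grade NAT with a 300 sec default, `enable_keepalive(sock, keepalive_idle_for(300))` sends the first probe after 150 sec, so the mapping survives even though the kernel's own 7200 sec default would never fire in time.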
