
Re: Idle TCP connections freeze



Nikolaus Rath wrote:
> Pascal Hambourg writes:
> > Nikolaus Rath a écrit :
> > It appears that the client has a private address and the server has a
> > public address. So I guess that there is a NAT device between them, and
> > its stateful NAT engine may be the cause of the problem, by deleting
> > connections from its translation table after a delay of inactivity.

I have seen (and discarded) cheap consumer router boxes that had just
that problem.  

> Yes, just tried it. The server does not receive anything at all when the
> client starts retransmitting. I guess that is consistent with the NAT
> explanation?

I think it is very plausible.

> Yes, I guess your NAT theory makes sense. If I use ssh with
> "ServerAliveInterval", or force libkeepalive use with LD_PRELOAD, the
> connections survive beyond 302 seconds.
> 
> However, unfortunately this isn't a good solution, because I have
> non-Linux devices in the same network that suffer from the same problem.

I immediately think there is a cheap consumer router in the middle
that you could replace and solve the problem.  Or perhaps look for a
firmware upgrade.  I have a Netgear that originally worked okay for
everything except VOIP just would not work.  Six months later a
firmware upgrade was available and I installed it and magically all of
my VOIP problems disappeared.  For example.

> Is there a way to figure out at which device the NAT timeout
> happens?

How many NAT'ing devices do you have in series?

> I have a Cisco DPC3825 cable modem that does NAT.

Any others?  

> But it has just 4 Ethernet connections and WLAN, so I have a hard
> time believing that it would need to force a 5 min timeout.

It doesn't *need* to do it.  But something is doing it.

> The web administration page also doesn't mention any timeouts (which
> may of course mean nothing). Is it possible that there's a second
> NAT at work behind the modem?

You can daisy-chain NAT devices.  So if you ask a question like "is it
possible" then the answer must be yes.  Yes it is possible.  So
frankly those types of questions are not useful to ask because the
answer is always yes.  But if so then you would see it there on the
table with the wires attaching you to the Internet.  If you don't see
it then it isn't there.  It is your network.  Only you will know what
is on your network.

I would plug yourself directly into the Cisco.  (In case you were
plugged into a switch or other network further downstream.)  Plug
directly into the cable modem.  Then you will be as far upstream as
possible.  Does the problem persist?  If you are plugged directly into
the cable modem and there are no other devices between you and the
internet then there are no other NAT devices and the problem would be
in your Cisco cable modem.

My Cisco DSL modem runs Cisco's CBOS and allows me to inspect the
state of the NAT tables.  The device has timers, but on my modem they are
only counting down for UDP connections.

The typical consumer would never run into the problem of persistent
TCP connections dropping.  Because AFAICS most users only surf the web
and stream videos.  Neither of those have idle connections.  Therefore
a firmware bug may go a long time until someone like you debugs
it.  Check to see if the Cisco has newer firmware available for it.
If so I would update the firmware and then see if the problem changes.

If you are asking for ways to tell if something does NAT then let me
say that every NAT interface will have a different subnet on the
private NAT LAN side from the public WAN side.  So you can use the
existence of IP address subnet numbers to map if something is doing
NAT or not.

Here is a text picture that people reading on a web browser won't be
able to understand because a web browser's proportionally spaced fonts
will not be monospaced and it will be garbage.  But on an email mail
user agent it should be okay.

      Internet
         |
    192.0.43.10
  +--------------+
  | some nat box |
  +--------------+
     10.0.0.1
         ^
         |
         v
     10.0.0.100
  +--------------+
  | some nat box |
  +--------------+
    192.168.1.1
         ^
         |
         v
  +----------------+
  | network switch |
  +----------------+
      ^   ^    ^
      |   |    v
      |   v
      v
     192.168.1.100
  +-------------------+
  | gnu/linux machine |
  +-------------------+

As you can see every NAT device will have a different subnet on each
side of the box.  The above diagram illustrates two NAT devices
daisy-chained with different subnets on each.  But a network switch
will be transparent with the subnet propagated and shared through
it.

Hope that helps,

Bob
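As an added illustration (not part of Bob's message), the subnet rule above can be applied to a traceroute taken from the gnu/linux machine in the diagram: every hop that answers from a private RFC 1918 address before the first public hop sits on a private-side subnet and is therefore a NAT candidate, which also gives a way to tell whether one or two boxes are in the path. The traceroute text is constructed to match the diagram; `TWO_NAT_TRACE`, `ONE_NAT_TRACE` and the function names are my own.

```python
import ipaddress
import re

# Constructed sample (not a real capture): a traceroute from the gnu/linux
# machine in the diagram toward a public host, through both NAT boxes.
TWO_NAT_TRACE = """\
traceroute to 192.0.43.8 (192.0.43.8), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms  0.389 ms  0.377 ms
 2  10.0.0.1  1.102 ms  1.087 ms  1.071 ms
 3  * * *
 4  192.0.43.1  12.514 ms  12.488 ms  12.470 ms
 5  192.0.43.8  13.002 ms  12.995 ms  12.980 ms
"""

# Constructed sample: the same host plugged straight into a single NAT box.
ONE_NAT_TRACE = """\
traceroute to 192.0.43.8 (192.0.43.8), 30 hops max, 60 byte packets
 1  192.168.1.1  0.401 ms  0.380 ms  0.366 ms
 2  192.0.43.1  11.903 ms  11.880 ms  11.861 ms
 3  192.0.43.8  12.410 ms  12.390 ms  12.372 ms
"""

# Hop number followed by a dotted-quad address; silent "* * *" lines do not match.
HOP_RE = re.compile(r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s")


def parse_hops(trace_text):
    """Return the replying hop addresses in path order (silent hops are skipped)."""
    return [ipaddress.ip_address(m.group(1))
            for m in map(HOP_RE.match, trace_text.splitlines()) if m]


def nat_candidates(hops):
    """Apply the subnet rule: each hop answering from a private (RFC 1918)
    address before the first public hop sits on a private-side subnet, so it
    is a candidate NAT box.  A plain router between two private subnets would
    be counted as well, so the result is an upper bound on NAT devices."""
    candidates = []
    for hop in hops:
        if not hop.is_private:
            break  # first public address: we have left the NAT'd side
        candidates.append(hop)
    return candidates


def count_nat_candidates(trace_text):
    """Number of suspected NAT devices between this host and the Internet."""
    return len(nat_candidates(parse_hops(trace_text)))
```

If the count is higher than the number of boxes on the table, something between the switch and the modem is routing or translating; if it is one while two boxes are visible, the second box is bridging rather than doing NAT.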
