Connection Tracking - Field Explanation

I’ve seen several posts regarding recommended settings, but nothing that explains exactly what these fields represent. For example, here is a snippet from the Manual regarding UDP settings:
udp-timeout (time; Default: 10s) Specifies the timeout for udp connections that has seen packets in one direction
udp-stream-timeout (time; Default: 3m) Specifies the timeout of udp connections that has seen packets in both directions

Does the udp-timeout field mean that the connection will close if nothing is seen for 10s, or does it close the connection after 10s regardless of activity? When would this be used? (example: keep-alives? SIP registration ?)
Does the udp-stream-timeout mean that the connection will close if nothing is seen coming both directions (one way traffic only) after 3m, or will it close it regardless of activity after 3m ?

I’m attempting to troubleshoot a SIP registration issue and I’m concerned that I’m misunderstanding the UDP timers. I’ve implemented them as follows:
udp-timeout 00:45:10
udp-stream-timeout 00:30:00

I set these up with the understanding that the connection/port will be closed after 45 minutes (allowing for keep alives to be sent to/from the SIP device for up to 45 minutes) and I’m not entirely sure why I set the stream-timeout that way. Am I thinking of these correctly, or am I over thinking them?

They are timeouts when no further packets are seen. Usually (with 2 way communication) the router would remove the UDP connection from the state table after the (default) 3 minutes of inactivity. With your new setting this would happen after 30 minutes. Beware of filling the connection table with entries that are no longer valid.

Imagine what happens at the beginning of a UDP exchange - one endpoint sends a packet to the other endpoint. If the connection-tracking engine sees a packet in the opposite direction within udp-timeout (those 10 s by default), it considers the “session” (or stream, but it is also an imprecise name) established. From that moment on, it is sufficient if a packet is sent in either direction before udp-stream-timeout (180 s by default) expires.

So with your setting where udp-timeout is 45’10" but udp-stream-timeout is only 30’, the initial REGISTER can be responded before 45’10" and still be considered part of the tracked connection, but once the response comes, the INVITE must come in less than 30’ otherwise the it is not considered part of that connection (and thus will be likely dropped) - unless a re-REGISTER comes in less than 30’ which restarts the udp-stream-timeout.

If you activate (and configure for the right port) the SIP ALG and NAT is not used, the default values for UDP are replaced with individual ones for SIP if the registration succeeds, which means that the (equivalent of) udp-stream-timer becomes 60 minutes (by default, it is also configurable). If the REGISTER does not succeed, either udp-timeout or udp-stream-timeout takes over, depending whether the non-responded REGISTER was an initial one or a repeated one. But with NAT in use, the ALG helps phones on the private side, but is unable to help PBXes.

I disabled SIP ALG/helper based on experience of common practice on other firewalls (it’s only ever caused issues for me).

I’ve been running through several tests: Changing the udp-timeout but leaving the udp-stream-timeout at 3M default
I attempted 2m yesterday, but the registration aged.
I am working on 1m today to see if the registration lasts longer.


Am I testing the right setting, or should I be focusing on the stream timeout?

That is often helpful but with Mikrotik I haven’t seen any trouble if you don’t ask it for more than what it is good for (which is handling of phones on the private side of a NAT when talking to a server on the public side of the NAT).

I’ve been running through several tests: Changing the udp-timeout but leaving the udp-stream-timeout at 3M default
I attempted 2m yesterday, but the registration aged.
I am working on 1m today to see if the registration lasts longer.

Well, does the registration age or the pinhole (the tracked connection in Mikrotik’s firewall) age? With the SIP “service” disabled on Mikrotik, the SIP messages pass through without modification, so if you have in mind that you register a phone and you are unable to make it ring after a couple of minutes, it is usually because the pinhole (tracked connection) has aged. So check what is the registration period set on the phone, set the udp-stream-timeout at Mikrotik to that value+10 seconds (although a typical phone will actually re-register after half of the configured registration time), and keep the udp-timeout at the default 10 s and you should be good. As I’ve written - the udp-timeout is only relevant for the first response of the server, from then on the udp-stream-timeout takes over, no matter which one of the two is longer.

There is one caveat, some SIP servers reject too short registration times and restrict too long ones, so what you have configured on the phone may not be what you finally get, so either use Wireshark to see what the phone and the registrar have settled on, or use phone’s management interface to see the result.

In this instance, I am using a SPA112 device on the private side of the Mikrotik. The default setting in the device show 3600 for registration. That’s 1 hour. I have set the udp-stream-timeout to 01:00:10 in accordance with what you wrote. However, I am still seeing the registration on this device age out.

I see the connection open in the tracker, but I see no packets going back and forth. At this point, I’m thinking this is now an issue on the SIP proxy server side. They are expecting keep alives, and I’m not sending them because of the default setting of 3600

What exactly does this mean? Is the device complaining about registration aging, or does the proxy server (actually, it would have to be the registrar) complain about anything?

I see the connection open in the tracker, but I see no packets going back and forth. At this point, I’m thinking this is now an issue on the SIP proxy server side. They are expecting keep alives, and I’m not sending them because of the default setting of 3600

It seems to me you are missing some significant point somewhere.
Leaving SIP aside: with UDP, the firewall cannot extract any information regarding the state of the “connection” from the contents of the packets because UDP itself does not support any idea of “connection” or “session” like TCP does. So the only criteria which the firewall can use to determine whether the connection is alive or not is whether packets are flowing or not. Therefore, after the first pair of packets passes, each in another direction, any further packet restarts the udp-stream-timeout timer. So in another words, the firewall drops the context of the connection udp-stream-timeout seconds after the last packet seen, or in yet another words, it drops the context of the connection if the gap between two subsequent packets of the connection (in any direction) is larger than udp-stream-timeout seconds.

This fact is the reason why keepalive packets are used - something must be sent every “less than udp-stream-timeout” so that the firewall would maintain the context and let the packets from the public side to the protected side get through. Once the context is dropped (aka connection closed at the firewall), eventual further member packets of that UDP “connection” which come from the public side are dropped. Eventual packets coming from the private side create a brand new connection from the perspective of the firewall.

The SIP helper, among other things, extracts the information regarding SIP registration state from the payload of the UDP packets, and modifies the udp-stream-timeout of that particular UDP connection to the value sourced from its own configuration if the registration succeeds. Therefore, the connection context is maintained for that time. The helper does not parse the registration response for the actual duration of the registration, so if it is longer that the timeout in the helper’s configuration, the connection context is dropped although the registration is still valid.

So the SIP servers normally do not “expect” keepalives to come. Depending on the vendor’s creativity, they may leave the responsibility of keeping the firewall context alive on the client and tolerate the keepalives sent by the client, or they may limit the registration duration to less than 3 minutes so that the clients would re-register (some firewalls only extend the context life if the first packet of a close pair went from the protected side to the public one), or they may send a message not changing the client state (usually OPTIONS) to yield an answer from the client. Some compare the IP in Contact in the REGISTER with the source address of the packet, and only send OPTIONS or reduce registration validity if they differ, assuming that a difference means that the client is behind a NAT which is not SIP-aware while same address at both places means that either the client is at public address or it is behind a SIP-aware NAT so no keepalives are necessary.

So the behaviour you observe is perfectly right from my perspective - the client registers for an hour, and as you haven’t asked it to send keepalives and as the SIP server doesn’t care of that either, there is no reason why any packets should be seen in the connection until either the client re-registers or until a call is initiated in either direction.

So if your Mikrotik shows that the connection is still alive but when you call your phone and the phone does not ring and the packet counter of the connection does not increment, the problem is not the connection tracking but something else.

If you can call your phone within, say, first 60 seconds after registration but not after, say, 10 minutes, there is likely some other firewall between you and the SIP server which is responsible for that.

If you cannot call the phone even within the first ~60 seconds after registration, the SIP server is probably unable (or not configured) to handle client-side, non-SIP-aware NAT.