TikUser
newbie
Topic Author
Posts: 47
Joined: Thu Jul 04, 2013 2:40 pm
Location: EU

Connection tracking - timeout values

Thu May 15, 2014 2:03 pm

I've done some research about timeout values in Connection Tracking.

ROS:
tcp-syn-sent-timeout (time; Default: 5s)
tcp-syn-received-timeout (time; Default: 5s)
tcp-established-timeout (time; Default: 1d)
tcp-fin-wait-timeout (time; Default: 10s)
tcp-close-wait-timeout (time; Default: 10s)
tcp-last-ack-timeout (time; Default: 10s)
tcp-time-wait-timeout (time; Default: 10s)
tcp-close-timeout (time; Default: 10s)

Linux (iptables, Vyatta,...):
close timeout = 10s
close-wait timeout = 60s
established timeout = 5 days
fin-wait timeout = 120s
last-ack timeout = 30s
syn-received timeout = 60s
syn-sent timeout = 120s
time-wait timeout = 120s

As you can see, the MikroTik values are pretty aggressive. So, what's the catch? :D What does MikroTik know that the others don't?
Last edited by TikUser on Thu May 15, 2014 3:07 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 2931
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Connection tracking - timeout values

Thu May 15, 2014 2:22 pm

Black (left of the bar) = RouterOS
Blue (right of the bar) = Linux (if your values are right)

tcp-close-timeout=10s | close timeout = 10s
tcp-close-wait-timeout=10s | close-wait timeout = 60s
tcp-established-timeout=1d | established timeout = 5 days
tcp-fin-wait-timeout=10s | fin-wait timeout = 120s
tcp-last-ack-timeout=10s | last-ack timeout = 30s
tcp-syn-received-timeout=5s | syn-received timeout = 60s
tcp-syn-sent-timeout=5s | syn-sent timeout = 120s
tcp-time-wait-timeout=10s | time-wait timeout = 120s

generic-timeout=10m | ?
icmp-timeout=10s | ?
udp-stream-timeout=3m | ?
udp-timeout=10s | ?

The catch?
For example, 5 days with one port still busy for a single connection that was never closed?
If you have 2000 users, how long until you run out of available ports? (RouterOS uses the 32769-65534 range for NAT)
I'm Italian, not English. Sorry for my imperfect grammar.
 
TikUser
newbie
Topic Author
Posts: 47
Joined: Thu Jul 04, 2013 2:40 pm
Location: EU

Re: Connection tracking - timeout values

Thu May 15, 2014 3:33 pm

Ok! I've found the linux values here and here. There you can also find the timeouts for udp and icmp.

I've noticed that the MikroTik timeout values are too small for my network. My ROS firewall is configured to drop invalid traffic (add action=drop chain=forward connection-state=invalid). So sometimes ROS would drop valid traffic, because it is no longer in the connection tracking table. It timed out too early.
That's why I asked for the opinion of other Mikrotik users. :D
 
rextended
Forum Guru
Posts: 2931
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Connection tracking - timeout values

Thu May 15, 2014 6:57 pm

Black (left of the bar) = RouterOS
Blue (right of the bar) = Linux (if your values are right)
Green (the line below each pair) = My opinion.

tcp-close-wait-timeout=10s | close-wait timeout = 60s
When it is closed, it is closed and stays closed, so why wait more than 10 seconds?

tcp-established-timeout=1d | established timeout = 5 days
5 days??? For one single connection? In my gateway I lower this value to 6 hours.
If a PC or other device forgets to close the TCP connection, on a gateway with 2000 users you run out of the ports used for NAT...

tcp-syn-received-timeout=5s | syn-received timeout = 60s
tcp-syn-sent-timeout=5s | syn-sent timeout = 120s
60s ??? 120s ???? This is one way to help a "DoS"...

tcp-last-ack-timeout=10s | last-ack timeout = 30s
similar....

tcp-fin-wait-timeout=10s | fin-wait timeout = 120s
tcp-time-wait-timeout=10s | time-wait timeout = 120s
How slow can the other end be??? 120s????

These are equal on both systems:
tcp-close-timeout=10s | close timeout = 10s
udp-stream-timeout=3m | 3m
udp-timeout=10s | 10s

icmp-timeout=10s | system conntrack timeout icmp 30s
30s for one ICMP reply? What system waits for an ICMP packet with up to 30 seconds of delay???

generic-timeout=10m | ?
10m for a generic connection (not UDP, TCP or ICMP) is sufficient.
I'm Italian, not English. Sorry for my imperfect grammar.
 
TikUser
newbie
Topic Author
Posts: 47
Joined: Thu Jul 04, 2013 2:40 pm
Location: EU

Re: Connection tracking - timeout values

Thu May 15, 2014 7:05 pm

Thank you! After researching this topic, I came to the conclusion that some of the Mikrotik values are too small, and that some of the Linux values are too big for my network. I'm testing values that are between those ranges.
 
davidnvega
just joined
Posts: 18
Joined: Wed Aug 28, 2013 11:11 pm
Location: San Juan, Argentina

Re: Connection tracking - timeout values

Wed Feb 18, 2015 1:16 am

rextended wrote:
[quote of rextended's reply of Thu May 15, 2014 6:57 pm, reproduced in full above]
Thanks for all this information, it's really useful.

I'm having issues with a failover setting. I have a PCC load balance with recursive routing.

When an ISP fails, connections are still established through the failed ISP. I need to set lower timeouts, but I don't know which values I should modify and what the risk of this modification is. Can you help me?

Thanks!
Sorry for my English, I speak Spanish.
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Connection tracking - timeout values

Wed Feb 18, 2015 5:54 pm

davidnvega wrote:
[quote of davidnvega's post of Wed Feb 18, 2015 1:16 am, reproduced in full above]

The problem that you are running into is that the router remembers where it sent a packet in the past and how it applied a NAT rule to it. The better solution is to clear out the connection tracking table for those specific packets so that it will apply the appropriate NAT rule to the session and communication can continue.

Something like this will do the trick in a script when the failover happens.
# <PUBLIC IP OF WAN> is the public address of the WAN link that just went down;
# for NATed TCP/UDP flows reply-dst-address holds "address:port", so the ^ anchors the match to that address
/ip firewall connection remove [find reply-dst-address~"^<PUBLIC IP OF WAN>"]
