GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Control » maximum number of nat sessions?
maximum number of nat sessions? [message #140012] Wed, 30 May 2018 17:35 Go to next message
ipsys is currently offline  ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
as per the description, what is the maximum number of nat sessions for NG500?


https://image.ibb.co/fO7CTJ/Screen_Shot_2018_05_30_at_3_33_49_pm.png

Report message to a moderator

Re: maximum number of nat sessions? [message #140018 is a reply to message #140012] Wed, 30 May 2018 17:59 Go to previous messageGo to next message
Kerio/GFI Brian is currently offline  Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
The max number of NAT port allocations is the same for all installation types of Kerio Control. In the configuration file "winroute.cfg" there is a table for "NAT" that defines the default range. It's 32768 through 65534. Ports get freed up when the connection is closed or times out.
Make sure you have not increased the connection limits (in Security Settings). Actually you may consider lowering them. Check the Active Hosts to see if you have any systems which are consuming a lot of connections.
If you want to modify the DynamicPortsRangeStart from 32768 to something lower, you can edit the configuration using the instructions in this topic: https://manuals.gfi.com/en/kerio/control/content/server-conf iguration-kerio-control/modifying-parameters-in-kerio-contro l-configuration-1745.html

Brian Carmichael
Instructional Content Architect

Report message to a moderator

Re: maximum number of nat sessions? [message #140020 is a reply to message #140018] Wed, 30 May 2018 19:16 Go to previous messageGo to next message
ipsys is currently offline  ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
thankyou, please can i know why the connections are not being closed?

https://preview.ibb.co/cbMCdJ/Screen_Shot_2018_05_30_at_4_15_38_pm.png

as you can see one host has 600,000+ connections. far greater than the 32,768 available to the nat?

also, as a result, i have enabled the security settings to limit the number of connections to 30,000, however, i see its possible to pass this?

https://image.ibb.co/dXfkXd/Screen_Shot_2018_05_30_at_5_05_38_pm.png


https://preview.ibb.co/dtYiJJ/Screen_Shot_2018_05_30_at_5_06_43_pm.png

Report message to a moderator

Re: maximum number of nat sessions? [message #140021 is a reply to message #140020] Wed, 30 May 2018 20:08 Go to previous messageGo to next message
Kerio/GFI Brian is currently offline  Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
Kerio Control uses port preserving when possible. So for certain types of connections it's not necessary to translate the source port. But keep in mind that the NAT port range is a separate configuration from the connection limit, however a relaxed connection limit policy like you have can cause the NAT port allocation to become exhausted.

The default value for max connections from an IP address is 600, which is much lower than the value you've set. Considering that you have hosts with much higher than the limit, I guess these hosts belong to an IP address group which is excluded from the limit.
In a normal environment, a host should only use up to a few hundred connections. It seems though your environment is unusual as you have many hosts on your network that consume an excessive amount of connections.

Brian Carmichael
Instructional Content Architect

Report message to a moderator

Re: maximum number of nat sessions? [message #140022 is a reply to message #140021] Wed, 30 May 2018 20:11 Go to previous messageGo to next message
Kerio/GFI Brian is currently offline  Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
I forgot to mention that you can see the age and timeout of connections by clicking in the column header of the connection view and choosing to enable those columns.

Brian Carmichael
Instructional Content Architect

Report message to a moderator

Re: maximum number of nat sessions? [message #140023 is a reply to message #140022] Wed, 30 May 2018 20:26 Go to previous messageGo to next message
ipsys is currently offline  ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
but if the connection limit is set to 30,000, it shouldnt be possible to pass this value?

this guy is only continuously incrementing.. am i missing something .. ??

https://preview.ibb.co/bYq0iJ/Screen_Shot_2018_05_30_at_6_22_17_pm.png

Report message to a moderator

Re: maximum number of nat sessions? [message #140025 is a reply to message #140023] Wed, 30 May 2018 21:19 Go to previous messageGo to next message
Kerio/GFI Brian is currently offline  Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California
Probably those hosts belong to an exceptions list defined in the connection limit feature.

Brian Carmichael
Instructional Content Architect

Report message to a moderator

Re: maximum number of nat sessions? [message #140052 is a reply to message #140025] Fri, 01 June 2018 16:49 Go to previous message
ipsys is currently offline  ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
actually at the time of writing, there were no exceptions. my screenshot above of the security settings were the only security settings that were enabled. i set the limit as high as i did because under the client list, i was seeing 80,000+ connections. as it turns out, this number doesnt appear to be correct because when i click on the connections tab it only reports up to 1211 'items' (you can see this in my screenshots above). it gives a false sense of the real situation with this number only incrementing. also, under 'active connections' it never passed some 5x,xxx items. it does look like this limitation is global - its to say that if i have many public ip, using nat and load balancing, i still encounter this problem.

since this problem surfaced, i have gone back to routing our network through the kerio to another device, as we didnt have this problem before we start to use the nat on the kerio; we were hoping to remove a hop.

but thankyou very much for your help. what i have also done (as i was never aware of this limitation of nat - this is my first time to hit this wall (or even get close to it)) is to nat some clients via a port in the kerio and put the bulk of the traffic to the other device. this will only buy some time as the number of hosts in our network increases.

Report message to a moderator

Previous Topic: 9.2.5 patch2 released
Next Topic: Access to KERIO web resources from Russian Internet
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Tue Sep 26 05:25:38 CEST 2023

Total time taken to generate the page: 0.06089 seconds
.:: Contact :: Home :: Acceptable Use Policy ::.

Powered by: FUDforum 3.0.9.
Copyright ©2001-2022 FUDforum Bulletin Board Software