Ivan Pepelnjak wrote:
The problem is that the session stays active. I want the session to be
lost. I believe the rules should be adhered to a bit more strictly.

The session DOES NOT stay active. The phone is stupid. It should have realized 
there's no reply and restart the session.

With UDP and other stateless protocol "sessions", the router cannot tell that the phone thinks it is doing exactly that.

You can view this issue with ping -t from windows stations as well.


If the current matching nat statement would result in a different value
for the inside global address, then a new translation should be called
for.

It isn't actually all that hard to check for, conceptually.

And then you'd complain about the CPU load. What do you think is cheaper: 
checking the NAT table or NAT rules (including route maps) for every packet?

It would be nice if there were some happy medium somewhere that would not result in sessions that won't die and can't work.


(What would you expect to happen when the DHCP client address changes on
the egress interface? Or if you change the ip address on an interface
referenced by the ip nat statement?)

You'd lose all sessions, obviously. What else would you expect?

That's exactly what I would expect. So either there is some validation going on beyond matching existing sessions for the nat sessions, or the event of changing an interface address referenced in nat rules triggers cleanup. I suppose I should pay more attention the next time an opportunity to view this presents itself - it may very well not be the case.


Apparently, the end stations don't change the source port for new
attempts.

Proves my point. The phone is stupid ;) There's a reason every new client 
session should use a new dynamic port number.

Is it a big surprise that IP handsets can have extremely shoddy stacks? How about traceroutes to phones that would have the remainder of the default 30 hops be the phone itself?

Voice competency and networking competency seem to have oil/water difficulties.

Most of these handsets can cost about as much as many new workstations do.


This behavior has very disruptive end user symptoms.

Many stupid implementations have disruptive end-user symptoms. Microsoft 
Network Load Balancing with unknown unicast MAC addresses immediately comes to 
mind ;)

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info


So what is the bottom line? Is this the best that can be done with simple end site redundancy with object tracking and without dynamic routing?

Thanks for all your help.

Joe

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/