vCNS/NSX Edge Firewall and NAT TCP Timeout Values

Article ID: 321374


Products

VMware NSX Networking VMware vSphere ESXi

Issue/Introduction

This article describes the default NAT/firewall connection timeouts on vCNS/NSX Edge and explains how to query and configure the connection inactivity timeouts through the Representational State Transfer (REST) API.

Environment

VMware vCloud Networking and Security 5.1.x
VMware vShield Edge 5.5.x
VMware NSX for vSphere 6.0.x
VMware vShield Edge 5.1.x
VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.2.x
VMware vCloud Networking and Security 5.5.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x

Resolution

These tables provide the default values and configuration options depending on the supported API version:
API Versions

Release Version                  API Version      Configuration Persistence across Redeploy or Upgrade
vCNS 5.1.2 and earlier           Not supported    -
vCNS 5.1.3 and later             api/3.0          No
vCNS 5.5.1 and later             api/3.0          No
NSX for vSphere 6.0 and later    api/4.0          Yes
 
Default Values

Protocol/State                            Inactivity Timeout (seconds), API 3.0    Inactivity Timeout (seconds), API 4.0
TCP Open (SYN-SENT, SYN-RCVD states)      30                                       30
TCP Established                           3600                                     3600
TCP Close (TIME-WAIT, FIN-WAIT states)    20                                       30
UDP                                       30                                       60
ICMP/ICMPv6                               10                                       10
All other protocols                       120                                      120
 

Query/Configuration

The connection inactivity timeout settings can be queried and configured at run time through the REST API.
 
API/3.0
  • Query - Connection Inactivity Timeouts: the query operation is supported in this version.
  • Configure - Connection Inactivity Timeouts: in API 3.0, connection inactivity timeouts are configured through the systemcontrol section. Each of the listed parameters is optional. The configured parameters persist across a Redeploy operation from vShield Manager.
  • URL: /api/3.0/edges/{edgeId}/systemcontrol/config
  • Method: PUT
  • Input representation:

    <systemControl>
    <property>sysctl.net.netfilter.nf_conntrack_tcp_timeout_syn_sent=30</property>
    <property>sysctl.net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30</property>
    <property>sysctl.net.netfilter.nf_conntrack_tcp_timeout_established=3600</property>
    <property>sysctl.net.netfilter.nf_conntrack_tcp_timeout_close=20</property>
    <property>sysctl.net.netfilter.nf_conntrack_tcp_timeout_close_wait=60</property>
    <property>sysctl.net.netfilter.nf_conntrack_tcp_timeout_fin_wait=20</property>
    <property>sysctl.net.netfilter.nf_conntrack_tcp_timeout_time_wait=20</property>
    <property>sysctl.net.netfilter.nf_conntrack_tcp_timeout_last_ack=30</property>
    <property>sysctl.net.netfilter.nf_conntrack_udp_timeout=30</property>
    <property>sysctl.net.netfilter.nf_conntrack_udp_timeout_stream=30</property>
    <property>sysctl.net.netfilter.nf_conntrack_icmp_timeout=10</property>
    <property>sysctl.net.netfilter.nf_conntrack_generic_timeout=120</property>
    </systemControl>

     
  • Output representation: None
  • HTTP Result Codes: 204 NO CONTENT

To query the current configuration with the GET method, use:

GET https://vsm-ip/api/3.0/edges/<edgeId>/firewall/config

API/4.0
 
Query Connection Inactivity Timeouts:
  • URL: /api/4.0/edges/{edgeId}/firewall/config/global
  • Method: GET
  • Input representation: No payload
  • Output representation:

    <globalConfig>...
    <tcpTimeoutOpen>30</tcpTimeoutOpen>
    <tcpTimeoutEstablished>3600</tcpTimeoutEstablished>
    <tcpTimeoutClose>30</tcpTimeoutClose>
    <udpTimeout>60</udpTimeout>
    <icmpTimeout>10</icmpTimeout>
    <icmp6Timeout>10</icmp6Timeout>
    <ipGenericTimeout>120</ipGenericTimeout>
    </globalConfig>

     
  • HTTP Result Codes: 200 OK
Configure Connection Inactivity Timeouts:
  • URL: /api/4.0/edges/{edgeId}/firewall/config/global
  • Method: PUT
  • Input representation:

    <globalConfig> ...
    <tcpTimeoutOpen>30</tcpTimeoutOpen>
    <tcpTimeoutEstablished>3600</tcpTimeoutEstablished>
    <tcpTimeoutClose>30</tcpTimeoutClose>
    <udpTimeout>60</udpTimeout>
    <icmpTimeout>10</icmpTimeout>
    <icmp6Timeout>10</icmp6Timeout>
    <ipGenericTimeout>120</ipGenericTimeout>
    ...
    </globalConfig>

     
  • Output representation: No Payload
  • HTTP Result Codes: 204 NO CONTENT

Note:

  • You cannot disable the TCP Session Timeout value.
  • The maximum TCP Session Timeout value that can be set is 2^32 - 1 seconds.
  • Starting with VMware NSX for vSphere 6.2.3, the default TCP Established Timeout has been increased from 3600 to 21600.
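The API 4.0 query/configure round trip and the limits from the note above, as an added example that is not part of the original article or of any VMware tooling. Because the PUT body is the whole globalConfig document (the page elides its other elements as "..."), the script fetches the current document, changes only the requested timeout elements, validates them against the 1 to 2^32-1 second range, and builds the PUT request; the globalConfig sample, the `someOtherSetting` placeholder element and the host and edge id are constructed here for illustration.

```python
import xml.etree.ElementTree as ET
import urllib.request

# Timeout elements of the API 4.0 <globalConfig> document, as listed in the article.
TIMEOUT_TAGS = ("tcpTimeoutOpen", "tcpTimeoutEstablished", "tcpTimeoutClose",
                "udpTimeout", "icmpTimeout", "icmp6Timeout", "ipGenericTimeout")
MAX_TIMEOUT = 2**32 - 1  # largest settable session timeout per the article's note

# Constructed sample of a GET /api/4.0/edges/{edgeId}/firewall/config/global response;
# <someOtherSetting> is a placeholder for the elements the page elides as "...".
SAMPLE_GLOBAL_CONFIG = """<globalConfig>
  <someOtherSetting>true</someOtherSetting>
  <tcpTimeoutOpen>30</tcpTimeoutOpen>
  <tcpTimeoutEstablished>3600</tcpTimeoutEstablished>
  <tcpTimeoutClose>30</tcpTimeoutClose>
  <udpTimeout>60</udpTimeout>
  <icmpTimeout>10</icmpTimeout>
  <icmp6Timeout>10</icmp6Timeout>
  <ipGenericTimeout>120</ipGenericTimeout>
</globalConfig>"""

def parse_timeouts(xml_text):
    """Return {element name: seconds} for the timeout elements present in a globalConfig."""
    root = ET.fromstring(xml_text)
    return {t: int(root.findtext(t)) for t in TIMEOUT_TAGS if root.findtext(t) is not None}

def set_timeouts(xml_text, updates):
    """Return the complete globalConfig with only the given timeouts changed, ready for PUT.
    Values outside 1..2^32-1 are rejected: the timeout cannot be disabled (0) or exceed the max."""
    root = ET.fromstring(xml_text)
    for tag, seconds in updates.items():
        if tag not in TIMEOUT_TAGS:
            raise ValueError("unknown timeout element: %s" % tag)
        if not 1 <= int(seconds) <= MAX_TIMEOUT:
            raise ValueError("%s must be between 1 and %d seconds" % (tag, MAX_TIMEOUT))
        elem = root.find(tag)
        if elem is None:  # element absent from the fetched document: add it
            elem = ET.SubElement(root, tag)
        elem.text = str(int(seconds))
    return ET.tostring(root, encoding="unicode")

def build_put_request(vsm_host, edge_id, body):
    """PUT /api/4.0/edges/{edgeId}/firewall/config/global; success is 204 NO CONTENT."""
    url = "https://%s/api/4.0/edges/%s/firewall/config/global" % (vsm_host, edge_id)
    return urllib.request.Request(url, data=body.encode(), method="PUT",
                                  headers={"Content-Type": "application/xml"})

if __name__ == "__main__":
    # Raise TCP Established to the 6.2.3+ default of 21600 s; hypothetical host and edge id.
    body = set_timeouts(SAMPLE_GLOBAL_CONFIG, {"tcpTimeoutEstablished": 21600})
    print(build_put_request("vsm.example.invalid", "edge-1", body).full_url, body, sep="\n")
```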
 


Additional Information

For more information about configuring firewall rules or NAT in vShield Manager, see the vShield Administration Guide.
 
For more information about the REST API, see: