
Timeout of the IP NAT Table

Hello,

We suspect a saturation problem with the NAT table (masquerading).

To solve a similar problem (the 65k entries of the table were filled in less than 15 minutes), we simply reduced the timeout of the NAT table to 5 minutes (on a Cisco router).


How can I set this parameter on a Sophos SG?

And where can I display this NAT table (I could not find it)?


Thanks in advance for your help.



  • Hi,

    You can see the timeouts with the following:

    # cc get packetfilter timeouts

    Change a setting, for example:

    # cc set packetfilter timeouts ip_conntrack_generic_timeout 300

    A list of active connections is at /proc/net/ip_conntrack.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Thanks for this answer!

    Yes, that is the information I was looking for.


    But which parameter do I need to modify to reduce the number of entries in the table?

    ip_conntrack_generic_timeout?
    ip_conntrack_tcp_timeout_close_wait?
    ip_conntrack_tcp_timeout_established?
    Other?

  • My guess is the example I gave above.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
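Before lowering a timeout it helps to know which protocol/state actually fills the table listed at /proc/net/ip_conntrack, and which internal host is creating most entries. The script below is an added example, not code from the thread or from Sophos; it assumes the classic ip_conntrack line layout (proto, protocol number, remaining seconds, TCP state, then src=/dst= tuples) and runs here on a constructed sample instead of a live table.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a conntrack dump so the
# dominant state, and therefore the timeout worth tuning, becomes visible.
# Live use:  conntrack_summary < /proc/net/ip_conntrack

# Constructed sample in /proc/net/ip_conntrack format (assumed layout).
SAMPLE_CONNTRACK='tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=50120 dport=443 src=203.0.113.10 dst=198.51.100.1 sport=443 dport=50120 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=10.0.0.6 dst=203.0.113.11 sport=50121 dport=80 src=203.0.113.11 dst=198.51.100.1 sport=80 dport=50121 [ASSURED] mark=0 use=1
tcp      6 114 TIME_WAIT src=10.0.0.6 dst=203.0.113.12 sport=50122 dport=80 src=203.0.113.12 dst=198.51.100.1 sport=80 dport=50122 [ASSURED] mark=0 use=1
udp      17 25 src=10.0.0.8 dst=203.0.113.53 sport=40000 dport=53 [UNREPLIED] src=203.0.113.53 dst=198.51.100.1 sport=53 dport=40000 mark=0 use=1
udp      17 175 src=10.0.0.9 dst=203.0.113.53 sport=40001 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=40001 [ASSURED] mark=0 use=1
tcp      6 55 SYN_SENT src=10.0.0.10 dst=203.0.113.20 sport=50123 dport=25 [UNREPLIED] src=203.0.113.20 dst=198.51.100.1 sport=25 dport=50123 mark=0 use=1'

# Output columns: proto state flag count mean_remaining_seconds,
# sorted by count. Non-TCP entries have no state column and show "-".
conntrack_summary() {
    awk '
        {
            proto = $1; left = $3
            state = (proto == "tcp") ? $4 : "-"
            flag = "-"
            if ($0 ~ /\[UNREPLIED\]/) flag = "UNREPLIED"
            else if ($0 ~ /\[ASSURED\]/) flag = "ASSURED"
            key = proto " " state " " flag
            n[key]++; sum[key] += left
        }
        END { for (k in n) printf "%s %d %d\n", k, n[k], sum[k] / n[k] }
    ' | sort -k4,4nr -k1,1
}

# Output columns: internal_source count. The first src= on a line is the
# original direction, i.e. the host behind the masquerade.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
         END { for (h in n) printf "%s %d\n", h, n[h] }' | sort -k2,2nr
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary
printf '%s\n' "$SAMPLE_CONNTRACK" | top_sources
```

A large TIME_WAIT or UNREPLIED bucket points at a different timeout than a large ESTABLISHED bucket, and a single source with thousands of entries is a host problem rather than a timeout problem.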