Re: Port problem
Olaf Titz <olaf,AT,bigred,DOT,inka,DOT,de>
Mon, 26 Feb 2001 21:19:56 +0100
> However, I found that after some time of connection (after few minutes
> (30-120) of inactivity usually), the destination port of packets sent by
> is not the destination port I put in the options file. I use 12501 and 12502
> as ports on each site. Packets should always be directed to port 12001 or
> 12002 depending on which site we are. The firewall filtering scheme is based
> on this. When packets are sent by cipe to another destination port, it is
> allowed to get out or to come in and the connection is lost.
> What's the problem with that ? Why would cipe try to change its ports like
> this ?
I think it's your NAT which changes the ports. Dynamic NATs for UDP
have a timeout and consider the association dead after some period of
inactivity. This is because the NAT is not able to detect when one
side of the association goes down, so it would pile up unneeded
associations and soon overflow its memory (when the client side of a
usual client/server setup restarts, it uses another port).
You should either set this timeout as high as possible, or
(preferably) configure the NAT to treat the ports you use for CIPE as
 which is not really a _connection_, this is the heart of the matter.
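
One way to check the NAT-timeout explanation from a packet capture, as an added example that is not part of the original message: the script reads lines in the style of `tcpdump -tt -n udp` output taken on the public side of the NAT, reports each source-port change with the idle time that preceded it, and brackets the NAT's UDP timeout between the longest idle gap that kept the port and the shortest one that lost it. The capture, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample in the style of `tcpdump -tt -n udp` output. Addresses are
# documentation ranges; 12501/12502 follow the port pair named in the post.
SAMPLE = """\
983218000.0 IP 192.0.2.10.12501 > 198.51.100.7.12502: UDP, length 96
983218030.0 IP 192.0.2.10.12501 > 198.51.100.7.12502: UDP, length 96
983219230.0 IP 192.0.2.10.12501 > 198.51.100.7.12502: UDP, length 96
983222900.0 IP 192.0.2.10.61022 > 198.51.100.7.12502: UDP, length 96
983222910.0 IP 192.0.2.10.61022 > 198.51.100.7.12502: UDP, length 96
983230110.0 IP 192.0.2.10.61507 > 198.51.100.7.12502: UDP, length 96
"""

LINE = re.compile(r"^(\d+\.\d+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): UDP")

def gaps(capture):
    """Yield (time, src_ip, old_port, new_port, idle_seconds) for each pair of
    consecutive packets from the same source to the same destination port."""
    last = {}  # (src_ip, dst_ip, dst_port) -> (src_port, timestamp)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore anything that is not a UDP packet line
        ts, src, sport = float(m[1]), m[2], int(m[3])
        key = (src, m[4], int(m[5]))
        if key in last:
            old_port, old_ts = last[key]
            yield (ts, src, old_port, sport, ts - old_ts)
        last[key] = (sport, ts)

def port_changes(capture):
    """Packets whose source port differs from the previous packet of the flow."""
    return [g for g in gaps(capture) if g[2] != g[3]]

def timeout_bounds(capture):
    """(longest idle gap that kept the port, shortest idle gap that lost it).
    The NAT's UDP association timeout lies between the two values."""
    kept = [g[4] for g in gaps(capture) if g[2] == g[3]]
    lost = [g[4] for g in gaps(capture) if g[2] != g[3]]
    return (max(kept, default=None), min(lost, default=None))

if __name__ == "__main__":
    for ts, src, old, new, idle in port_changes(SAMPLE):
        print(f"{ts:.0f} {src}: port {old} -> {new} after {idle:.0f}s idle")
    print("timeout between (seconds):", timeout_bounds(SAMPLE))
```

If every port change follows an idle gap longer than any gap that kept the port, the capture is consistent with a NAT association timeout rather than with CIPE choosing a different port.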