Kerio User Forums » Kerio Control » maximum number of NAT sessions?

ipsys wrote:
As per the description, what is the maximum number of NAT sessions for the NG500?

https://image.ibb.co/fO7CTJ/Screen_Shot_2018_05_30_at_3_33_49_pm.png
Kerio/GFI Brian wrote:
The max number of NAT port allocations is the same for all installation types of Kerio Control. In the configuration file "winroute.cfg" there is a table for "NAT" that defines the default range. It's 32768 through 65534. Ports get freed up when the connection is closed or times out.
Make sure you have not increased the connection limits (in Security Settings). Actually you may consider lowering them. Check the Active Hosts to see if you have any systems which are consuming a lot of connections.
If you want to modify the DynamicPortsRangeStart from 32768 to something lower, you can edit the configuration using the instructions in this topic: https://manuals.gfi.com/en/kerio/control/content/server-configuration-kerio-control/modifying-parameters-in-kerio-control-configuration-1745.html

Brian Carmichael
Instructional Content Architect
ipsys wrote:
Thank you. Please can I know why the connections are not being closed?

https://preview.ibb.co/cbMCdJ/Screen_Shot_2018_05_30_at_4_15_38_pm.png

As you can see, one host has 600,000+ connections, far greater than the 32,768 available to the NAT?

Also, as a result, I have enabled the security settings to limit the number of connections to 30,000; however, I see it's possible to pass this?

https://image.ibb.co/dXfkXd/Screen_Shot_2018_05_30_at_5_05_38_pm.png

https://preview.ibb.co/dtYiJJ/Screen_Shot_2018_05_30_at_5_06_43_pm.png
Kerio/GFI Brian wrote:
Kerio Control uses port preserving when possible. So for certain types of connections it's not necessary to translate the source port. But keep in mind that the NAT port range is a separate configuration from the connection limit, however a relaxed connection limit policy like you have can cause the NAT port allocation to become exhausted.

The default value for max connections from an IP address is 600, which is much lower than the value you've set. Considering that you have hosts with much higher than the limit, I guess these hosts belong to an IP address group which is excluded from the limit.
In a normal environment, a host should only use up to a few hundred connections. It seems though your environment is unusual as you have many hosts on your network that consume an excessive amount of connections.

Kerio/GFI Brian wrote:
I forgot to mention that you can see the age and timeout of connections by clicking on the column header of the connection view and choosing to enable those columns.

ipsys wrote:
But if the connection limit is set to 30,000, it shouldn't be possible to pass this value?

This guy is only continuously incrementing. Am I missing something?

https://preview.ibb.co/bYq0iJ/Screen_Shot_2018_05_30_at_6_22_17_pm.png
Kerio/GFI Brian wrote:
Probably those hosts belong to an exceptions list defined in the connection limit feature.

ipsys wrote:
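The allocation behaviour Brian describes in his replies above (a fixed dynamic range of 32768 to 65534, port preservation when the original source port is free, release on close or timeout, a per-host connection limit that defaults to 600, and an exceptions list that bypasses that limit) can be modelled directly, which makes the numbers in this thread easier to reason about. The following Python is an added example and not Kerio code: the idle timeout, the data structures and the sample hosts 10.0.0.5 and 10.0.0.7 are constructed assumptions for the simulation; only the range bounds and the 600-connection default come from the thread.

```python
"""Toy model of NAT port allocation and per-host connection limiting.

Added example, not Kerio code. It reproduces the behaviour described in the
forum thread: a dynamic port range of 32768-65534, source-port preservation
when the port is not already translated, release on close or timeout, and a
per-host connection limit with an exceptions list. The idle timeout and the
sample hosts are assumptions made for the simulation.
"""
from dataclasses import dataclass

DYNAMIC_PORTS_RANGE_START = 32768   # winroute.cfg default quoted in the thread
DYNAMIC_PORTS_RANGE_END = 65534     # inclusive
DEFAULT_MAX_CONNS_PER_HOST = 600    # default connection limit quoted in the thread


class PortsExhausted(Exception):
    """No free port is left in the dynamic range."""


class ConnectionLimit(Exception):
    """The per-host connection limit has been reached."""


@dataclass
class Conn:
    host: str
    src_port: int
    nat_port: int
    last_seen: float


class NatTable:
    def __init__(self, start=DYNAMIC_PORTS_RANGE_START, end=DYNAMIC_PORTS_RANGE_END,
                 idle_timeout=300.0, max_per_host=DEFAULT_MAX_CONNS_PER_HOST,
                 exceptions=()):
        self.start, self.end = start, end
        self.idle_timeout = idle_timeout        # assumed value, not a Kerio default
        self.max_per_host = max_per_host
        self.exceptions = set(exceptions)       # hosts excluded from the limit
        self.free = set(range(start, end + 1))  # unallocated dynamic ports
        self.in_use = {}                        # nat_port -> Conn
        self.per_host = {}                      # host -> number of open flows

    @property
    def capacity(self):
        return self.end - self.start + 1        # 32767 with the defaults

    def open(self, host, src_port, now):
        """Translate a new outbound flow; raise if a limit is hit."""
        if host not in self.exceptions and self.per_host.get(host, 0) >= self.max_per_host:
            raise ConnectionLimit(f"{host} already has {self.max_per_host} connections")
        if src_port not in self.in_use:
            # Port preservation: the source port is kept, so it does not
            # consume a dynamic port unless it happens to lie in the range.
            nat_port = src_port
            self.free.discard(nat_port)         # no-op outside the dynamic range
        else:
            if not self.free:
                raise PortsExhausted("dynamic NAT port range exhausted")
            nat_port = self.free.pop()
        self.in_use[nat_port] = Conn(host, src_port, nat_port, now)
        self.per_host[host] = self.per_host.get(host, 0) + 1
        return nat_port

    def close(self, nat_port):
        """Release one translation and return its port to the pool if applicable."""
        conn = self.in_use.pop(nat_port)
        self.per_host[conn.host] -= 1
        if self.start <= nat_port <= self.end:
            self.free.add(nat_port)

    def expire(self, now):
        """Release every translation idle for at least idle_timeout; return the count."""
        stale = [p for p, c in self.in_use.items() if now - c.last_seen >= self.idle_timeout]
        for port in stale:
            self.close(port)
        return len(stale)

    def stats(self):
        return {"free": len(self.free), "in_use": len(self.in_use),
                "per_host": dict(self.per_host)}


def demo():
    """Reproduce the two walls from the thread with constructed traffic."""
    nat = NatTable(exceptions={"10.0.0.5"})
    # 1. A host that is not on the exceptions list is refused at flow 601.
    for port in range(1024, 1024 + DEFAULT_MAX_CONNS_PER_HOST):
        nat.open("10.0.0.7", port, now=0)
    try:
        nat.open("10.0.0.7", 5000, now=0)
        limited = False
    except ConnectionLimit:
        limited = True
    # 2. An excepted host that reuses one source port needs a translated port
    #    for every flow after the first and drains the range after `capacity` flows.
    opened = 0
    try:
        while True:
            nat.open("10.0.0.5", 40000, now=0)
            opened += 1
    except PortsExhausted:
        pass
    # 3. Once the flows time out, every port comes back.
    freed = nat.expire(now=600)
    return {"limited": limited, "opened": opened, "freed": freed,
            "free_after": nat.stats()["free"]}
```

Running demo() shows both walls discussed in the thread: the limited host is refused at its 601st flow, while the excepted host gets exactly 32767 translations (one preserved, the rest drawn from the range) before the allocator reports exhaustion, and all of those ports return to the pool once expire() runs past the timeout. Lowering DynamicPortsRangeStart widens the range; trimming the exceptions list and the per-host limit is what stops a single host from draining it.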
Actually, at the time of writing, there were no exceptions. The security settings in my screenshot above were the only security settings that were enabled. I set the limit as high as I did because under the client list I was seeing 80,000+ connections. As it turns out, this number doesn't appear to be correct, because when I click on the Connections tab it only reports up to 1211 'items' (you can see this in my screenshots above). It gives a false sense of the real situation, with this number only incrementing. Also, under 'Active Connections' it never passed some 5x,xxx items. It does look like this limitation is global; that is to say, if I have many public IPs, using NAT and load balancing, I still encounter this problem.

Since this problem surfaced, I have gone back to routing our network through the Kerio to another device, as we didn't have this problem before we started to use the NAT on the Kerio; we were hoping to remove a hop.

But thank you very much for your help. What I have also done (as I was never aware of this limitation of NAT; this is my first time hitting this wall, or even getting close to it) is to NAT some clients via a port in the Kerio and put the bulk of the traffic to the other device. This will only buy some time as the number of hosts in our network increases.