Zyxel NAT-Router blocks new TCP connections

Symptom: Although data can still be transferred over existing TCP connections, no new TCP connections can be opened. Even ping packets don't get through.

Hardware: Zyxel Prestige 310 Router with NAT (SUA) activated.

Software: ZyNOS 3.50.

Cause: The Zyxel Prestige 310 router supports a maximum of 256 NAT connections. When all 256 entries of the NAT table are in use, no new connections can be established. TCP sessions that are not closed properly keep their NAT table entry for up to 270 seconds. A program that opens and closes many TCP connections within a short time therefore uses up all 256 NAT table entries and blocks the router for new connections.

Solution: Change the configuration parameters of the program that opens so many TCP connections.
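As an added illustration (not part of the original note), the following Python model of the router's NAT table shows why a program that leaves sessions unclosed fills the 256 entries long before the 270-second stale timer frees any of them, while a program that closes its sessions properly is never blocked. The table size and timeout are taken from the note; the connection rate, addresses and ports are constructed for the simulation.

```python
NAT_TABLE_SIZE = 256   # maximum NAT entries on the Prestige 310 (from the note)
STALE_TIMEOUT = 270    # seconds an improperly closed TCP session holds an entry


class NatTable:
    """Model of the router's NAT table: every outbound session holds one
    entry until it is closed properly or its stale timer expires."""

    def __init__(self, size=NAT_TABLE_SIZE, timeout=STALE_TIMEOUT):
        self.size, self.timeout = size, timeout
        self.entries = {}  # session 4-tuple -> time the entry was created

    def _expire(self, now):
        # Entries of unclosed sessions are only reclaimed after the timeout.
        stale = [k for k, t in self.entries.items() if now - t >= self.timeout]
        for k in stale:
            del self.entries[k]

    def open(self, now, key):
        """Return True if the router can map a new session, False if blocked."""
        self._expire(now)
        if key in self.entries:
            return True
        if len(self.entries) >= self.size:
            return False  # table full: the symptom described above
        self.entries[key] = now
        return True

    def close(self, key):
        """A proper close (FIN/RST seen by the router) frees the entry at once."""
        self.entries.pop(key, None)


def simulate(conns_per_sec, closes_properly, duration=600,
             size=NAT_TABLE_SIZE, timeout=STALE_TIMEOUT):
    """Open `conns_per_sec` new sessions every second for `duration` seconds.
    Return the first second at which the router refuses a connection,
    or None if the table never fills up."""
    table = NatTable(size, timeout)
    n = 0
    for now in range(duration):
        for _ in range(conns_per_sec):
            # constructed client/server 4-tuple with a fresh ephemeral port
            key = ("192.168.1.10", 40000 + n, "203.0.113.5", 80)
            n += 1
            if not table.open(now, key):
                return now
            if closes_properly:
                table.close(key)
    return None
```

With one unclosed connection per second the router refuses the 257th session at second 256, well inside the 270-second window; with proper closes the same rate never blocks.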

The following ZyNOS command can be used to list the NAT table of the router (menu 24.8):

ip nat iface enif1 status

For ADSL routers with ZyNOS 3.40 the command is:

ip nat iface wanif0

For old ZyNOS versions (2.50) the command is:

ip sua iface enif0 status

Author: Christian d'Heureuse (chdh@inventec.ch, www.source-code.biz)