Fast-path

The behavior of the fast-path network stack can be customized globally, and per VRF.

If a VRF has no configuration value, the global configuration applies. A VRF configuration overrides the global one.

ALG

ALGs (Application Layer Gateways) allow specific applications to work through CG-NAT or fp-firewall.

The following ALGs are available and preconfigured with default parameters:

| ALG       | Protocol | Port | Established Timeout | Description                           |
|-----------|----------|------|---------------------|---------------------------------------|
| dns       | UDP      | 53   | 5 seconds           | Domain Name System                    |
| ftp       | TCP      | 21   | TCP default         | File Transfer Protocol                |
| tftp      | UDP      | 69   | UDP default         | Trivial File Transfer Protocol        |
| rtsp      | TCP      | 554  | 60 seconds          | Real Time Streaming Protocol          |
| sip-tcp   | TCP      | 5060 | 3600 seconds        | Session Initiation Protocol (TCP)     |
| sip-udp   | UDP      | 5060 | 3600 seconds        | Session Initiation Protocol (UDP)     |
| pptp      | TCP      | 1723 | TCP default         | Point-to-Point Tunneling Protocol     |
| h323_q931 | TCP      | 1720 | TCP default         | H.323 Call Signaling (Q.931)          |
| h323_ras  | UDP      | 1719 | UDP default         | H.323 Registration, Admission, Status |

The following configuration activates the DNS ALG and sets its session timeout to 1000.

vsr running config# / system network-stack fast-path alg dns session-timeout 1000

The configuration can be overridden at the VRF level. The following configuration sets the DNS session-timeout to 500 in the test VRF, while it stays at the previously defined value of 1000 in the other VRFs.

vsr running config# / vrf main network-stack fast-path alg dns session-timeout 500

To display the ALG configuration:

vsr> show state / vrf main network-stack fast-path alg
alg dns
    port 53
    session-timeout 500
    ..

The same configuration can be made using this NETCONF XML configuration:

vsr> show config xml absolute nodefault / vrf main network-stack fast-path alg
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <network-stack xmlns="urn:6wind:vrouter/system">
      <fast-path xmlns="urn:6wind:vrouter/fast-path-network-stack">
        <alg>
          <name>dns</name>
          <session-timeout>500</session-timeout>
        </alg>
      </fast-path>
    </network-stack>
  </vrf>
</config>

Note

In previous versions, dns-udp was the default value. This is no longer the case, so you may need to configure it at its new path: / system network-stack fast-path alg dns.

Conntracks

Conntrack timeouts can be set for each protocol. UDP, ICMP and GRE protocols only handle basic conntrack states (new, established, closed), whereas TCP offers more granularity.

The following table lists the default timeouts for each protocol and connection state.

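| Protocol    | State            | Timeout (seconds)        |
|-------------|------------------|--------------------------|
| TCP         | Syn Sent         | 30                       |
| TCP         | Simultaneous Syn | 30                       |
| TCP         | Syn Received     | 60                       |
| TCP         | Established      | 7440 (2 hours 4 minutes) |
| TCP         | Fin Sent         | 120                      |
| TCP         | Fin Received     | 120                      |
| TCP         | Close Wait       | 60                       |
| TCP         | Fin Wait         | 120                      |
| TCP         | Last Ack         | 30                       |
| TCP         | Time Wait        | 120                      |
| TCP         | Closed           | 10                       |
| UDP         | New              | 30                       |
| UDP         | Established      | 120                      |
| ICMP/ICMPv6 | New              | 30                       |
| ICMP/ICMPv6 | Established      | 60                       |
| GRE         | New              | 600                      |
| GRE         | Established      | 18000 (5 hours)          |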

Note

For connectionless protocols (UDP, ICMP, and GRE), the established state indicates that packets have been observed in both directions for a given conntrack.

The following configuration sets the timeout of the TCP established state to 100:

vsr running config# / system network-stack fast-path conntrack timeouts tcp established 100

The following configuration disables the conntrack tcp-window-check behavior:

vsr running config# / system network-stack fast-path conntrack behavior tcp-window-check enabled false

To fragment NAT64 packets according to the MTU of the output interface:

vsr running config# / system network-stack fast-path conntrack nat64 mtu lowest-ipv6 0

To adjust the TCP MSS of DS-Lite packets to avoid fragmentation:

vsr running config# / system network-stack fast-path conntrack ds-lite option adjust-tcp-mss 1420

The same configuration can be made using this NETCONF XML configuration:

vsr> show config xml absolute nodefault / system network-stack fast-path conntrack
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <network-stack>
      <fast-path xmlns="urn:6wind:vrouter/fast-path-network-stack">
        <conntrack>
          <behavior>
            <tcp-options>tcp-window-check</tcp-options>
            <enabled>false</enabled>
          </behavior>
          <timeouts>
            <tcp>
              <state>established</state>
              <timeout>100</timeout>
            </tcp>
          </timeouts>
          <nat64>
            <mtu>
              <option>lowest-ipv6</option>
              <value>0</value>
            </mtu>
          </nat64>
          <ds-lite>
            <option>
              <option>adjust-tcp-mss</option>
              <value>1420</value>
            </option>
          </ds-lite>
        </conntrack>
      </fast-path>
    </network-stack>
  </system>
</config>
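
To spot where a configuration departs from the defaults listed above, the following added example (not 6WIND's own code) parses the NETCONF XML and reports each overridden TCP timeout and each disabled conntrack behavior. Only the established state key appears on this page; the other key spellings are assumptions, and the sample XML is a constructed copy of the conntrack part shown above.

```python
import xml.etree.ElementTree as ET

FP = "{urn:6wind:vrouter/fast-path-network-stack}"  # namespace from the page's XML

# TCP defaults in seconds, from the table on this page. Only the "established"
# key spelling appears on the page; the other spellings are assumptions.
TCP_DEFAULTS = {"syn-sent": 30, "simultaneous-syn": 30, "syn-received": 60,
                "established": 7440, "fin-sent": 120, "fin-received": 120,
                "close-wait": 60, "fin-wait": 120, "last-ack": 30,
                "time-wait": 120, "closed": 10}

# Constructed sample: the behavior and timeouts part of the XML shown above.
SAMPLE = """<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system"><network-stack>
    <fast-path xmlns="urn:6wind:vrouter/fast-path-network-stack"><conntrack>
      <behavior>
        <tcp-options>tcp-window-check</tcp-options><enabled>false</enabled>
      </behavior>
      <timeouts><tcp>
        <state>established</state><timeout>100</timeout>
      </tcp></timeouts>
    </conntrack></fast-path>
  </network-stack></system>
</config>"""


def audit_conntrack(xml_text):
    """Return (setting, configured, default) tuples for values worth reviewing."""
    findings = []
    for ct in ET.fromstring(xml_text).iter(FP + "conntrack"):
        # Behaviors switched off; their defaults are not stated on the page.
        for beh in ct.findall(FP + "behavior"):
            if beh.findtext(FP + "enabled") == "false":
                name = beh.findtext(FP + "tcp-options")
                findings.append((f"behavior {name}", "disabled", None))
        # TCP state timeouts that differ from the documented default.
        for tcp in ct.findall(f"{FP}timeouts/{FP}tcp"):
            state = tcp.findtext(FP + "state")
            value = int(tcp.findtext(FP + "timeout"))
            default = TCP_DEFAULTS.get(state)  # None if the state is unknown
            if value != default:
                findings.append((f"tcp {state}", value, default))
    return findings


if __name__ == "__main__":
    for setting, configured, default in audit_conntrack(SAMPLE):
        print(f"{setting}: configured={configured} default={default}")
```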

See also

The command reference for details.