Consider the following scenario:
- An outgoing source port is used shortly after the previous connection through that source port is closed.
- The outgoing source port is used to make a new outgoing connection to the same external server.
- The previous connection on the external server is in the TIME_WAIT state.
The TIME_WAIT state is defined in RFC 793 (TCP). It protects a new connection on the same four-tuple from being corrupted by delayed segments that may still belong to the previous connection. Under RFC 793, the endpoint that performs the active close (sends the first FIN) holds the connection in TIME_WAIT for 2*MSL, twice the maximum segment lifetime; with the RFC's MSL of two minutes, that is four minutes.
The outgoing SecureNAT connection will fail when the following conditions are true:
- TMG uses the same source port for an outgoing connection to the external server within four minutes of a previous connection.
- The external server has the previous connection from the same source port in a TIME_WAIT state.
This issue is encountered only when there are high levels of outgoing SecureNAT client traffic and when most of the outgoing SecureNAT client traffic is directed to the same external server.
TMG Service Pack 2 adds TIME_WAIT support for the outgoing NAT port pool.
To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
DWORD: ApplyCooldownForLocalSourcePortReuseValue = 1.
Default value: 0 (minimum value = 0, maximum value = 1). A value of 0 leaves the cool-down disabled; a value of 1 enables it.
Following RFC 793, the default cool-down before a source port is reused for the same external server is four minutes, expressed in milliseconds (240000).
Although we do not recommend changing the default values, the cool-down time can be adjusted by using the following registry subkey. Lowering it below 2*MSL reintroduces the failure against servers that hold the full TIME_WAIT period; raising it keeps ports out of the pool for longer and so increases the chance of port pool exhaustion under heavy traffic to one server.
Value: Time in milliseconds.
Default value: 240000 (minimum value = 0, maximum value = 100000000).
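As an added illustration (this is not code from the Knowledge Base article or from TMG), the following Python model shows both halves of the article: a NAT source-port pool that reuses ports oldest-released first, an external server that keeps each closed four-tuple in TIME_WAIT for 2*MSL, and the difference a per-(port, server) cool-down makes. The pool and server classes, the port range, the server address 203.0.113.10:443 and the traffic pattern are all constructed assumptions; the four-minute cool-down and the default-off setting mirror the registry values described above.

```python
"""Model of an outgoing NAT source-port pool with an optional TIME_WAIT-style
cool-down on source-port reuse.  Constructed illustration: this is not TMG's
implementation, and all ports, addresses and traffic patterns are made up."""
from collections import deque

MSL_MS = 120_000                      # RFC 793 maximum segment lifetime: 2 minutes
DEFAULT_COOLDOWN_MS = 2 * MSL_MS      # 240000 ms, the four-minute default described above
SERVER = "203.0.113.10:443"           # hypothetical external server (TEST-NET-3 address)


class PortPool:
    """Outgoing NAT port pool.  Ports are reused oldest-released first, which is
    what brings a port back to the same server while it is still in TIME_WAIT."""

    def __init__(self, ports, apply_cooldown=False, cooldown_ms=DEFAULT_COOLDOWN_MS):
        self.free = deque(ports)                 # FIFO of free source ports
        self.apply_cooldown = apply_cooldown     # mirrors the registry default of 0 (off)
        self.cooldown_ms = cooldown_ms
        self.last_closed = {}                    # (port, server) -> time the last connection closed
        self.in_use = {}                         # port -> server it is currently connected to

    def _cooling(self, port, server, now_ms):
        closed = self.last_closed.get((port, server))
        return closed is not None and now_ms - closed < self.cooldown_ms

    def allocate(self, server, now_ms):
        """Return a source port for a new connection to server, or None if every
        free port is still cooling down for that server (pool exhausted)."""
        for _ in range(len(self.free)):
            port = self.free.popleft()
            if self.apply_cooldown and self._cooling(port, server, now_ms):
                self.free.append(port)           # skip it for this server, keep it in the pool
                continue
            self.in_use[port] = server
            return port
        return None

    def release(self, port, now_ms):
        """Return a port to the pool and remember when it was last used per server."""
        server = self.in_use.pop(port)
        self.last_closed[(port, server)] = now_ms
        self.free.append(port)


class ExternalServer:
    """The external server's side: after it closes a connection, that four-tuple
    (reduced here to the client's source port, because the NAT address and the
    server address never change) stays in TIME_WAIT for 2*MSL."""

    def __init__(self, msl_ms=MSL_MS):
        self.msl_ms = msl_ms
        self.time_wait = {}                      # client source port -> time the connection closed

    def accept(self, client_port, now_ms):
        """A SYN from a four-tuple still in TIME_WAIT is rejected; otherwise the
        expired entry is dropped and the connection succeeds."""
        closed = self.time_wait.get(client_port)
        if closed is not None and now_ms - closed < 2 * self.msl_ms:
            return False
        self.time_wait.pop(client_port, None)
        return True

    def close(self, client_port, now_ms):
        self.time_wait[client_port] = now_ms


def simulate(apply_cooldown, ports, n_connections, gap_ms, hold_ms):
    """Open n_connections short connections to SERVER, gap_ms apart, each held
    for hold_ms (hold_ms < gap_ms, so each one closes before the next starts).
    Returns (succeeded, failed_in_time_wait, pool_exhausted)."""
    pool = PortPool(ports, apply_cooldown=apply_cooldown)
    server = ExternalServer()
    ok = failed = exhausted = 0
    for i in range(n_connections):
        now = i * gap_ms
        port = pool.allocate(SERVER, now)
        if port is None:
            exhausted += 1
            continue
        if server.accept(port, now):
            ok += 1
            server.close(port, now + hold_ms)    # server closes first, so it holds TIME_WAIT
            pool.release(port, now + hold_ms)
        else:
            failed += 1
            pool.release(port, now)              # the SYN was rejected; give the port back
    return ok, failed, exhausted


if __name__ == "__main__":
    ports = range(60000, 60004)   # a deliberately tiny pool so reuse happens within seconds
    print("cool-down off:", simulate(False, ports, 10, 1000, 100))
    print("cool-down on: ", simulate(True, ports, 10, 1000, 100))
```

With the cool-down off, the fifth connection onward lands on a port the server still holds in TIME_WAIT and fails; with it on, those same connections are refused locally as pool exhaustion instead. The cool-down therefore only helps in practice when the outgoing port pool is large relative to the rate of connections to any single server, which is the same condition the article names as the trigger for this issue.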
Article ID: 2596065 - Last Review: Oct 31, 2011 - Revision: 1