
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Symptoms

Outgoing connections from SecureNAT clients may intermittently fail because of how Microsoft Forefront Threat Management Gateway (TMG) 2010 manages its outgoing network address translation (NAT) source port pool.

Cause

When an outgoing SecureNAT connection is made through a TMG server and NAT is applied, TMG has to determine the outgoing source port that will be used for the NAT connection. TMG maintains a pool of source ports to use for outgoing NAT connections. When a connection is closed, the outgoing source port is freed back to the pool and is immediately available for a later outgoing connection.

Consider the following scenario:

  • An outgoing source port is used shortly after the previous connection through that source port is closed.

  • The outgoing source port is used to make a new outgoing connection to the same external server.

  • The previous connection on the external server is in the TIME_WAIT state.

In this scenario, this connection attempt may fail.

The TIME_WAIT state is defined in RFC 793 and protects a new connection on the same source address, source port, destination address and destination port from being corrupted by segments that may still be in flight from the previous connection. As per RFC 793, the side that closes a connection gracefully holds it in TIME_WAIT for two times the maximum segment lifetime (2*MSL); with the RFC's MSL of two minutes, that is four minutes.

The outgoing SecureNAT connection will fail when the following conditions are true:

  • TMG uses the same source port for an outgoing connection to the external server within four minutes of a previous connection.

  • The external server has the previous connection from the same source port in a TIME_WAIT state.

When these conditions are true, the external server will not accept the new connection attempt. This causes the outgoing SecureNAT connection to fail.

This issue is encountered only when there are high levels of outgoing SecureNAT client traffic and when most of the outgoing SecureNAT client traffic is directed to the same external server.
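The allocation policy described under "Cause", modelled as an added PowerShell example (illustrative code written for this page, not TMG's implementation): a constructed pool of only ten source ports, one external server whose TIME_WAIT table holds each closed four-tuple for 2*MSL, and a constructed load of forty short-lived connections to that server. Without a cool-down a freed port is handed out again while the server still holds it in TIME_WAIT and the attempt fails; with a cool-down the port is parked instead, which with this deliberately small pool shows up as pool exhaustion. The pool size, connection rate, lifetime and server name are assumptions chosen to trigger the condition quickly.

```powershell
# Added illustration, not TMG code: a simplified outgoing NAT source-port pool
# with and without a TIME_WAIT-style cool-down on freed ports.

$CooldownMs = 240000   # 2*MSL per RFC 793 (four minutes), the TMG SP2 default

function New-PortPool {
    param([int]$First = 1025, [int]$Last = 1034, [bool]$ApplyCooldown)
    [pscustomobject]@{
        Free          = [System.Collections.Generic.Queue[int]]::new([int[]]($First..$Last))
        InUse         = @{}    # port -> external server
        Cooling       = @{}    # port -> time (ms) at which it may be reused
        ApplyCooldown = $ApplyCooldown
    }
}

function Request-SourcePort {
    param($Pool, [string]$Server, [long]$NowMs)
    # Ports whose cool-down has expired return to the free queue.
    foreach ($p in @($Pool.Cooling.Keys)) {
        if ($Pool.Cooling[$p] -le $NowMs) { $Pool.Cooling.Remove($p); $Pool.Free.Enqueue($p) }
    }
    if ($Pool.Free.Count -eq 0) { return $null }   # pool exhausted
    $port = $Pool.Free.Dequeue()
    $Pool.InUse[$port] = $Server
    return $port
}

function Close-SourcePort {
    param($Pool, [int]$Port, [long]$NowMs)
    $Pool.InUse.Remove($Port)
    if ($Pool.ApplyCooldown) { $Pool.Cooling[$Port] = $NowMs + $CooldownMs }
    else { $Pool.Free.Enqueue($Port) }   # immediately reusable: the pre-SP2 behaviour
}

function Test-Scenario {
    param([bool]$ApplyCooldown)
    $server = 'www.example.com'                      # assumed external server
    $pool = New-PortPool -First 1025 -Last 1034 -ApplyCooldown $ApplyCooldown
    $serverTimeWait = @{}   # "server:port" -> expiry (ms): the external host's TIME_WAIT table
    $opened = 0; $failed = 0; $exhausted = 0
    # Constructed load: 40 connections to one server, one every 3 s, each living 1 s.
    for ($i = 0; $i -lt 40; $i++) {
        $now = $i * 3000
        $port = Request-SourcePort -Pool $pool -Server $server -NowMs $now
        if ($null -eq $port) { $exhausted++; continue }
        $key = "${server}:$port"
        if ($serverTimeWait.ContainsKey($key) -and $serverTimeWait[$key] -gt $now) {
            # The remote host still holds this four-tuple in TIME_WAIT and does not
            # accept the new SYN: the SecureNAT connection fails.
            $failed++
            Close-SourcePort -Pool $pool -Port $port -NowMs $now
            continue
        }
        $opened++
        $closeAt = $now + 1000
        Close-SourcePort -Pool $pool -Port $port -NowMs $closeAt
        $serverTimeWait[$key] = $closeAt + $CooldownMs   # remote enters TIME_WAIT for 2*MSL
    }
    [pscustomobject]@{ Cooldown = $ApplyCooldown; Opened = $opened; Failed = $failed; PoolExhausted = $exhausted }
}

Test-Scenario -ApplyCooldown $false   # ten succeed, the remaining thirty fail in TIME_WAIT
Test-Scenario -ApplyCooldown $true    # ten succeed, the remaining thirty find no free port
```

Run it with `pwsh` or `powershell`. The second line of output is the caveat a practitioner should keep in mind: the cool-down removes the TIME_WAIT collision, but it also keeps every freed port out of the pool for four minutes, so at a sustained rate of N new connections per second to one server roughly N × 240 ports are parked at any time, and the pool has to be large enough for the traffic that triggered the problem in the first place.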

Resolution

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

TMG Service Pack 2 adds TIME_WAIT support for the outgoing NAT port pool: a freed source port is held back for a cool-down period before it can be reused.

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:

2555840 Description of Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010

By default, the TIME_WAIT support in TMG Service Pack 2 is not enabled. To enable it, create the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Fweng\Parameters
DWORD: ApplyCooldownForLocalSourcePortReuse
Value: 1
Default value: 0. (Minimum value = 0. Maximum value = 1.)

You must restart the TMG server for the registry change to take effect.

As per RFC 793, the default cool-down before a freed source port is reused is four minutes (240000 milliseconds).

Although we do not recommend changing the default, the cool-down time can be adjusted by using the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Fweng\Parameters
DWORD: CooldownForLocalSourcePortReuseTime
Value: Time in milliseconds.
Default value: 240000. (Minimum value = 0. Maximum value = 100000000.)

You must restart the TMG server for the registry change to take effect.

A value shorter than 2*MSL reintroduces the failure that is described in the "Cause" section against servers that hold TIME_WAIT for the full four minutes; a longer value keeps each freed port out of the pool for longer, so heavy traffic to one server consumes more of the pool.
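The registry change described above as an added PowerShell example (not code from the KB article): it backs up the Fweng\Parameters key with reg.exe, as the warning at the top of this section recommends, writes both REG_DWORD values with the documented ranges enforced, and reads them back. The backup file location is an assumption; the value names, defaults and ranges are the ones listed above.

```powershell
# Added example, not part of the KB article: enable the SP2 TIME_WAIT support
# on a TMG 2010 server and verify the values. Run in an elevated PowerShell on
# the TMG server; the change takes effect only after the server is restarted.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\services\Fweng\Parameters'
$BackupFile = "$env:TEMP\Fweng-Parameters-backup.reg"   # assumed backup location

function Set-TmgPortReuseCooldown {
    param(
        [ValidateRange(0, 1)][int]$Apply = 1,                    # ApplyCooldownForLocalSourcePortReuse
        [ValidateRange(0, 100000000)][int]$CooldownMs = 240000   # 2*MSL per RFC 793
    )
    if (Test-Path $Path) {
        # Back up the key before modifying it.
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\services\Fweng\Parameters' $BackupFile /y | Out-Null
    } else {
        New-Item -Path $Path -Force | Out-Null
    }
    # Both values are REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $Path -Name 'ApplyCooldownForLocalSourcePortReuse' `
        -Value $Apply -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Path -Name 'CooldownForLocalSourcePortReuseTime' `
        -Value $CooldownMs -PropertyType DWord -Force | Out-Null
}

function Get-TmgPortReuseCooldown {
    # Read the values back; a missing value is reported as the documented default.
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $apply = 0
    $ms = 240000
    if ($null -ne $p -and $null -ne $p.ApplyCooldownForLocalSourcePortReuse) { $apply = $p.ApplyCooldownForLocalSourcePortReuse }
    if ($null -ne $p -and $null -ne $p.CooldownForLocalSourcePortReuseTime) { $ms = $p.CooldownForLocalSourcePortReuseTime }
    [pscustomobject]@{
        ApplyCooldownForLocalSourcePortReuse = $apply
        CooldownForLocalSourcePortReuseTime  = $ms
        CooldownEnabled                      = ($apply -eq 1)
    }
}

Set-TmgPortReuseCooldown -Apply 1          # keeps the default 240000 ms cool-down
Get-TmgPortReuseCooldown
Write-Host 'Restart the TMG server for the change to take effect.'
```

The ValidateRange attributes reject values outside the minimum and maximum documented above before anything is written, which is the check you want when the script is run from change-control rather than by hand.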

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates
