Ta.
>...when all the hosts behind a many to one NAT are talking to exactly the same server.
Yup - exactly the scenario
>The server would immediately free up the connection and not have to implement the TIME_WAIT timer as after a FIN there is no possibility of more packets arriving.
My understanding was the
server notes the source pair presented to it and refuses to accept a subsequent SYN until TIME_WAIT expires (unless applying the allowed exception on perpetually ascending sequence numbers)
to prevent the possibility of late/malicious packets.
>...where the SOAP session is sat idle....
There is never idle state. In consequence of user action worksation front-end app HTTP POST's a SOAP message containing service request to webservice which accepts/responds with data and status. This obviuosly decomposes from SOAP->HTTP->TCP/IP transports, but each service request is a complete and distinct action in its own right - we're never waiting on using to provide further transitory action mid-request.
>It's unlikely. Most home / soho router / firewalls run on a Linux kernel which uses TCP ports 32768 to 61000 as ephemeral ports so you have 28,232 to play with. With 10 users that would give 2832 ports each !
That's good; as long as they adhere to this 'standard' then I agree it shouldn't run out[1].
If it is restricted though, I can see issue:
* Although you can increase ephemeral port range
on users workstation, the intermediate NAT'ing device must keep state on what is being used, so
* It either
(a) NAT's with 1:1 port mapping, in which case it can't accept same port from 2nd internal IP whilst conversation is in progress
(otherwise how would it know which way to chuck returned packets - iIP1, or iIP2?), and must therefore reject (internally)
2nd iIP request, or
(b) it both NAT's
and PAT's for the widened range of workstation ports, increasing use of (restricted set) ephemeral ports seen
from Public IP perspective, leading to the receiving server holding more records in TIME_WAIT state
[1] Doesn't explain why I'm seeing rejections on attempt to recycle source pair use in < 1 s period though, unless NAT'ing device code is trying to be smart and hold onto prior use, without increasing sequence numbers