https://devzone.nordicsemi.com/f/nordic-q-a/104501/mqtt-connection-resets---keepaliveI&#39;m hoping someone can view the modem traces I have here to help me understand why the mqtt connection is being reset. I&#39;d like to test a keep-alive on the order of hours, but the connection is being reset at PINGREQs. I&#39;m using a nrf9160DK, MFW 1.3en-USTelligent Community 13Thu, 19 Oct 2023 09:06:19 GMThttps://devzone.nordicsemi.com/thread/451228?ContentTypeID=1Thu, 19 Oct 2023 09:06:19 GMT137ad170-7792-4731-bb38-c0d22fbe4515:9002c804-ec19-4009-b7f2-b898734e0774JONATHAN LL<p>Hi,&nbsp;<br /><br />So from the logs it seems that the issue is likely the keepalive.&nbsp;<br /><br />In both cases a RST, ACK sent from server terminating the TCP connection, this is likely due to the&nbsp;MQTT connection timing out. Even though the client request a certain MQTT keepalive it doesn’t mean that the server supports that value.<br /><br /><br />An to add from our expert on the matter:<br /><br /></p> <p>My current conclusion (strong guess without seeing server side traces and/or not knowing how the server side architecture) is that the NAT binding times out on the carrier network side (AT&amp;T) and thus the load balancer / Firewall on the Hive could side (FQDN c59829c0af344d2aa83346efbde5e10c.s1.eu.hivemq.cloud) does not recognize the TCP session anymore (or the session timed out) or the PINREQ packet gets forwarded to a wrong MQTT server as the source IP/Port has changed thus managing existing session mappings. In all cases the cloud side server / load balancer / Firewall responds with RST. Business as usual.</p> <p>Why I refer to load balancer / firewall? That is an educated guess based on the IP header identification and TTL fields.</p> <ul> <li> <p>During the 3-way handshake the server side uses identifications from 0 onwards and TTL is 234.</p> </li> <li> <p>Once the connection moves to TLS the identification field jumps to e.g. 0x9ad7 onwards → high chances this is a different node behind the load balancer as the “IP session” is completely different. TTL is still the same 234..</p> </li> <li> <p>When the server side responds with an RTS the IP identification is copied from the source packet and but TTL is 208 i.e. not the expected 234 → high chances the RTS comes from a different server or load balancer.</p> </li> </ul> <p>There are few obvious ways to tackle the issue:</p> <ul> <li> <p>better choice of a protocol.</p> </li> <li> <p>Use of Private/enterprise APNs → no issues with NATs or they are under the control of the customer.</p> </li> <li> <p>Use more aggressive keepalive, which is closer what the NAT timeouts are on the network side.</p> </li> <li> <p>Use of IPv6 instead of IPv4, since there is not NAT issues with IPv6.</p> </li> </ul> <p><br /><br /><br />Regards,<br />Jonathan</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/451129?ContentTypeID=1Wed, 18 Oct 2023 18:48:02 GMT137ad170-7792-4731-bb38-c0d22fbe4515:da1026e5-5826-4abb-801c-809432657d27ERob<p>Thanks Jonathan. Network is AT&amp;T, and using public cloud for the HiveMQ brokers. </p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/450992?ContentTypeID=1Wed, 18 Oct 2023 08:50:30 GMT137ad170-7792-4731-bb38-c0d22fbe4515:57904d6c-63b6-4184-99a9-a96f927196d9JONATHAN LL<p>Hi,&nbsp;<br /><br />Will look at the trace and provide some feedback, update will follow.<br /><br />What network provider are you using?<br /><br />And are you using public cloud for these brokers or do you host your own servers in HiveMQ?&nbsp;<br /><br />Regards,<br />Jonathan</p><div style="clear:both;"></div>