Endpoints are not refreshed after stateful NAT timeout

[DeepAQ]

What is the issue?

Nodes behind stateful cone NAT with random port assignment do not refresh their endpoints after the first UDP session timed out. Peers behind symmetric NAT cannot establish a direct connection using outdated endpoints.

Steps to reproduce

• Start the client on a node behind stateful NAT with random port assignment.
• Wait for the first UDP session to time out. New UDP sessions will have a different port number on the external IP address.
• Ping the node from a peer behind symmetric NAT. The peer will try to use the old endpoint with outdated port number.

Are there any recent changes that introduced the issue?

No response

OS

Linux

OS version

Docker container with userspace networking

Tailscale version

1.66.4

Other software

No response

Bug report

BUG-30f4b6eed2c4d17a65e5d5aefefe19e63b8eafc48cf94414939a11d321f16916-20240527181408Z-5e4dc334c606668c

[DeepAQ]

It seems that this is caused by idle connection handling. tailscale ping will not make an idle connection active or trigger re-STUN. Direct connection cannot be established until the connection is activated by IP-layer data transfer and periodic re-STUN happens.