nanog mailing list archives
Re: TCP time_wait and port exhaustion for servers
From: Kyrian <kyrian () ore org>
Date: Thu, 06 Dec 2012 15:20:09 +0000
Quoting Ray Soucy <rps () maine edu>:
net.ipv4.tcp_keepalive_intvl = 15 net.ipv4.tcp_keepalive_probes = 3 net.ipv4.tcp_keepalive_time = 90 net.ipv4.tcp_fin_timeout = 30As discussed, those do not affect TCP_TIMEWAIT_LEN. There is a lot of misinformation out there on this subject so please don't just Google for 5 min. and chime in with a "solution" that you haven't verified yourself.
...
Those tunables certainly seem to have actually worked in the real world for me, whether they are right "in theory" or not is possibly another matter.
TLDR? They worked for me, to reduce connections in a TIME_WAIT state, in a real situation, after well over 5 minutes of Googling. Exactly as I said. Further, they differed from the (netfilter) ones posted previously that were stated as not having anything to do with it by someone or other. There's no cause at all for your snotty message back.
What you didn't state in your email was whether these connections were being left in TIME_WAIT because they had not been closed (eg. mobile devices or similar that are somewhat notorious for not closing connections properly), or whether the "normal" close process was taking too long. I suspect that if you had clarified that point initially, things would have made more sense all round.
The tunables listed above, AIUI handle connections that were not properly terminated, and idling out, whereas I believe (having had the opportunity to consider it in more depth) your situation seems more to do with "properly" terminated connections that have hard-coded behaviours in the kernel.
Perhaps you can clarify for the benefit of the masses.Also, if you are going to hack the kernel to make that change, I urge you to make it part of the sysctl mechanism as well, and to send a patch back to the kernel developers to help out others who might be in a similar situation to you. This is both to help the community, and give you an easier means to tweak the setting as needed in future without a further kernel recompile.
K. -- Kev Green, aka Kyrian. E: kyrian@ore.org WWW: http://kyrian.ore.org/ ISP/Perl/PHP/Linux/Security Contractor, via http://www.orenet.co.uk/
Current thread:
- Re: TCP time_wait and port exhaustion for servers, (continued)
- Re: TCP time_wait and port exhaustion for servers David Conrad (Dec 05)
- RE: TCP time_wait and port exhaustion for servers Terry Baranski (Dec 05)
- Re: TCP time_wait and port exhaustion for servers Ray Soucy (Dec 05)
- Re: TCP time_wait and port exhaustion for servers Owen DeLong (Dec 05)
- Re: TCP time_wait and port exhaustion for servers Cyril Bouthors (Dec 05)
- Re: TCP time_wait and port exhaustion for servers Jon Lewis (Dec 05)
- Re: TCP time_wait and port exhaustion for servers Ray Soucy (Dec 06)
- Re: TCP time_wait and port exhaustion for servers Mark Andrews (Dec 05)
- Re: TCP time_wait and port exhaustion for servers Kyrian (Dec 06)
- Re: TCP time_wait and port exhaustion for servers Ray Soucy (Dec 06)
- Re: TCP time_wait and port exhaustion for servers Kyrian (Dec 06)
- Re: TCP time_wait and port exhaustion for servers William Allen Simpson (Dec 06)
- Re: TCP time_wait and port exhaustion for servers Jean-Francois Mezei (Dec 06)
- Re: TCP time_wait and port exhaustion for servers Ray Soucy (Dec 06)
- Re: TCP time_wait and port exhaustion for servers Ray Soucy (Dec 06)
- Re: TCP time_wait and port exhaustion for servers Matthew Palmer (Dec 07)
- Re: TCP time_wait and port exhaustion for servers Ray Soucy (Dec 07)