TCP time_wait and port exhaustion for servers
Owen DeLong
owen at delong.com
Wed Dec 5 17:43:26 UTC 2012
You could simply add another IP address to the servers's source-
address pool, which effectively gives you another 32K (or whatever
value you have for the local port range) identifiers.
Owen
On Dec 5, 2012, at 7:59 AM, Ray Soucy <rps at maine.edu> wrote:
> RFC 793 arbitrarily defines 2MSL (how long to hold a socket in
> TIME_WAIT state before cleaning up) as 4 min.
>
> Linux is a little more reasonable in this and has it baked into the
> source as 60 seconds in "/usr/src/linux/include/net/tcp.h":
> #define TCP_TIMEWAIT_LEN (60*HZ)
>
> Where there is no way to change this though /proc (probably a good
> idea to keep users from messing with it), I am considering re-building
> a kernel with a lower TCP_TIMEWAIT_LEN to deal with the following
> issue.
>
> With a 60 second timeout on TIME_WAIT, local port identifiers are tied
> up from being used for new outgoing connections (in this case a proxy
> server). The default local port range on Linux can easily be
> adjusted; but even when bumped up to a range of 32K ports, the 60
> second timeout means you can only sustain about 500 new connections
> per second before you run out of ports.
>
> There are two options to try an deal with this, tcp_tw_reuse, and
> tcp_tw_recycle; but both seem to be less than ideal. With
> tcp_tw_reuse, it doesn't appear to be effective in situations where
> you're sustaining 500+ new connections per second rather than a small
> burst. With tcp_tw_recycle it seems like too big of a hammer and has
> been reported to cause problems with NATed connections.
>
> The best solution seems to be trying to keep TIME_WAIT in place, but
> being faster about it.
>
> 30 seconds would get you to 1000 connections a second; 15 to 2000, and
> 10 seconds to about 3000 a second.
>
> A few questions:
>
> Does anyone have any data on how typical it is for TIME_WAIT to be
> necessary beyond 10 seconds on a modern network?
> Has anyone done some research on how low you can make TIME_WAIT safely?
> Is this a terrible idea? What alternatives are there? Keep in mind
> this is a proxy server making outgoing connections as the source of
> the problem; so things like SO_REUSEADDR which work for reusing
> sockets for incoming connections don't seem to do much in this
> situation.
>
> Anyone running large proxies or load balancers have this situation?
> If so what is your solution?
>
>
>
>
> --
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
>
> T: 207-561-3526
> F: 207-561-3531
>
> MaineREN, Maine's Research and Education Network
> www.maineren.net
More information about the NANOG
mailing list