Operating System - HP-UX
1748180 Members
4122 Online
108759 Solutions
New Discussion юеВ

Re: NDD Tunables for TCP Keepalives

 
SOLVED
Go to solution
KPS
Super Advisor

NDD Tunables for TCP Keepalives

We're looking at possibly changing the amount of tcp_keepalive_interval probes to a more frequent number on our hp-ux host so more keepalives are sent to prevent our firewall from timing out inactive connections. Despite there being no activity, these data channels are still open and are point-to-point, but when they get timed out by our firewall, it's causing us major problems.

This said, could folks weigh in on any gotchas and/or pitfalls we could encounter from doing this? Also if someone could confirm I'm interpreting this correctly that to do this I would need to lessen the current value to make this so?

Current tunable setting is as follows:

#ndd -get /dev/tcp tcp_keepalive_interval
7200000 (120 minutes)

Thanks,
/KPS
7 REPLIES 7
Michael Steele_2
Honored Contributor
Solution

Re: NDD Tunables for TCP Keepalives

Hi

"... I would need to lessen the current value ..."

You have tcp connections that never send a close connection signal, that are always in an ESTABLISHED state and never transition.

You can't re-established a new connection because the old connection is still there and can't be cleared.

The default keep alive is 2 hours but the kill connection message is not working? Or, it is working but you can't wait 2 hours?

So you want to set the new keep alive value from 2 hours to 5 minutes.

Question: What if the ESTABLISHED connection that you are terminating after 5 minutes is still good?

Question: What test can you run to verify that the ESTABLISHED connection is good or bad before killing it?

If you are experiencing these keep-alive problems then they are probably happening at the same time on the same days and can be cross referenced. Are they?
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: NDD Tunables for TCP Keepalives

Why don't you ping the problem port / tcp connection and kill it if the ping times out?
Support Fatherhood - Stop Family Law
KPS
Super Advisor

Re: NDD Tunables for TCP Keepalives

Presently the connections are ESTABLISHED and it's normal for some to be in this ESTABISHED state for more than 2hrs. (You're probably thinking bad design and I would tend to agree) Our current problem is that our firewall is set to terminate connections over ports with no activity for 1hour. That said, we were thinking we could use TCP keepalives at a more frequent interval than an hour so the firewall doesn't terminate the ESTABLISHED connections and percieves the connections over the given port to have activity.

If there is a better way to handle this we would be "all ears" and would be open to other alternatives, but it's what we've proposed and come up with so far.

Thanks,
/KPS
Michael Steele_2
Honored Contributor

Re: NDD Tunables for TCP Keepalives

a) Your current keep alive interval is 2 hours
b) You're considering changing your keep alive to less than 1 hour because the firewall terminates less than 1 hour

Okay. So restate the problem. Right now you can not re-establish a connection because the firewall terminates a session and leaves the port in an established state.

And by setting your tcp keep alive to less than 1 hour like the firewall, the keep alive would clear the port instead of leaving it in an ESTABLISHED state.

If I understand this correctly then yeah, make the tcp keep alive small enough so the firewall never interferes.

Problems: "...it's normal for some to be in this ESTABISHED state for more than 2hrs...."

You will be making a segment of users happy and another segment furious.

The furious people will never complete a session. They will always time out.
Support Fatherhood - Stop Family Law
rick jones
Honored Contributor

Re: NDD Tunables for TCP Keepalives

Stateful firewalls in the middle of the network causing problems... quelle surprise...

Changing tcp_keepalive_interval presumes the application(s) in question are actually making the setsockopt() call to enable keepalives. Are they?
there is no rest for the wicked yet the virtuous have no pillows
KPS
Super Advisor

Re: NDD Tunables for TCP Keepalives

Thanks for the replies on these questions I think we have enough to go on here to move forward for this not so pretty workaround.

Thanks again,
/KPS
Michael Steele_2
Honored Contributor

Re: NDD Tunables for TCP Keepalives

Type "...The furious people will never complete a session. They will always time out..."

Should read: They will always be left in an ESTABLISHED state even though dead
Support Fatherhood - Stop Family Law