- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- TCP Zerowindow"
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-21-2009 11:53 AM
тАО05-21-2009 11:53 AM
I am trouble shooting network error and while lookig at the trace file we see lot of "TCP Zerowindow" (When the receiving host's buffer fills, the next acknowledgement contains a 0 in the window size, to stop transfer and allow the data in the buffer to be processed) and AFAIK this is some thing to do with "TCP/IP bufferes"
Any one know what could casue this and a fix?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-21-2009 12:20 PM
тАО05-21-2009 12:20 PM
Re: TCP Zerowindow"
Usually second option, i.e., throttling is not option if you have too many senders and one target receiver. So, make sure you have a really fast interface listening for the traffic.
There might be an obscure ndd parameter but ndd is not my forte. I am sure Rick Jones on these forums, can provide an answer if there is one related to ndd.
UNIX because I majored in cryptology...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-21-2009 04:23 PM
тАО05-21-2009 04:23 PM
Re: TCP Zerowindow"
When a receiving TCP returns an ACK with a 0 in the window field, it means the receive socket buffer has filled. This means the receiving *application* has fallen-behind. If this is simply a transient sort of thing, you might have the application make a setsockopt() call to increase the size of SO_RCVBUF. If the application is brain-dead in that regard, you can probably use ndd to tweak tcp_recv_hiwater_def to a larger value.
However, if the application is *always* behind - that is the zero window ACKs are frequent the only thing to do is find some way to improve the performance of the application.
Zero window ACKs say nothing about the speed of the recieving NIC being too slow. When the receiving NIC (or its interrupt CPUs) are too slow you get recv errors reported in lanadmin statistics.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-22-2009 05:58 AM
тАО05-22-2009 05:58 AM
Re: TCP Zerowindow"
Also is "keepalive timeouts" a concern
Fri May 22 01:57:49 EDT 2009
2677614 embryonic connections dropped
3013248049 segments updated rtt (of 3013248049 attempts)
6171595 retransmit timeouts
481832 connections dropped by rexmit timeout
29608532 persist timeouts
2713014 keepalive timeouts
2699941 keepalive probes sent
969 connections dropped by keepalive
3305474 connect requests dropped due to full queue
2104496 connect requests dropped due to no listener
Fri May 22 02:22:49 EDT 2009
2677823 embryonic connections dropped
3014514533 segments updated rtt (of 3014514533 attempts)
6172290 retransmit timeouts
481882 connections dropped by rexmit timeout
29614986 persist timeouts
2713098 keepalive timeouts
2700024 keepalive probes sent
969 connections dropped by keepalive
3305952 connect requests dropped due to full queue
2104590 connect requests dropped due to no listener
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-22-2009 06:18 AM
тАО05-22-2009 06:18 AM
Re: TCP Zerowindow"
as if you are describing the innards of a newly discovered denial of service attack. If your process is a webserver and it is infected somehow or designed to inflict pain to the visitors, this is exactly what you would do to make the connecting clients, spin their cycles waiting for your receive buffers to become available, even though your receive buffers are capable of receiving traffic.
I have listened to a computer security related a podcast few months ago, describing a DoS attack taking advantage of this very vulnerability of the tcp protocol communications. Is this listening application something you have written or somehow inherited from people you don't know and have no way of contacting. If it is the latter, I'd seriously suspect a malicious intent.
my 2 cents
UNIX because I majored in cryptology...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-22-2009 04:45 PM
тАО05-22-2009 04:45 PM
SolutionZero window ACKs from the server mean it is the server advertising a zero window.
Connections dropped due to full queue means that either tcp_conn_request_max is "too small" or the application(s) are making listen() calls with too small a backlog, or the application(s) are not calling accept() fast enough for the given backlog levels - which will be the minimum of what they pass in listen() and the value of tcp_conn_request_max.
Connections dropped due to no listener means just that - there was no listen endpoint for the destination port number in the arriving SYNchronize segment.
Whether this is or is not a Denial Of Service attack probably calls for further investigation.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-25-2009 05:07 AM
тАО05-25-2009 05:07 AM
Re: TCP Zerowindow"
Rick, Can you explain me or get me doc/URL which explians setsockopt/SO_RCVBUF
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-25-2009 02:34 PM
тАО05-25-2009 02:34 PM
Re: TCP Zerowindow"
BTW, earlier I think you said you saw now recv errors - indeed there would be none if the application is falling behind. The application's recv() (or read() etc) calls will still succeed, they just aren't being called "fast enough" by the application to keep-up with the rest of the stack and the network. There probably won't be any link-level recv errors either since TCP flow-control will kick-in when the window goes to zero bytes.