HPE Community
Operating System - Tru64 Unix
1828191 Members
2064 Online
109975 Solutions
New Discussion

Is it Normal?(About a Web Server)

 
chenbin_1
Occasional Advisor

‎09-16-2004 05:51 PM

‎09-16-2004 05:51 PM

Is it Normal?(About a Web Server)

I have a web server in ES40(Tru64 5.1B),when i used a command as fellow to monitor
the network status ,i found something abnormal,but i didn't know how to do it.
# netstat -an | grep tcp| awk '{print $6}'| sort | uniq -c
the output is :
138 ESTABLISHED
264 FIN_WAIT_2
36 LESTEN
6 TIME_WAIT
0 Kudos
5 REPLIES 5
Ralf Puchner
Honored Contributor

‎09-16-2004 08:10 PM

‎09-16-2004 08:10 PM

Re: Is it Normal?(About a Web Server)

It seems there is a close problem, e.g. connection not properly closed from client side.

Lower/enable tcp keepalive (please have a look into the tuning documentation) to close the sockets as soon as possible.
Help() { FirstReadManual(urgently); Go_to_it;; }
0 Kudos
Ross Minkov
Esteemed Contributor

‎09-19-2004 02:14 AM

‎09-19-2004 02:14 AM

Re: Is it Normal?(About a Web Server)

chenbin,

This could be normal... How busy is your web server? Does it serve anything other then web pages? Do these number change over time?

Ross
0 Kudos
Ralf Puchner
Honored Contributor

‎09-19-2004 06:22 PM

‎09-19-2004 06:22 PM

Re: Is it Normal?(About a Web Server)

the high number of FIN_WAIT_2 is not normal related to the ESTABLISHED and TIME_WAIT sockets. It is an indication of a connection close problem and leads to socket problems over time if more sockets will be opened than closed (bottleneck is far away but it depend on usage of the webserver).

Due to the fact, that HTTP does not keep connection during a session it is important.
Help() { FirstReadManual(urgently); Go_to_it;; }
0 Kudos
chenbin_1
Occasional Advisor

‎10-18-2004 02:55 PM

‎10-18-2004 02:55 PM

Re: Is it Normal?(About a Web Server)

# netstat -p tcp
tcp:
82634767 packets sent
49106873 data packets (14442677502 bytes)
401181 data packets (547742361 bytes) retransmitted
27758357 ack-only packets (17643056 delayed)
0 URG only packets
25 window probe packets
376242 window update packets
4992089 control packets
70845228 packets received
54307809 acks (for 14371287618 bytes)
5496615 duplicate acks
0 acks for unsent data
46957412 packets (5980730476 bytes) received in-sequence
93525 completely duplicate packets (32534296 bytes)
5286 packets with some duplicate data (2212909 bytes duped)
253415 out-of-order packets (87529157 bytes)
13 packets (6948 bytes) of data after window
0 window probes
3584 window update packets
627 packets received after close
217 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet was too short
16740 connection requests
5064539 connection accepts
5055359 connections established (including accepts)
5171172 connections closed (including 213480 drops)
2 embryonic connections dropped
52152867 segments updated rtt (of 52387409 attempts)
149555 retransmit timeouts
193 connections dropped by rexmit timeout
32 persist timeouts
2099 keepalive timeouts
9 keepalive probes sent
1213 connections dropped by keepalive
now ,i counter a new problem,so.....:),is it normal?
0 Kudos
Al Licause
Trusted Contributor

‎10-19-2004 05:40 AM

‎10-19-2004 05:40 AM

Re: Is it Normal?(About a Web Server)

The excessive FIN_WAIT_2 sockets may not necessarily be http traffic. If you leave off your awk search, what ports are these sockets talking to ?

You may need to do some tracing to find out what's going on. You may be experiencing an attack or an attempt to login via ports other than http.

If you simply want to clean them up, looking at enabling tcp_keepalive and possibly adjusting tcp_keepcnt, tcp_keepintvl and tcp_keepidle.....see man sys_attrs inet.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.