From owner-freebsd-stable Mon Feb 24 15:21: 9 2003
Date: Mon, 24 Feb 2003 18:21:04 -0500 (EST)
From: Charles Sprickman
To: freebsd-stable@freebsd.org
Subject: LAST_ACK timeout
Message-ID: <20030224181605.T29646@shell.inch.com>

Hello,

I recently ran into a situation on a large mail server where MSN.com had what looks to be problems with their load balancers. The end result of this was that we had almost 4,000 connections in "LAST_ACK" state which led to the box no longer being able to establish outgoing connections. It wasn't clear exactly what resource was being exhausted (wasn't mbufs, and nothing at all in the logs).

I've looked at tcp(4), which lists most of the sysctl variables and boot loader variables, but I'm not seeing a place to set the timeout on this. Ideally I'd like to whack this down to no more than 15 minutes; I'd rather not tie up resources on broken/evil mxers. Under -stable is there a setting somewhere for this?

As a quick solution, we've enabled ipf on this box and it tracks state on outgoing connections. IPF seems to be able to age these entries out, but that's just a temporary fix.

Thanks,

Charles

--
Charles Sprickman
spork@inch.com
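
One way to see which remote hosts hold the LAST_ACK entries described in the message above, as an added example that is not part of the original post. It assumes BSD-style `netstat -an -p tcp` output; the function names are hypothetical and the sample lines are constructed.

```sh
#!/bin/sh
# Added example: tally TCP connections stuck in one state, per remote host.
# Input is `netstat -an -p tcp` text in the BSD layout, where address and
# port are joined by a dot (192.0.2.10.25 = host 192.0.2.10, port 25).

# count_state STATE: total connections in STATE, read from stdin.
count_state() {
    awk -v st="$1" '$1 ~ /^tcp/ && $NF == st { n++ } END { print n + 0 }'
}

# peers_in_state STATE MIN: "count peer" lines, busiest first, for remote
# hosts holding at least MIN connections in STATE.
peers_in_state() {
    awk -v st="$1" -v min="$2" '
        $1 ~ /^tcp/ && $NF == st {
            peer = $5
            sub(/\.[0-9]+$/, "", peer)   # drop the trailing .port
            n[peer]++
        }
        END { for (p in n) if (n[p] >= min) print n[p], p }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample using documentation addresses; not output from the
# server described in the message.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.25          198.51.100.7.41822     LAST_ACK
tcp4       0      0  192.0.2.10.25          198.51.100.7.41823     LAST_ACK
tcp4       0      0  192.0.2.10.25          198.51.100.7.41830     LAST_ACK
tcp4       0      0  192.0.2.10.25          203.0.113.5.1025       LAST_ACK
tcp4       0      0  192.0.2.10.25          203.0.113.5.1031       LAST_ACK
tcp4       0      0  192.0.2.10.25          198.51.100.99.50112    LAST_ACK
tcp4       0      0  192.0.2.10.3391        203.0.113.80.25        ESTABLISHED
tcp4       0      0  *.25                   *.*                    LISTEN'

# Total in LAST_ACK, then the peers holding two or more of them.
printf '%s\n' "$SAMPLE" | count_state LAST_ACK
printf '%s\n' "$SAMPLE" | peers_in_state LAST_ACK 2
```

On a live host the same functions read from the real command, for example `netstat -an -p tcp | peers_in_state LAST_ACK 100`.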