From owner-freebsd-stable@FreeBSD.ORG Wed Mar 4 19:44:32 2015 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B4E22D28 for ; Wed, 4 Mar 2015 19:44:32 +0000 (UTC) Received: from mail-ie0-x22b.google.com (mail-ie0-x22b.google.com [IPv6:2607:f8b0:4001:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 759E27FA for ; Wed, 4 Mar 2015 19:44:32 +0000 (UTC) Received: by iecvy18 with SMTP id vy18so6066818iec.9 for ; Wed, 04 Mar 2015 11:44:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=LKYegCkekK6zW4qHgqfxgnm2+24+A9u24JzcHDwhhDU=; b=G3mHbQ1Bd4tRSf3GTHyfhwnvivwzji8Xc4aCuCQJAZJN+ZPQiE8oJgRdIP3KjjztTk Fm1tf0VwJH573bXuyoz4zbJXrjg7zHPXGvURMNdPhRCODWl09Yh6CLT1m35eKiKXgV/i JVcz9LKRZqMr1W+Dyc0dsc/Ai5UWWCB0+xfzUf0XqN9AzLdIFlxGnDfVnJwQjs5Gusz3 VPJAYSZpvXUGUeMtRChm9R18lhPP3JTgxxhSuRfsT6eiweBX4foPzftIBkhNWgsurkNA bE1Q2CxhFU4fDvxXX2i93hinp4ONjZcd0qmFrHofOLw8fWmYnZe7yKqsu0h0520UBwkN g0hQ== MIME-Version: 1.0 X-Received: by 10.50.80.12 with SMTP id n12mr40503860igx.29.1425498271811; Wed, 04 Mar 2015 11:44:31 -0800 (PST) Received: by 10.50.243.38 with HTTP; Wed, 4 Mar 2015 11:44:31 -0800 (PST) In-Reply-To: References: Date: Wed, 4 Mar 2015 11:44:31 -0800 Message-ID: Subject: Re: Stale TIME_WAIT tcp connections From: Rumen Telbizov To: "freebsd-stable@freebsd.org" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Mar 2015 19:44:32 -0000 Hello again, Thank you for the responses. No I don't have any IPSEC in the kernel. Further observations overnight revealed that: a) Those "stale" TIME_WAIT sockets do expire at some time, since I was watching one of them which seemed to stay around for hours but in the morning it actually was gone. b) It seems like both sockets which don't get established (only syn sent) are getting registered and get stuck there as well as fully established and properly closed ones. Here are a couple of examples: Monitoring the traffic from a specific client host (server IP obfuscated to 1.2.3.4, client IP to 5.6.7.8): IP 5.6.7.8.43440 > 1.2.3.4.5666: Flags [S], seq 4056322107, win 5840, options [mss 1460,sackOK,TS val 729030596 ecr 0,nop,wscale 7], length 0 IP 5.6.7.8.43437 > 1.2.3.4.5666: Flags [S], seq 3979308195, win 5840, options [mss 1460,sackOK,TS val 729031604 ecr 0,nop,wscale 7], length 0 Those are connections that never got established. I picked up and watched one of those syn-only tuples and it seems like it does allocate and consume a connection: # date ; sockstat | grep 5.6.7.8:43440 Wed Mar 4 19:02:24 UTC 2015 ? ? ? ? tcp4 1.2.3.4:5666 5.6.7.8:43440 # date ; sockstat | grep 5.6.7.8:43440 Wed Mar 4 19:10:11 UTC 2015 ? ? ? ? tcp4 1.2.3.4:5666 5.6.7.8:43440 # date ; netstat -na | grep 5.6.7.8.43440 Wed Mar 4 19:38:56 UTC 2015 tcp4 0 0 1.2.3.4.5666 5.6.7.8.43440 TIME_WAIT And here's a properly established and closed TCP socket between the same client and server: 19:14:47.827359 IP 5.6.7.8.33877 > 1.2.3.4.5666: Flags [S], seq 3819001779, win 5840, options [mss 1460,sackOK,TS val 729095309 ecr 0,nop,wscale 7], length 0 19:14:47.827390 IP 1.2.3.4.5666 > 5.6.7.8.33877: Flags [S.], seq 2990857548, ack 3819001780, win 65535, options [mss 1436,nop,wscale 6,sackOK,TS val 2460189516 ecr 729095309], length 0 19:14:47.979287 IP 5.6.7.8.33877 > 1.2.3.4.5666: Flags [.], ack 1, win 46, options [nop,nop,TS val 729095347 ecr 2460189516], length 0 19:14:47.979408 IP 5.6.7.8.33877 > 1.2.3.4.5666: Flags [P.], seq 1:1041, ack 1, win 46, options [nop,nop,TS val 729095347 ecr 2460189516], length 1040 19:14:47.980136 IP 1.2.3.4.5666 > 5.6.7.8.33877: Flags [F.], seq 1, ack 1041, win 1045, options [nop,nop,TS val 2460189668 ecr 729095347], length 0 19:14:48.132156 IP 5.6.7.8.33877 > 1.2.3.4.5666: Flags [F.], seq 1041, ack 2, win 46, options [nop,nop,TS val 729095386 ecr 2460189668], length 0 19:14:48.132173 IP 1.2.3.4.5666 > 5.6.7.8.33877: Flags [.], ack 1042, win 1045, options [nop,nop,TS val 2460189821 ecr 729095386], length 0 It also gets stuck there for quite a while: # sockstat | grep 5.6.7.8:33877 ? ? ? ? tcp4 1.2.3.4:5666 5.6.7.8:33877 # date ; netstat -na | grep 5.6.7.8.33877 Wed Mar 4 19:16:09 UTC 2015 tcp4 0 0 1.2.3.4.5666 5.6.7.8.33877 TIME_WAIT # date ; netstat -na | grep 5.6.7.8.33877 Wed Mar 4 19:31:31 UTC 2015 tcp4 0 0 1.2.3.4.5666 5.6.7.8.33877 TIME_WAIT So naturally the server never manages to get "on top of things" due to not discarding those on time. Any other ideas and suggestions? Regards, Rumen Telbizov On Tue, Mar 3, 2015 at 5:41 PM, Michael Ross wrote: > On Wed, 04 Mar 2015 01:36:18 +0100, Rumen Telbizov > wrote: > > Hello everyone, >> >> We have a server running 9.3-RELEASE which is exhibiting a high number o= f >> TIME_WAIT tcp connections which are NOT being recycled. That is, netstat >> reports them over and over again, no matter how long we wait for them to >> be >> flushed out. Currently this server has been out of rotation for a couple >> of >> hours and I still see the same tcp sockets there. Overall we have: >> >> # netstat -na | grep TIME_WAIT | wc -l >> *30066* >> >> Tracking one particular TCP socket in TIME_WAIT proves that it stays the= re >> all the time. >> >> Another observation is that pfctl shows a very large number of state >> entries, even after pfctl -F all, or disable/enable sequence. >> >> # pfctl -si >> State Table Total Rate >> current entries *59280* >> >> At the same time though: >> >> # pfctl -ss | wc -l >> 18 >> >> After the problem was discovered we tried tweaking the following setting= s >> without any luck: >> >> net.inet.tcp.fast_finwait2_recycle=3D1 >> net.inet.tcp.finwait2_timeout=3D5000 >> net.inet.tcp.maxtcptw=3D50000 >> net.inet.tcp.msl=3D100 >> >> =E2=80=8BSo it seems like this system is "stuck" and =E2=80=8Bdoesn't re= cycle those TCP >> sockets. Again, the machine is out of rotation and not actively acceptin= g >> any traffic. I will keep it like that in case further investigation is >> required. Please do let me know if there's anything else you'd like to >> know >> from the state of the machine or something I could try. >> >> =E2=80=8BRegards, >> > > Are you using any IPSEC? > I observed something similar a while back, haven't checked again since i > reported this. > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D194690 > Affected 9.2, too. > > Michael > --=20 Rumen Telbizov Unix Systems Administrator