From: Alexander Strange
To: freebsd-performance@freebsd.org
Date: Sun, 20 Jul 2008 14:25:40 -0400
Subject: Re: Large number of http connections immediately dropped
In-Reply-To: <31AFE70B-CE45-42DE-97C7-AFF96383C6E2@chittenden.org>

On Jul 17, 2008, at 12:44 PM, Sean Chittenden wrote:

>> -messages is full of:
>> Limiting open port RST response from 441 to 200 packets/sec
>> Limiting open port RST response from 488 to 200 packets/sec
>> Limiting open port RST response from 399 to 200 packets/sec
>> Limiting open port RST response from 434 to 200 packets/sec
>> Limiting open port RST response from 308 to 200 packets/sec
>> I'm not sure if that's related or not.
>
> Likely not, but you want to set net.inet.icmp.icmplim=2000 or
> something much higher. ICMP is a good thing and an important part
> of TCP. For that much traffic, you need more ICMP packets.
> net.inet.tcp.recvspace seems high, you probably only want it to be
> 4096 or maybe double that.... unless your traffic is all HTTP
> posts. Why don't you want to run with accept filters? Any
> firewalls or rate filters in the way? -sc

The httpready filter was just off for debugging (in case it solved our
problem) - it didn't seem to affect it, so it's back on now.

There are a lot of large HTTP posts happening, and we don't seem to be
low on memory, so recvspace should be ok. somaxconn is also much higher
than necessary, though, so maybe that could be a problem.

Anyway, raising icmplim has emptied the system log, but there are still
several errors per minute. I don't think any of the netstat -s counters
are going up at the same rate, but I'll keep looking at those.

And there are no firewalls or packet shapers in front of it.
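
An added example, not part of the original message: a small sh/awk helper that summarizes the kernel rate-limit messages quoted above (count, peak attempted rate, limit in force), so the size of the RST burst can be recorded before raising net.inet.icmp.icmplim silences the log. The function names are hypothetical; the sample lines are the five quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarize "Limiting ... response"
# rate-limit messages. Function names are hypothetical.

# Reads log lines on stdin and prints one line per message type:
#   <type>|<messages seen>|<peak attempted pps>|<limit pps>
summarize_bandlim() {
    awk '
    /Limiting .* from [0-9]+ to [0-9]+ packets\/sec/ {
        # Drop any syslog prefix so only "TYPE from N to M packets/sec" remains.
        msg = $0
        sub(/^.*Limiting /, "", msg)
        n = split(msg, f, " ")
        limit = f[n-1] + 0      # rate the kernel clamped to
        tried = f[n-3] + 0      # rate it would otherwise have sent
        type = f[1]             # everything before "from" names the response type
        for (i = 2; i <= n - 5; i++) type = type " " f[i]
        count[type]++
        if (tried > peak[type]) peak[type] = tried
        lim[type] = limit
    }
    END {
        for (t in count) printf "%s|%d|%d|%d\n", t, count[t], peak[t], lim[t]
    }'
}

# Sample input: the five messages quoted in the thread above.
sample_lines() {
    cat <<EOF
Limiting open port RST response from 441 to 200 packets/sec
Limiting open port RST response from 488 to 200 packets/sec
Limiting open port RST response from 399 to 200 packets/sec
Limiting open port RST response from 434 to 200 packets/sec
Limiting open port RST response from 308 to 200 packets/sec
EOF
}

# On a live host the input would be the system log instead, for example:
#   summarize_bandlim < /var/log/messages
sample_lines | summarize_bandlim
```
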