From: "Grant Peel"
To: "Tek Bahadur Limbu"
Cc: freebsd-questions@freebsd.org
Date: Mon, 26 Feb 2007 10:13:49 -0500
Organization: The Net Now
Message-ID: <00d501c759b8$b7dc4870$6501a8c0@GRANT>
References: <00aa01c758c6$f8dadb90$6501a8c0@GRANT> <20070225193804.19bc9280.teklimbu@wlink.com.np>
Subject: Re: Fw: FIN_WAIT_2

Hi All,

I have done some research ...

It appears that in certain conditions, when the net.inet.ip.fw.dyn_keepalive=1 (sysctl), remote clients or other servers may not respond, and a new rule or dynamic rule is set up. Turning this to 0 seemed to help.

The effect (of having net.inet.ip.fw.dyn_keepalive=1) is that over time, hundreds of FIN_WAIT_2 tcp states occur.
With some software (vm-pop3d), it runs out of sockets, and I suspect the daemon does not know how to handle this.

So do a:

sysctl net.inet.ip.fw.dyn_keepalive=0

and in about 10 minutes all FIN_WAIT_2's disappear (well, almost all).

I expect it virtually shut down dynamic rules too in ipfw, but I have been reading more and more that people are saying don't use dynamics on a busy site.

Anyone care to comment?

-Grant

----- Original Message -----
From: "Tek Bahadur Limbu"
To: "Grant Peel"
Cc:
Sent: Sunday, February 25, 2007 8:53 AM
Subject: Re: Fw: FIN_WAIT_2

> On Sun, 25 Feb 2007 05:23:20 -0500
> "Grant Peel" wrote:
>
>> my problem is that so many of my vm-pop3d processes get in that
>> state that semi-frequently, we get locked out of downloading email.
>>
>> I kill all the vm-pop3d processes then we have to wait for all the
>> FIN_WAIT_2 to die before I can restart the vm-pop3d process.
>>
>> If I try to start vm-pop3d before all the FIN_WAIT_2 sockets die, I
>> get a "Can't bind to port" error.
>>
>> When I do the lsof thing it shows no files or processes connected to
>> that port, or socket.
>
> Hi Grant,
>
> I also seem to be getting the same problem as yours except that my server
> is a Squid proxy running on FreeBSD 6.0. Using
>
> netstat -an | grep tcp | awk '{print $6}' | sort | uniq -c
>
> gives the following:
>
>   23 CLOSE_WAIT
>    9 CLOSING
> 3955 ESTABLISHED
> 3342 FIN_WAIT_1
> 2604 FIN_WAIT_2
>   49 LAST_ACK
>   15 LISTEN
>   16 SYN_SENT
>  148 TIME_WAIT
>
> Then I start to get the following in my squid logs:
>
> 2007/02/25 17:10:37| comm_open: socket failure: (55) No buffer space available
>
> I tried by setting the variable net.inet.ip.fw.dyn_keepalive=0 but it
> didn't help that much.
>
> It is only after I stop Squid for about 20-30 seconds and restart it,
> will the number of connections start to drop.
>
> I think that the best way to tackle this problem is by using a firewall
> to rate-limit the number of connections per IP per time.
>
>>
>> -Grant
>>
>> > ----- Original Message -----
>> > From: "Christian Walther"
>> > To: "Grant Peel"
>> > Cc:
>> > Sent: Saturday, February 24, 2007 9:53 AM
>> > Subject: Re: FIN_WAIT_2
>> >
>> >> On 24/02/07, Grant Peel wrote:
>> >>> Hi all,
>> >>>
>> >>> Just wondering if anyone has found / knows of a way to kill
>> >>> sockets that are stuck in FIN_WAIT_2 state - without rebooting
>> >>> the server.
>> >>>
>> >>> When I kill the processes (in this case the pop3 server) that
>> >>> allows the connection, it still takes about 3 hours for the
>> >>> socket to time out and die.
>> >>
>> >> What is your problem with sockets being in this state? Normally they
>> >> don't consume any resources that would lead to performance
>> >> problems. As you say, they die eventually.
>> >> Sockets in this state are no problem, it's just that the client
>> >> failed to send the last ACK to the server, which would finally
>> >> close the communication.
>
> --
> With best regards and good wishes,
>
> Yours sincerely,
>
> Tek Bahadur Limbu
> (TAG/TDG Group)
> Jwl Systems Department
> Worldlink Communications Pvt. Ltd.
> Jawalakhel, Nepal
> http://www.wlink.com.np
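
Added example, not part of the original thread: shell functions that extend the `netstat -an | ... | uniq -c` one-liner quoted above to also count sockets per remote address for one state, which shows whether a per-IP connection limit would address the pile-up. The function names and the sample input (FreeBSD-style `address.port` columns with documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed here.

# Constructed `netstat -an` sample in FreeBSD's "address.port" format.
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.110         198.51.100.7.51234     FIN_WAIT_2
tcp4       0      0  192.0.2.10.110         198.51.100.7.51240     FIN_WAIT_2
tcp4       0      0  192.0.2.10.110         198.51.100.7.51302     FIN_WAIT_2
tcp4       0      0  192.0.2.10.110         203.0.113.20.40112     FIN_WAIT_2
tcp4       0      0  192.0.2.10.110         203.0.113.20.40113     ESTABLISHED
tcp4       0      0  192.0.2.10.22          203.0.113.99.60001     ESTABLISHED
tcp4       0      0  *.110                  *.*                    LISTEN
udp4       0      0  *.514                  *.*
EOF
}

# Sockets per TCP state; matches the protocol column so header and UDP
# lines are skipped.
state_counts() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Sockets per remote address for one state (default FIN_WAIT_2). The port
# is the last dot-separated field of column 5 and is stripped.
remote_counts() {
    awk -v st="${1:-FIN_WAIT_2}" '
        $1 ~ /^tcp/ && $6 == st { a = $5; sub(/\.[^.]*$/, "", a); n[a]++ }
        END { for (a in n) printf "%d %s\n", n[a], a }' | sort -rn
}

# Exit status 0 while the socket count for STATE is at most LIMIT, else 1.
# usage: netstat -an | state_within_limit STATE LIMIT
state_within_limit() {
    awk -v st="$1" -v max="$2" '
        $1 ~ /^tcp/ && $6 == st { c++ }
        END { if (c > max) exit 1 }'
}

echo "== sockets per state =="
sample_netstat | state_counts
echo "== FIN_WAIT_2 sockets per remote address =="
sample_netstat | remote_counts FIN_WAIT_2
sample_netstat | state_within_limit FIN_WAIT_2 3 || echo "FIN_WAIT_2 above limit"
```

On a live FreeBSD host, pipe `netstat -an` into the functions in place of `sample_netstat`.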