Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 04 Mar 2015 02:41:07 +0100
From:      "Michael Ross" <gmx@ross.cx>
To:        "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>, "Rumen Telbizov" <telbizov@gmail.com>
Subject:   Re: Stale TIME_WAIT tcp connections
Message-ID:  <op.xux9mtx6g7njmm@michael-think.fritz.box>
In-Reply-To: <CAENR%2B_U2H9Vf1xNjOGEsc0BuLhpTNL0iz81p5qDUxS_kdvfX5w@mail.gmail.com>
References:  <CAENR%2B_U2H9Vf1xNjOGEsc0BuLhpTNL0iz81p5qDUxS_kdvfX5w@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Wed, 04 Mar 2015 01:36:18 +0100, Rumen Telbizov <telbizov@gmail.com> =
 =

wrote:

> Hello everyone,
>
> We have a server running 9.3-RELEASE which is exhibiting a high number=
 of
> TIME_WAIT tcp connections which are NOT being recycled. That is, netst=
at
> reports them over and over again, no matter how long we wait for them =
to  =

> be
> flushed out. Currently this server has been out of rotation for a coup=
le  =

> of
> hours and I still see the same tcp sockets there. Overall we have:
>
> # netstat -na | grep TIME_WAIT | wc -l
>    *30066*
>
> Tracking one particular TCP socket in TIME_WAIT proves that it stays  =

> there
> all the time.
>
> Another observation is that pfctl shows a very large number of state
> entries, even after pfctl -F all, or disable/enable sequence.
>
> # pfctl -si
> State Table                          Total             Rate
>   current entries                    *59280*
>
> At the same time though:
>
> # pfctl -ss | wc -l
>       18
>
> After the problem was discovered we tried tweaking the following setti=
ngs
> without any luck:
>
> net.inet.tcp.fast_finwait2_recycle=3D1
> net.inet.tcp.finwait2_timeout=3D5000
> net.inet.tcp.maxtcptw=3D50000
> net.inet.tcp.msl=3D100
>
> =E2=80=8BSo it seems like this system is "stuck" and =E2=80=8Bdoesn't =
recycle those TCP
> sockets. Again, the machine is out of rotation and not actively accept=
ing
> any traffic. I will keep it like that in case further investigation is=

> required. Please do let me know if there's anything else you'd like to=
  =

> know
> from the state of the machine or something I could try.
>
> =E2=80=8BRegards,

Are you using any IPSEC?
I observed something similar a while back, haven't checked again since i=
  =

reported this.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D194690
Affected 9.2, too.

Michael

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.xux9mtx6g7njmm>