Re: High number tcp closed and timewait

From: Willy Tarreau <w#1wt.eu>
Date: Tue, 13 Jul 2010 21:10:04 +0200


Hi,

On Tue, Jul 13, 2010 at 11:22:45AM +0200, Łukasz Jagiełło wrote:
> Hi,
>
> For some time now I have been seeing a high number of tcp closed and timewait.
>
> #v+
> lb-01 ~ # free
>              total       used       free     shared    buffers     cached
> Mem:       4046308    1348228    2698080          0     363184     571832
> -/+ buffers/cache:     413212    3633096
> Swap:      2096440          0    2096440
> #v-
> #v+
> lb-01 ~ # ss -s
> Total: 1732 (kernel 1834)
> TCP:   94808 (estab 574, closed 93166, orphaned 171, synrecv 0, timewait 93163/0), ports 5048
>
> Transport Total     IP        IPv6
> *         1834      -         -
> RAW       0         0         0
> UDP       13        13        0
> TCP       1642      1642      0
> INET      1655      1655      0
> FRAG      0         0         0
> #v-
>
> My sysctl looks like this:
>
> http://pastebin.com/DPvDv4xu
>
> Haproxy settings:
>
> #v+
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     option redispatch
>     option httpclose
>     option srvtcpka
>     option clitcpka
>     option forwardfor
>     balance roundrobin
>     retries 3
>     maxconn 8192
>     timeout client 30s
>     timeout connect 30s
>     timeout server 30s
> #v-
>
> The rest of the config is just frontends and backends with acl, but no more options.
>
> I wonder if it's possible to make that number of close/timewait
> lower, or is it normal?

Don't worry, it is perfectly normal. A closed connection must be kept for some time before being removed from the table so that late packets can be matched. In turn, they don't consume much memory (a few tens of bytes each). The number of closed/timewait connections you may see is approximately equal to the number of connections per second times the timewait timeout (60s by default).

I had a capture somewhere (but I can't find it right now) where I had 4 million time-wait sockets on my desktop PC after a two-minute test ;-)

What you should care about are FIN_WAIT[1,2] sockets (generally meaning the other side went away without being able to close), and CLOSE_WAIT (which are generally observed on servers when a connection close is not properly caught). Having a few of them at a time for a short time is perfectly normal though.

Hoping this helps,
Willy

Received on 2010/07/13 21:10
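
The rule of thumb and the states to watch from the reply above, as an added example that is not part of the original mail or of HAProxy. It assumes the usual `ss -tan` column layout; the function names are hypothetical and the sample rows are constructed.

```python
from collections import Counter
import sys

TIME_WAIT_SECS = 60  # default timewait timeout quoted in the reply
WATCH = ("FIN-WAIT-1", "FIN-WAIT-2", "CLOSE-WAIT")  # states the reply says to care about

# Constructed sample in `ss -tan` layout (documentation address ranges).
SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:80          0.0.0.0:*
ESTAB      0      0      192.0.2.10:80       198.51.100.7:51324
TIME-WAIT  0      0      192.0.2.10:80       198.51.100.7:51320
TIME-WAIT  0      0      192.0.2.10:80       198.51.100.8:40112
TIME-WAIT  0      0      192.0.2.10:80       198.51.100.9:40113
CLOSE-WAIT 1      0      192.0.2.10:43210    203.0.113.5:8080
FIN-WAIT-2 0      0      192.0.2.10:80       198.51.100.9:33001
"""

def count_states(ss_output):
    """Count sockets per TCP state from `ss -tan` text, skipping the header."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header, blank or truncated line
        counts[fields[0]] += 1
    return counts

def estimated_conn_rate(counts, timewait_secs=TIME_WAIT_SECS):
    """Invert the rule of thumb: timewait count ~= connections/s * timeout."""
    return counts.get("TIME-WAIT", 0) / timewait_secs

def watch_list(counts, threshold=0):
    """Return the watched states whose socket count exceeds `threshold`."""
    return {s: counts.get(s, 0) for s in WATCH if counts.get(s, 0) > threshold}

if __name__ == "__main__":
    # Use piped `ss -tan` output when present, else the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    counts = count_states(piped or SAMPLE)
    print("states:", dict(counts))
    print("approx connections/s: %.2f" % estimated_conn_rate(counts))
    print("worth a look:", watch_list(counts) or "nothing")
```

Applied to the `ss -s` figure quoted above (timewait 93163), the same inversion gives roughly 1550 connections per second.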
