Hi,
I have an issue with our Fedora Consumers running 1.2.0 on Fedora 10 in that they don't seem to be closing old connections and so the open connections are building up until performance is impacted and eventually we run out of file handles.
Looking at one consumer, netstat is showing 711 Established connections to port 389 from a Radius server, and the console is also reporting over 700 "Open Connections". Yet on the Radius server I see 3 Established connections, which is what I would expect. It seems each time the Radius server restarts (which it does often to pick up config changes) the old connections time out on the Radius server but remain Established on the Fedora side. We do see the same behaviour from other services such as mail and web servers, but Radius is the worst due to it restarting regularly.
On the console I have currently configured an Idle Timeout of 300 seconds and added timeout config to the Fedora OS:
tcp_keepalive_time = 600
tcp_keepalive_intvl = 75
tcp_keepalive_probes = 9
Why are these connections not timing out after the Idle time? At the moment I am having to regularly restart the directory service in order to clear the connections down.
Thanks.
Jim.
> I have an issue with our Fedora Consumers running 1.2.0 on Fedora 10 in that they don't seem to be closing old connections and so the open connections are building up until performance is impacted and eventually we run out of file handles.
> ... cut
> tcp_keepalive_time = 600
> tcp_keepalive_intvl = 75
> tcp_keepalive_probes = 9
> Why are these connections not timing out after the Idle time? At the moment I am having to regularly restart the directory service in order to clear the connections down.
Hi Jim, I have not yet run into such issues ... which is not to say I won't. Our tcp_keepalive_time is set to 300; whether that will make a difference is difficult to say, but worth a try I would say.
Best Regards
Hi,
You may have a (software/hardware) firewall or switch/load balancer issue between the LDAP server and the other servers. Some firewalls and switches don't let the RSET packets pass correctly. I've seen such a thing once between a database server and the web server. It was a hardware firewall (and switch) problem. If it's not a firewall/switch problem you should also reduce nsslapd-idletimeout of cn=config.
A part of our sysctl.conf file on 389 server is very similar to yours, so the problem is not in the kernel config:

# The total session drop time will be (net.ipv4.tcp_keepalive_time + net.ipv4.tcp_keepalive_probes*net.ipv4.tcp_keepalive_intvl)
# Time of session inactivity when the kernel will start to send probe packets
net.ipv4.tcp_keepalive_time = 1200
# How long the kernel waits in between probes
net.ipv4.tcp_keepalive_intvl = 30

We have three 389DS v1.2.6 on x86_64 servers, each one having ~100 parallel sessions, ~50000 connections and more than a million searches per day, and absolutely no problem with lingering TCP connections. Among the services using the LDAP we also have FreeRadius...
2010/9/22 Jim Tyrrell <jim@scusting.com>

> On the console I have currently configured an Idle Timeout of 300 seconds and added timeout config to the Fedora OS:
> tcp_keepalive_time = 600
> tcp_keepalive_intvl = 75
> tcp_keepalive_probes = 9
> Why are these connections not timing out after the Idle time? At the moment I am having to regularly restart the directory service in order to clear the connections down.
> Thanks.
> Jim.
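
An added example, not part of the thread or of 389 Directory Server: it counts ESTABLISHED connections to port 389 per remote host from `netstat -tn` output, compares them with what each client reports to estimate half-open connections, and evaluates the session drop time formula from the sysctl.conf comment above. The sample netstat text, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the layout of `netstat -tn` on the directory server
# (documentation address ranges, not values from the thread).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp        0      0 192.0.2.10:389     198.51.100.7:41022   ESTABLISHED
tcp        0      0 192.0.2.10:389     198.51.100.7:41388   ESTABLISHED
tcp        0      0 192.0.2.10:389     198.51.100.7:42910   ESTABLISHED
tcp        0      0 192.0.2.10:389     198.51.100.9:50112   ESTABLISHED
tcp        0      0 192.0.2.10:389     198.51.100.9:50140   TIME_WAIT
tcp        0      0 192.0.2.10:22      203.0.113.5:60222    ESTABLISHED
tcp6       0      0 2001:db8::10:389   2001:db8::77:51000   ESTABLISHED
"""

def keepalive_drop_seconds(time_s, intvl_s, probes):
    """Idle time before the kernel drops a dead peer: time + probes * intvl.
    The kernel only probes sockets that have SO_KEEPALIVE enabled."""
    return time_s + probes * intvl_s

def established_by_peer(netstat_text, port=389):
    """Count ESTABLISHED connections to local `port`, grouped by remote host."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or non-TCP line
        local, remote, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED":
            continue
        # Split on the last ':' so IPv6 addresses keep their own colons.
        _, lport = local.rsplit(":", 1)
        rhost, _ = remote.rsplit(":", 1)
        if lport == str(port):
            counts[rhost] += 1
    return counts

def stale_estimate(server_counts, client_counts):
    """Per peer: connections the server still holds that the client no longer has."""
    return {peer: n - client_counts.get(peer, 0)
            for peer, n in server_counts.items()
            if n > client_counts.get(peer, 0)}

if __name__ == "__main__":
    print(established_by_peer(SAMPLE_NETSTAT))
    # Figures from the first message: 711 seen on the consumer, 3 on the Radius host.
    print(stale_estimate({"radius": 711}, {"radius": 3}))
    print(keepalive_drop_seconds(600, 75, 9), "seconds")
```
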