RE: [syslog-ng]Problem with TCP connection not timing out
Thanks for the response, I'll test it now, but the documentation says that this is the default behaviour, so I'm not sure if this will change anything. On the other hand, shouldn't the OS drop these connections?, some of them have days there, and this monday, there where almost 40 dead connections that where "ESTABLISHED". -----Original Message----- From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu]On Behalf Of Balazs Scheidler Sent: Lunes, 27 de Diciembre de 2004 05:58 p.m. To: syslog-ng@lists.balabit.hu Subject: Re: [syslog-ng]Problem with TCP connection not timing out On Wed, 2004-12-22 at 17:16 -0300, ARGEXT-HIDALGO, FRANCISCO wrote:
I'm really not sure what the problem is, I'm logging with a server in different countries and they send through TCP the logs to a central server. The problem I'm having is that the central server is not dropping TCP connections that no longer exist. As an example:
CENTRAL SERVER: TCP Local Address Remote Address Swind Send-Q Rwind Recv-Q State -------------------- -------------------- ----- ------ ----- ------ ------- CENTRAL.shell syslogA.33969 5840 0 10136 0 ESTABLISHED CENTRAL.shell syslogB.4930 5840 0 10136 0 ESTABLISHED CENTRAL.shell syslogC.33924 24820 0 8760 0 ESTABLISHED CENTRAL.shell syslogC.33925 24820 0 8760 0 ESTABLISHED CENTRAL.shell syslogD.44925 5840 0 10136 0 ESTABLISHED CENTRAL.shell syslogE.32783 24820 0 8760 0 ESTABLISHED CENTRAL.shell syslogC.33926 24820 0 8760 0 ESTABLISHED CENTRAL.22 host.1624 51968 0 10136 0 ESTABLISHED CENTRAL.shell syslogD.44934 5840 0 10136 0 ESTABLISHED
SYSLOGC: TCP: IPv4 Local Address Remote Address Swind Send-Q Rwind Recv-Q State -------------------- -------------------- ----- ------ ----- ------ ------- syslogC.33926 CENTRAL.shell 8760 0 24820 0 ESTABLISHED SyslogC.22 host.4663 57920 0 24616 0 ESTABLISHED
Notice that the active conection is the one from SyslogC port 33926, but CentralSyslog has 3 established connections (33924, 33925 and 33926), 33924 is active since some days ago, but doesn't exist in the original server. The problem is that my total connections allowed start to fill up and then I can no longer connect. Any ideas on what could this be?
Maybe there were some network outages and the connection on the client timed out, but as there are no packets for established connections without traffic this connection remained in the server's connection table. A possible solution is to enable TCP keep-alive, which periodically sends probes for established connections, and reports an error if the peer does not react to a probe, you can enable this by setting tcp-keep-alive option to yes, for example: source s_tcp { tcp(port(2000) tcp-keep-alive(yes)); }; -- Bazsi _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On Tue, 2004-12-28 at 10:35 -0300, ARGEXT-HIDALGO, FRANCISCO wrote:
Thanks for the response, I'll test it now, but the documentation says that this is the default behaviour, so I'm not sure if this will change anything. On the other hand, shouldn't the OS drop these connections?, some of them have days there, and this monday, there where almost 40 dead connections that where "ESTABLISHED".
I'm sorry but no, the OS does not reap these connections. Some application layer timeout could solve the issue, though at the same time it might also cause other problems like message drops. Where did you read that it was default? <row> <entry>tcp-keep-alive()</entry> <entry>yes or no</entry> <entry> Available for tcp() only, and specifies whether to enable TCP keep alive messages using the SO_KEEPALIVE socket option. </entry> <entry>no</entry> </row> Nevertheless looking at the source it seems not to be enabled by default. But if you tell me a reference I'll fix the documentation. -- Bazsi
participants (2)
-
ARGEXT-HIDALGO, FRANCISCO
-
Balazs Scheidler