[syslog-ng]Problem with TCP connection not timing out

ARGEXT-HIDALGO, FRANCISCO syslog-ng@lists.balabit.hu
Tue, 28 Dec 2004 10:35:21 -0300


Thanks for the response, I'll test it now, but the documentation says that this is the default behaviour, so I'm not sure if this will change anything.
On the other hand, shouldn't the OS drop these connections? Some of them have been there for days, and this Monday there were almost 40 dead connections that were "ESTABLISHED".


-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu
[mailto:syslog-ng-admin@lists.balabit.hu]On Behalf Of Balazs Scheidler
Sent: Monday, December 27, 2004 05:58 p.m.
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Problem with TCP connection not timing out


On Wed, 2004-12-22 at 17:16 -0300, ARGEXT-HIDALGO, FRANCISCO wrote:
> I'm really not sure what the problem is, I'm logging with a server in different countries and they send through TCP the logs to a central server. The problem I'm having is that the central server is not dropping TCP connections that no longer exist.
> As an example:
>
> CENTRAL SERVER:
> TCP
>    Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
> -------------------- -------------------- ----- ------ ----- ------ -------
> CENTRAL.shell           syslogA.33969   5840      0 10136      0 ESTABLISHED
> CENTRAL.shell           syslogB.4930     5840      0 10136      0 ESTABLISHED
> CENTRAL.shell           syslogC.33924 24820      0  8760      0 ESTABLISHED
> CENTRAL.shell           syslogC.33925 24820      0  8760      0 ESTABLISHED
> CENTRAL.shell           syslogD.44925  5840      0 10136      0 ESTABLISHED
> CENTRAL.shell           syslogE.32783 24820      0  8760      0 ESTABLISHED
> CENTRAL.shell           syslogC.33926 24820      0  8760      0 ESTABLISHED
> CENTRAL.22              host.1624 51968      0 10136      0 ESTABLISHED
> CENTRAL.shell           syslogD.44934  5840      0 10136      0 ESTABLISHED
>
> SYSLOGC:
> TCP: IPv4
>    Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
> -------------------- -------------------- ----- ------ ----- ------ -------
> syslogC.33926         CENTRAL.shell  8760      0 24820      0 ESTABLISHED
> SyslogC.22            host.4663            57920      0 24616      0 ESTABLISHED
>
>
> Notice that the active connection is the one from SyslogC port 33926, but CentralSyslog has 3 established connections (33924, 33925 and 33926), 33924 is active since some days ago, but doesn't exist in the original server. The problem is that my total connections allowed start to fill up and then I can no longer connect.
> Any ideas on what this could be?

Maybe there were some network outages and the connection on the client
timed out, but as there are no packets for established connections
without traffic this connection remained in the server's connection
table.

A possible solution is to enable TCP keep-alive, which periodically
sends probes for established connections and reports an error if the
peer does not react to a probe. You can enable this by setting the
tcp-keep-alive option to yes, for example:

source s_tcp { tcp(port(2000) tcp-keep-alive(yes)); };

--
Bazsi
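
The comparison made by hand in the quoted message (the central server still lists syslogC ports 33924, 33925 and 33926 while SyslogC itself only has 33926) can be automated. The following is an added example, not part of the original thread; the rows are copied from the two tables above, while the function names and the rule that a data row has exactly 7 columns are assumptions about this netstat layout.

```python
# Added example: find half-open TCP connections by comparing both ends' netstat views.
# Rows are copied from the tables in the thread. Assumption: a data row has exactly
# 7 whitespace-separated columns and endpoints are written as "host.port".

CENTRAL = """\
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
CENTRAL.shell           syslogA.33969   5840      0 10136      0 ESTABLISHED
CENTRAL.shell           syslogB.4930     5840      0 10136      0 ESTABLISHED
CENTRAL.shell           syslogC.33924 24820      0  8760      0 ESTABLISHED
CENTRAL.shell           syslogC.33925 24820      0  8760      0 ESTABLISHED
CENTRAL.shell           syslogD.44925  5840      0 10136      0 ESTABLISHED
CENTRAL.shell           syslogE.32783 24820      0  8760      0 ESTABLISHED
CENTRAL.shell           syslogC.33926 24820      0  8760      0 ESTABLISHED
CENTRAL.22              host.1624 51968      0 10136      0 ESTABLISHED
CENTRAL.shell           syslogD.44934  5840      0 10136      0 ESTABLISHED
"""

SYSLOGC = """\
syslogC.33926         CENTRAL.shell  8760      0 24820      0 ESTABLISHED
SyslogC.22            host.4663            57920      0 24616      0 ESTABLISHED
"""

def established(netstat_text):
    """Return the set of (local, remote) endpoints in state ESTABLISHED."""
    pairs = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header, ruler and blank lines do not have 7 columns ending in ESTABLISHED.
        if len(fields) != 7 or fields[6] != "ESTABLISHED":
            continue
        # Host names appear in mixed case in the thread, so compare in lower case.
        pairs.add((fields[0].lower(), fields[1].lower()))
    return pairs

def half_open(server_text, client_text, client_host):
    """Server-side connections from client_host that the client no longer holds."""
    client_view = established(client_text)
    stale = []
    for local, remote in sorted(established(server_text)):
        host = remote.rsplit(".", 1)[0]  # strip the trailing ".port"
        # A live connection shows up mirrored (local/remote swapped) on the client.
        if host == client_host.lower() and (remote, local) not in client_view:
            stale.append((local, remote))
    return stale

if __name__ == "__main__":
    for local, remote in half_open(CENTRAL, SYSLOGC, "syslogC"):
        print(f"stale on server: {local} <- {remote}")
```

Only entries for a client whose own table was collected can be judged; the other hosts in the central table are ignored unless their netstat output is passed in as well.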



