TCP tuning

From: Marc Girod (girod_at_shire.ntc.nokia.com)
Date: 10/27/04

• Next message: Security Alert: "SSRT3622 rev.4 HP-UX Bind v920 Denial of Service (DoS)"
• Previous message: Marcin 'Rambo' Roguski: "Re: WTB/WTG; Unusable HPPA CPU"
• Next in thread: Rick Jones: "Re: TCP tuning"
• Reply: Rick Jones: "Re: TCP tuning"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Wed, 27 Oct 2004 10:08:46 GMT

Hello,

We are trying to optimize some host for use as ClearCase shipping
servers. In this job, they are dedicated to receive and forward
packets of variable size over tcp, through firewalls, often too
distant destinations.

We are currently looking at tcp parameters, after noticing in the
output of "netstat -a | grep shipping" that many of our dedicated
ports remain for long in 'TIME_WAIT' state (also 'FIN_WAIT_2' and
maybe others).

We looked more precisely (and modified) at:

# ndd -get /dev/tcp tcp_time_wait_interval
60000
# ndd -set /dev/tcp tcp_time_wait_interval 10000

and noticed also:

tcp_rexmit_interval_initial 1500
tcp_rexmit_interval_max 60000

We found some hints in a k-mine page suggeting that the 'max' value
could be changed too, and that tcp_time_wait_interval should be an
integer multiple of the 'initial' value.

On an other hand, we guessed that:

TJ> After digging deeper into TIME_WAIT issue, it probably has no
TJ> (big) impact in this case. Shipping_server seems to be clever
TJ> enough to mark tcp ports as "reusable", so altough there are many
TJ> ports/connections in TIME_WAIT state, the ports can still be
TJ> reused immediately by new connections.

TJ> For example in the following listing there are many TIME_WAIT's on
TJ> a port "shipping59", but the same port is also in a LISTEN state,
TJ> ready for new connections.

Any insights on these issues?

-- 
Marc Girod        P.O. Box 323        Voice:  +358-71 80 25581
Nokia BI          00045 NOKIA Group   Mobile: +358-50 38 78415
Valimo 21 / B616  Finland             Fax:    +358-71 80 64474

• Next message: Security Alert: "SSRT3622 rev.4 HP-UX Bind v920 Denial of Service (DoS)"
• Previous message: Marcin 'Rambo' Roguski: "Re: WTB/WTG; Unusable HPPA CPU"
• Next in thread: Rick Jones: "Re: TCP tuning"
• Reply: Rick Jones: "Re: TCP tuning"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: NFS inconsistent behaviour ... of tcp connections in TIME_WAIT state. ... Why there are so many connections in waiting state? ... and remote port so the ports stay in use for a few minutes. ... I ran out of privileged ports due to treemounting on /net from about 50 ... (Linux-Kernel) Re: NFS inconsistent behaviour ... of tcp connections in TIME_WAIT state. ... Why there are so many connections in waiting state? ... and remote port so the ports stay in use for a few minutes. ... I'd switch to NFS over udp if this is problem. ... (Linux-Kernel) Re: can I use keep-state for icmp rules? ... if you're like me and allow incoming established connections to any port, ... unless he connects withough sending a "connect" packet first - ie ... >> the impression that ipfwactually tracks the state of TCP ... > internal tcp ports that might not normally have external access available? ... (FreeBSD-Security) Re: Confused newbie ... TCP 192.168.1.3:1045 64.12.25.84:5190 ESTABLISHED ... and configuring zone alarm to make sure my home network is secure. ... > are protected and my ports dont exist and are in stealth mode. ... > listening and some have established connections to ip's/ports. ... (alt.computer.security) Re: R2 in-place upgrade bug ? ..HELP ... Application protocol Protocol Ports ... Global Catalog Server TCP 3269 ... The upgraded R2 DC does not accept incoming connections, ... (microsoft.public.windows.server.active_directory)

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint