WEB server TCP: timewaitbuckettableoverflow error troubleshooting

WEB server TCP: timewaitbuckettableoverflow error check log inspection found that the company's web server has always reported an error, information: Jul515: 40: 37 mailkernel: printk: 272messagessuppressed. Jul515: 40: 37mailk...
WEB server TCP: time wait bucket table overflow error check log inspection found that the company's web server has been reporting an error, the information is as follows: Jul 5 15:40:37 mail kernel: printk: 272 messages suppressed. jul 5 15:40:37 mail kernel: TCP: time wait bucket table overflowJul 5 15:40:37 mail kernel: TCP: time wait bucket table overflowJul 5 15:40:43 mail kernel: printk: 92 messages suppressed. jul 5 15:40:43 mail kernel: TCP: time wait bucket table overflow (TCP: time wait bucket table) www. 2cto.com according to the error message, you need to change the kernel parameter net. ipv4.tcp _ max_tw_buckets. This parameter is the maximum number of timewait sockets that the system maintains at the same time. If this number is exceeded, the time-wait socket is immediately cleared and a warning message is printed. This restriction is only used to prevent simple DoS attacks. you must not rely too much on it or manually reduce this value. if the network actually needs to be larger than the default value, this value should be increased (if the memory is increased ). Solution: increase the value of tcp_max_tw_buckets. the smaller the value, the better. I have seen that most of TIME_WAIT in my system is generated by php-fpm, the maximum number of timewait sockets processed by the system at the same time. If this number is exceeded? The time-wait socket is immediately cut down and a warning message is displayed. Is this restriction set? Simply to defend against those simple DoS attacks? Do not artificially reduce this restriction? But? If more network conditions are required than default values? You can increase it (or increase the memory ). Netstat-an | grep 9000 | awk '{print $6}' | sort | uniq-c | sort-rnnetstat-an | grep 80 | awk '{print $6}' | sort | uniq-c | sort-rn www.2cto.com troubleshooting steps: 1. view the network connection status of the server. [root @ mail ~] # Netstat-pant | awk '/^ tcp/{++ state [$6]} END {for (key in state) printf ("%-10s \ t % d \ n", key, state [key])} 'Time _ WAIT 4944CLOSE_WAIT 1FIN_WAIT1 93FIN_WAIT2 66 ESTABLISHED 292SYN_RECV 29 CLOSING 32LAST_ACK 9 LISTEN 14 [root @ mail ~] # Www.2cto.com 2. check the kernel parameter vi/etc/sysctl. conf. ipv4.tcp _ max_tw_buckets = 5000 changed to: net. ipv4.tcp _ max_tw_buckets = 10000 3. make the changed kernel parameters take effect sysctl-p 4. view the network connection status of the server again; [root @ mail ~] # Netstat-pant | awk '/^ tcp/{++ state [$6]} END {for (key in state) printf ("%-10s \ t % d \ n", key, state [key])} 'Time _ WAIT 6644 CLOSE_WAIT 1FIN_WAIT1 93FIN_WAIT2 66 ESTABLISHED 292SYN_RECV 29 CLOSING 32LAST_ACK 9 LISTEN 14 5. # Check the/var/log/messages and dmesg information again. no error is reported. ipv4.tcp _ max_tw_buckets = 10000 currently, www.2cto.com 6 is enough. the cause is that the number of TCP connections on the server exceeds the maximum number defined by the kernel.