CentOS optimization configuration of kernel TCP parameters

Source: Internet
Author: User
Tags: ack, socket, centos, nginx, reverse proxy

Does every socket that performs an active close enter the TIME_WAIT state? Is there any case in which the actively closed socket goes directly to CLOSED? The answer is that the side performing the active close enters TIME_WAIT after sending the last ACK and stays there for 2MSL (twice the Maximum Segment Lifetime). This is an essential part of TCP/IP, not a problem to be "solved" away.
The designers of TCP/IP did this for two main reasons:
First, to prevent delayed packets from the previous connection from reappearing and affecting a new connection (after 2MSL, all duplicate packets from the old connection have expired).
Second, to close TCP connections reliably. The last ACK sent by the active closer may be lost; if it is, the passive side retransmits its FIN, and if the active side were already in CLOSED it would answer with RST instead of ACK. Therefore the active side must be in TIME_WAIT rather than CLOSED. In addition, TIME_WAIT does not consume a large amount of resources unless the server is under attack.
On the Squid server, you can run the following command to view the current connection statistics:

# netstat -n | awk '/^tcp/ {++s[$NF]} END {for (a in s) print a, s[a]}'
LAST_ACK 14
SYN_RECV 348
ESTABLISHED 70
FIN_WAIT1 229
FIN_WAIT2 30
CLOSING 33
TIME_WAIT 18122

CLOSED: No connection is active or in progress.
LISTEN: The server is waiting for an incoming call.
SYN_RECV: A connection request has arrived and is awaiting confirmation.
SYN_SENT: The application has started to open a connection.
ESTABLISHED: Normal data transfer state.
FIN_WAIT1: The application has said it is finished.
FIN_WAIT2: The other side has agreed to release.
CLOSING: Both sides are trying to close at the same time.
TIME_WAIT: A release has been initiated by the other side.
LAST_ACK: Waiting for all packets to die.

In other words, this command tallies the current system's network connections by state.
On a high-concurrency Squid server under Linux, the number of TCP sockets in TIME_WAIT can often reach twenty or thirty thousand, and the server can easily be dragged down. However, we can reduce the number of TIME_WAIT sockets on the Squid server by modifying the Linux kernel parameters, starting with the following command:
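As an added example (not code from the article), a POSIX sh script that performs the same per-state tally as the article's one-liner and then checks the TIME_WAIT count against a tcp_max_tw_buckets value, so the check can run from cron or a monitoring agent. The netstat output below is constructed, not captured from a real host; the 80% warning threshold is an assumed choice.

```shell
#!/bin/sh
# Constructed sample of `netstat -n` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:3128           10.0.0.21:51234         ESTABLISHED
tcp        0      0 10.0.0.5:3128           10.0.0.22:51235         TIME_WAIT
tcp        0      0 10.0.0.5:3128           10.0.0.23:51236         TIME_WAIT
tcp        0      0 10.0.0.5:3128           10.0.0.24:51237         SYN_RECV
tcp        0      0 10.0.0.5:3128           10.0.0.25:51238         TIME_WAIT
tcp6       0      0 ::1:3128                ::1:40000               FIN_WAIT2
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Same tally as the article's one-liner: count tcp/tcp6 rows by their last field (the state).
tcp_state_summary() {
    printf '%s\n' "$1" | awk '/^tcp/ {++s[$NF]} END {for (a in s) print a, s[a]}' | sort
}

# Count of one specific state (e.g. TIME_WAIT); prints 0 when the state is absent.
tcp_state_count() {
    printf '%s\n' "$2" | awk -v st="$1" '/^tcp/ && $NF == st {n++} END {print n+0}'
}

# Compare the TIME_WAIT count with a tcp_max_tw_buckets value. Once the kernel hits that
# limit it drops new TIME_WAIT sockets and logs a warning, so warn at 80% (assumed threshold).
timewait_check() {
    tw=$(tcp_state_count TIME_WAIT "$1")
    limit=$2
    if [ "$tw" -ge $((limit * 80 / 100)) ]; then
        echo "WARN: TIME_WAIT=$tw is at or above 80% of tcp_max_tw_buckets=$limit"
    else
        echo "OK: TIME_WAIT=$tw is within tcp_max_tw_buckets=$limit"
    fi
}

tcp_state_summary "$SAMPLE_NETSTAT"
timewait_check "$SAMPLE_NETSTAT" 5000
```

On a live host, replace the constructed sample with `$(netstat -n)` or `$(ss -tan)` output and read the limit from `sysctl -n net.ipv4.tcp_max_tw_buckets`.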

# vim /etc/sysctl.conf

Then, add the following parameters:

# for Squid servers
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle rejects clients behind NAT and was removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000

The meanings of the parameters are as follows:

net.ipv4.tcp_syncookies = 1 enables SYN cookies. When the SYN wait queue overflows, cookies are used to handle new requests, which protects against small SYN-flood attacks. The default is 0 (disabled).
net.ipv4.tcp_tw_reuse = 1 enables reuse: sockets in TIME_WAIT may be used again for new TCP connections. The default is 0 (disabled).
net.ipv4.tcp_tw_recycle = 1 enables fast recycling of TIME_WAIT sockets. The default is 0 (disabled).
net.ipv4.tcp_fin_timeout = 30: if a socket is closed by the local end, this parameter determines how long it remains in the FIN_WAIT2 state.
net.ipv4.tcp_keepalive_time = 1200 sets how often TCP sends keepalive probes when keepalive is enabled. The default is 2 hours; this sets it to 20 minutes.
net.ipv4.ip_local_port_range = 1024 65000 sets the port range used for outgoing connections. The default range, 32768 to 61000, is small; this changes it to 1024 to 65000.
net.ipv4.tcp_max_syn_backlog = 8192 sets the length of the SYN queue. The default is 1024; raising it to 8192 lets more half-open connections wait to be accepted.
net.ipv4.tcp_max_tw_buckets = 5000 sets the maximum number of TIME_WAIT sockets the system keeps at the same time. If this number is exceeded, the TIME_WAIT socket is cleared immediately and a warning message is printed. The default is 180000; here it is changed to 5000. For Apache, Nginx and similar servers, the parameters introduced above are very effective at reducing the number of TIME_WAIT sockets, but for Squid their effect is limited. With this parameter you can cap the number of TIME_WAIT sockets and prevent the Squid server from being dragged down by a huge number of them.

Run the following command for the kernel configuration to take effect immediately:

# /sbin/sysctl -p

If you run a web server such as Apache or Nginx, or an Nginx reverse proxy, you only need to change the following:

# for web servers such as Apache or Nginx, or an Nginx reverse proxy
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000

If it is a mail server, the recommended kernel settings are as follows:

# for mail servers
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 5000 65000
kernel.shmmax = 134217728

Finally, remember to run sysctl -p so that the kernel configuration takes effect:

# /sbin/sysctl -p
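As an added example (not code from the article), a small POSIX sh linter to run over a sysctl.conf fragment before `sysctl -p`. It flags two things a practitioner checks in profiles like the ones above: keys with capital letters, which the kernel does not recognise because /proc/sys paths are case-sensitive, and net.ipv4.tcp_tw_recycle, which rejects connections from clients behind NAT (it drops SYNs carrying older timestamps per source IP) and was removed in Linux 4.12. The sample fragment below is constructed to contain both problems.

```shell
#!/bin/sh
# Constructed sysctl.conf fragment (not from a real host) with a capitalised key
# and tcp_tw_recycle enabled.
SAMPLE_CONF='# for Squid servers
Net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_tw_buckets = 5000'

# Print one finding per line; print nothing when the fragment is clean.
lint_sysctl_conf() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*(#|$)/ { next }                  # skip comments and blank lines
        { key = $1; gsub(/[[:space:]]/, "", key) }     # key is the text before "="
        key ~ /[A-Z]/ { print "uppercase key (sysctl keys are case-sensitive): " key }
        key == "net.ipv4.tcp_tw_recycle" { print "unsafe/removed setting: " key }
    '
}

# Emit a corrected fragment: keys lowercased, tcp_tw_recycle dropped, comments kept.
fix_sysctl_conf() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*(#|$)/ { print; next }
        { key = tolower($1); gsub(/[[:space:]]/, "", key)
          val = $2; sub(/^[[:space:]]+/, "", val) }
        key == "net.ipv4.tcp_tw_recycle" { next }
        { print key " = " val }
    '
}

echo "--- findings ---"
lint_sysctl_conf "$SAMPLE_CONF"
echo "--- corrected fragment ---"
fix_sysctl_conf "$SAMPLE_CONF"
```

On a real host, pass `$(cat /etc/sysctl.conf)` to lint_sysctl_conf and review the findings before applying the file.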
