TIME_WAIT
After a TCP/IP connection between a client and a server is established and the socket is later closed, the port of the server-side connection shows as TIME_WAIT. The side that closes actively enters the TIME_WAIT state after sending the final ACK and stays there for 2MSL (twice the maximum segment lifetime).
This is an essential part of TCP/IP, not a problem to be "solved": the designers of TCP/IP intended it to behave this way.
There are two main reasons for it:
1. To prevent packets from the previous connection that were delayed or lost from reappearing and interfering with a new connection
(after 2MSL, every duplicate packet from the previous connection will have disappeared)
2. To close TCP connections reliably
The final ACK (acknowledging the peer's FIN) sent by the actively closing side may be lost. The passive side then retransmits its FIN, and if the active side were already in the CLOSED state it would answer with RST rather than ACK. So the active side must be in TIME_WAIT, not CLOSED.
TIME_WAIT does not consume a significant amount of resources unless the system is under attack.
Also, if either side's send or recv times out, it goes directly into the CLOSED state.
netstat -an
Running this shows that there are many TIME_WAIT connections on the system. Use the following command to see the breakdown by state:
netstat -n | awk '/^tcp/ { ++s[$NF] } END { for (a in s) print a, s[a] }'
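As an added example (not from the original post), here is a small shell script that applies the same awk state count to netstat-style output. The connection lines are constructed sample data so the script runs offline; on a real host, pipe `netstat -an` or `ss -tan` into count_tcp_states instead.

```shell
#!/bin/sh
# Added example (not from the original post): count TCP connection states from
# netstat-style output. SAMPLE_NETSTAT is constructed sample data so the script
# runs offline; on a real host feed it `netstat -an` (or `ss -tan`) instead.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             10.0.0.20:51234         ESTABLISHED
tcp        0      0 10.0.0.5:44120          10.0.0.30:8080          TIME_WAIT
tcp        0      0 10.0.0.5:44121          10.0.0.30:8080          TIME_WAIT
tcp        0      0 10.0.0.5:44122          10.0.0.30:8080          TIME_WAIT
tcp        0      0 10.0.0.5:44123          10.0.0.30:8080          FIN_WAIT2
tcp6       0      0 :::22                   :::*                    LISTEN'

# count_tcp_states: read netstat output on stdin, print "STATE count" lines
# sorted by state name. Same awk as the post, with consistent case: awk is
# case-sensitive, so the array (s) and loop variable (a) must match exactly.
count_tcp_states() {
    awk '/^tcp/ { ++s[$NF] } END { for (a in s) print a, s[a] }' | sort
}

# state_count STATE: number of connections in one state in the constructed
# sample (prints 0 if the state does not appear at all).
state_count() {
    n=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_tcp_states \
        | awk -v st="$1" '$1 == st { print $2 }')
    echo "${n:-0}"
}

# Example run on the constructed sample: prints one line per state.
printf '%s\n' "$SAMPLE_NETSTAT" | count_tcp_states
```

Note that the `/^tcp/` pattern also matches `tcp6` lines, so IPv6 listeners are counted together with IPv4 ones; a large TIME_WAIT count relative to ESTABLISHED is the signature described in the post.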
The specific way to fix it:
vim /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
Turns on SYN cookies: when the SYN wait queue overflows, cookies are used to protect against small-scale SYN attacks. Defaults to 0, meaning off.
net.ipv4.tcp_tw_reuse = 1
Turns on reuse: allows TIME_WAIT sockets to be reused for new TCP connections. Defaults to 0, meaning off.
net.ipv4.tcp_tw_recycle = 1
Turns on fast recycling of TIME_WAIT sockets on a TCP connection. Defaults to 0, meaning off.
net.ipv4.tcp_fin_timeout = 30
Changes the system's default timeout.
/sbin/sysctl -p    # takes effect after saving
At present, the best approach is to make each TIME_WAIT expire early.
On Linux this can be configured as follows:
# Allow the TIME_WAIT state to be reused, so that even if TIME_WAIT fills all ports, new requests are not refused
echo "1" > /proc/sys/net/ipv4/tcp_tw_reuse
# Recycle TIME_WAIT as quickly as possible; I don't know exactly how long it takes, but it was observed to be about one second
echo "1" > /proc/sys/net/ipv4/tcp_tw_recycle
# Check the system's local available port range
cat /proc/sys/net/ipv4/ip_local_port_range
This command returns two numbers; the default is 32768 61000, meaning the machine can make 61000 - 32768 = 28,232 outgoing connections. Note that this limits outgoing connections from the local machine, not all connections on the machine, so it does not affect the number of inbound connections to port 80 on this machine. It does, however, limit the number of connections from the proxy server (nginx) to the app servers. Because nginx forwards to the app asynchronously, the links are fast and very few connections accumulate. If there is a bandwidth problem between nginx and the app servers, or a problem in the app server itself, connections may build up; in that case you can set nginx's proxy timeout so that connections are released as soon as possible. In general, very few setups ever use all 28,232 connections.
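An added example, not from the original post, that audits a sysctl fragment containing the keys set above (both in /etc/sysctl.conf and via /proc/sys). The fragment is constructed from the post's own values. The findings it prints are the caveats a practitioner would want before applying them: tcp_tw_recycle was removed in Linux 4.12 and, on older kernels, drops connection attempts from clients behind NAT because it relies on per-IP timestamps; tcp_tw_reuse only affects outgoing connections, such as a proxy's connections to its backends; and tcp_fin_timeout sets the FIN_WAIT_2 timer rather than the length of TIME_WAIT, which Linux fixes at 60 seconds (TCP_TIMEWAIT_LEN) and does not expose as a tunable.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sysctl fragment for the
# TIME_WAIT-related keys the post sets. SAMPLE_CONF is a constructed copy of the
# post's own settings so the script runs offline; pipe a real /etc/sysctl.conf
# into audit_tw_conf to check a host.

SAMPLE_CONF='# TIME_WAIT tuning from the post (constructed sample)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30'

# conf_value KEY: print the value of KEY from sysctl-style text on stdin.
# Comments and lines without "=" are skipped; the last assignment wins, as it
# does for sysctl itself; prints an empty line if the key is absent.
conf_value() {
    awk -F= -v k="$1" '
        /^[ \t]*#/ || !/=/ { next }
        {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) v = val
        }
        END { print v }'
}

# audit_tw_conf: read sysctl text on stdin, print one finding per line.
audit_tw_conf() {
    conf=$(cat)
    if [ "$(printf '%s\n' "$conf" | conf_value net.ipv4.tcp_tw_recycle)" = "1" ]; then
        echo "tcp_tw_recycle=1: removed in Linux 4.12; on older kernels it rejects SYNs from clients behind NAT"
    fi
    if [ "$(printf '%s\n' "$conf" | conf_value net.ipv4.tcp_tw_reuse)" = "1" ]; then
        echo "tcp_tw_reuse=1: only affects outgoing connections (e.g. a proxy to its backends)"
    fi
    fin=$(printf '%s\n' "$conf" | conf_value net.ipv4.tcp_fin_timeout)
    if [ -n "$fin" ]; then
        echo "tcp_fin_timeout=$fin: sets the FIN_WAIT_2 timer, not the TIME_WAIT duration (fixed at 60s)"
    fi
}

# finding_count: number of findings for the constructed sample.
finding_count() {
    printf '%s\n' "$SAMPLE_CONF" | audit_tw_conf | wc -l | tr -d ' '
}

# Example run on the constructed sample: prints three findings.
printf '%s\n' "$SAMPLE_CONF" | audit_tw_conf
```

On a current kernel the tcp_tw_recycle line in sysctl.conf is simply an unknown key and `sysctl -p` reports an error for it; tcp_tw_reuse and tcp_syncookies remain the settings that actually apply.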