nginx not responding to some SYN packets
is at rambler-co.ru
Tue Feb 10 10:02:09 MSK 2009
On Mon, Feb 09, 2009 at 01:51:12PM -0800, Radek Burkat wrote:
> I have been looking at this issue to try to understand the interactions and
> this is what I have found out so far.
> I can reproduce the issue by decreasing the net.ipv4.tcp_max_syn_backlog
> and setting net.ipv4.tcp_syncookies = 0. It makes sense that when the load
> gets a little high the system does not process the accept fast enough and
> the backlog builds up. When the backlog fills up the ACK to the initial SYN
> is not issued.
> It would seem also that enabling syncookies uses some other mechanism as I
> do not see the dropped connections when I have net.ipv4.tcp_syncookies = 1
> and back log to some small value like net.ipv4.tcp_max_syn_backlog =10.
> From what I read so far is that syncookies goes into action when you hit a
> certain high water mark on your backlog buffer. Raising the backlog value
> and/or enabling syncookies seems like a good idea.
> You can look at how many connection are in the backlog with net stat.
> netstat -aln | grep -c SYN_RECV
> The problem here is that this gives you and instantaneous count of the
> backlog. As you can imagine this backlog is getting filled and cleared at a
> high rate. It would be nice to know when this actually gets full or even
> what the max has been over a period of time. Is there a stat like this in
> net statistics?
> This information seems like it is quite important in determining the
> performance of your server latency.
> In nginx there is the optional backlog variable in the listen configuration.
> I imagine that this maps directly to the system call listen. Though I see
> that the nginx backlog default is -1. How does that translate to the system
> parameter which requires an in above 0.
Yes, backlog may affect this. However, it seems that you run very old
nginx as it had been fixed in 2007:
Changes with nginx 0.6.7 15 Aug 2007
Changes with nginx 0.5.32 24 Sep 2007
*) Bugfix: now nginx uses default listen backlog value 511 on all
platforms except FreeBSD.
Thanks to Jiang Hong.
Now -1 is used on FreeBSD only and it means the maximum available backlog.
Besides, net.ipv4.tcp_max_syn_backlog = 10 is too small.
Also, when kernel has no enough backlog, it usually response with
RST packet, if this is not disabled.
> On Wed, Feb 4, 2009 at 12:29 AM, Olivier B. <nginx.list at daevel.fr> wrote:
> > Hello,
> > have you tried to disable syncookies and/or adjust them ?
> > On the varnish documentation (
> > http://varnish.projects.linpro.no/wiki/Performance ) there is at least
> > this setup (in /etc/sysctl.conf) :
> > net.ipv4.tcp_syncookies = 0
> > net.ipv4.tcp_max_orphans = 262144
> > net.ipv4.tcp_max_syn_backlog = 262144
> > net.ipv4.tcp_synack_retries = 2
> > net.ipv4.tcp_syn_retries = 2
> > and what about netfilter connection tracking ?
> > Olivier
> > Radek Burkat a ?crit :
> >> Thanks Igor, for eliminating one variable for me. I noticed that when I
> >> use a single worker and set the affinity to the same core as the ethernet
> >> interface interrupt I decrease the frequency of the issue but do not
> >> eliminate it. Not sure
> >> Are there any kernel/network debugging tools which reach a little deeper
> >> than tcpdump?
> >> Radek
> >> On Tue, Feb 3, 2009 at 10:11 PM, Igor Sysoev <is at rambler-co.ru <mailto:
> >> is at rambler-co.ru>> wrote:
> >> On Tue, Feb 03, 2009 at 10:07:27PM -0800, Radek Burkat wrote:
> >> > Have a machine running the latest devel version nginx-0.7.33
> >> (tried 0.6.35
> >> > with same results) for serving small (less than 10K images) and
> >> am seeing on
> >> > tcpdump that some SYN packets are not responded to right
> >> away.The browser
> >> > does retransmit these image requests every second and on the 2nd
> >> or 3rd
> >> > resent SYN, I finally start seeing and ACK, and the images load.
> >> > It is very indeterministic as to when it happens and can only
> >> reproduce it
> >> > some of the time. When it does occur the outcome is a page with
> >> some images
> >> > loaded and others (whose SYN packets are not ACKs) are not
> >> loaded.....a few
> >> > seconds later they load.
> >> > Typically the system has ~2000 active connections, most in keep
> >> alive. The
> >> > load is around 100-200 req/sec.
> >> >
> >> > I have tries all sorts of settings and configurations suggested
> >> in the
> >> > maillist but I still dont have the solution for this issue.
> >> from 1 to 4
> >> > workers, changing the connection counts, different even
> >> handlers, kernel
> >> > buffers, etc.
> >> > It just seems so anecdotal to just change a bunch of settings
> >> without being
> >> > able to what is happening internally.
> >> > I'd like to be able to debug a little deeper to find out what is
> >> happening
> >> > to these packets.
> >> >
> >> > How would I go about debugging what is the cause of it. Is it
> >> the interface
> >> > driver, kernel, or nginx? What kind of tools and debugging
> >> options can I
> >> > try next?
> >> nginx has not any relation to TCP handshake (SYN, SYN/ACK, ACK),
> >> this is kernel or driver issue.
> >> > Thanks, Radek
> >> >
> >> >
> >> > System Details
> >> > model name : Intel(R) Xeon(R) CPU X3210 @ 2.13GHz
> >> > Linux n06 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 12:03:43 EST 2008
> >> i686 i686
> >> > i386 GNU/Linux
> >> > eth0
> >> > Advertised auto-negotiation: Yes
> >> > Speed: 1000Mb/s
> >> > Duplex: Full
> >> > Port: Twisted Pair
> >> > PHYAD: 1
> >> > Transceiver: internal
> >> > Auto-negotiation: on
> >> > Supports Wake-on: g
> >> > Wake-on: d
> >> > Current message level: 0x000000ff (255)
> >> > Link detected: yes
> >> > driver: tg3
> >> > version: 3.86
> >> > firmware-version: 5721-v3.61, ASFIPMI v6.21
> >> > bus-info: 0000:05:00.0
> >> >
> >> > avg-cpu: %user %nice %system %iowait %steal %idle
> >> > 0.10 0.00 0.20 2.43 0.00 97.27
> >> > Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s avgrq-sz avgqu-sz
> >> await svctm
> >> > %util
> >> > sda 0.00 0.00 27.40 0.00 443.20 0.00 16.18 0.10 3.50 3.32 9.10
> >> > no overruns or errors on interface.
> >> --
> >> Igor Sysoev
> >> http://sysoev.ru/en/
More information about the nginx