Re: Dropped connections with tcp_tw_recycle=1

Sven, tcp_tw_recycle is incompatible with NAT on the server side ... because it will enforce the verification of TCP time stamps. Unless all clients behind a NAT (actually PAD/masquerading) device use identical timestamps (within a certain range), most of them will send invalid TCP

Re: Dropped connections with tcp_tw_recycle=1

Nils Goroll wrote: The outer conditional verifies that the incoming SYN has a timestamp, that tcp_tw_recycle is enabled, and that the origin exists in our peer cache. Note that it only checks the IP of the origin. Doesn't it make sense to also match on port? My understanding is that the

Re: Dropped connections with tcp_tw_recycle=1

Sven, Right, you're saying that the srcaddr+srcport pair of a connection in TIME_WAIT should not be reused under this scheme (i.e. the SYN can be dropped), and I agree. Then I don't understand why a new connection originating from a *different* source port (although from the same source IP)

Re: Dropped connections with tcp_tw_recycle=1

Hi Michael and all, tcp_tw_recycle is incompatible with NAT on the server side ... because it will enforce the verification of TCP time stamps. Unless all clients behind a NAT (actually PAD/masquerading) device use identical timestamps (within a certain range), most of them will send

Re: Dropped connections with tcp_tw_recycle=1

Nils Goroll wrote: tcp_tw_recycle is incompatible with NAT on the server side ... because it will enforce the verification of TCP time stamps. Unless all clients behind a NAT (actually PAD/masquerading) device use identical timestamps (within a certain range), most of them will send invalid

Re: Dropped connections with tcp_tw_recycle=1

Hi Sven, I don't know the basis precise for it, but I can vouch for the fact that tcp_tw_recycle is incompatible with NAT on the server side. I would guess it is because the NAT gateway keeps a connection tracking list and is unhappy that the webserver is trying to reuse the same ip:port hash

Re: Dropped connections with tcp_tw_recycle=1

On Sep 20, 2009, at 6:20 AM, Nils Goroll wrote: tcp_tw_recycle is incompatible with NAT on the server side ... because it will enforce the verification of TCP time stamps. Unless all clients behind a NAT (actually PAD/masquerading) device use identical timestamps (within a certain

Dropped connections with tcp_tw_recycle=1

I was recently debugging an issue where several clients experienced sporadic problems connecting to a website cached by varnish. Every now and then (say, something like every 20-50th TCP connection) would time out, or sometimes take a few SYNs before being accepted. Here's a typical example. It's