Re: [squid-users] 2.4STABLE1 hangs for a few minutes on Linux 2.2.18

From: Alain Fauconnet <alain@dont-contact.us>
Date: Thu, 22 Nov 2001 16:22:24 +0700

Thanks for the reply!

On Thu, Nov 22, 2001 at 10:12:47AM +0100, Henrik Nordstrom wrote:
> On Thursday 22 November 2001 08.59, Alain Fauconnet wrote:
>
> > ... it would "stop listening" to its port (3128) for a
> > length of time ranging from 1 to 15 minutes. It means that a telnet to
> > this port does *NOT* get connection refused, but the connection
> > doesn't establish either. It stops at "Trying...". Tcpdump shows the
> > SYN packet coming, then nothing else.
>
> Smells like your connection backlog queue is filled by some junk which does
> not get out of there..
>
> Try increasing the SYN backlog queue.
> echo NNN >/proc/sys/net/ipv4/tcp_max_syn_backlog
>

This one I've set to 128 already as written in my first posting.

> It could also help to enable the SYN flood defender mechanisms such as
> syncookies in the kernel..
>
> echo 1 >/proc/sys/net/ipv4/tcp_syncookies

This one is not set yet.

>
> A reliable way to diagnose if the SYN backlog is the problem is to not make
> the above changes and instead set up a second http_port. If Squid still
> accepts new connections on this second port when there are problems with the
> first then your problem is with 100% certainty the SYN backlog queue, and the
> above mechanisms (preferably in combination) will solve your problem.
>

The SYN backlog queue is then a per-port resource, right? (Sorry if
that's a stupid question.)

I'll try this and summarize.

Thanks again,
_Alain_
Received on Thu Nov 22 2001 - 02:22:32 MST
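
A companion check for the second-http_port test discussed above, as an added example that is not part of the original thread: it counts half-open (SYN_RECV) connections per local port from a table in /proc/net/tcp format, so a stalled port can be compared with a healthy one. The function names and the sample table (ports 3128 and 8080, documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Column 4 of /proc/net/tcp is the socket state in hex:
# 01 = ESTABLISHED, 03 = SYN_RECV (half-open), 0A = LISTEN.

# Read a /proc/net/tcp-format table on stdin, print "port count" per local port.
syn_recv_per_port() {
    awk '
    function hex(s,  i, v) {            # portable hex to decimal
        s = toupper(s); v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
        return v
    }
    NR > 1 && $4 == "03" { split($2, a, ":"); n[hex(a[2])]++ }
    END { for (p in n) print p, n[p] }' | sort -n
}

# Half-open count for one port given as $1 (prints 0 when none are queued).
syn_recv_on_port() {
    syn_recv_per_port | awk -v p="$1" '$1 == p { c = $2 } END { print c + 0 }'
}

# Constructed sample: listeners on 3128 and 8080, three half-open
# connections on 3128, one established connection on 8080.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A00000A:0C38 010200C0:C001 03 00000000:00000000 01:00000050 00000001     0        0 0
   3: 0A00000A:0C38 020200C0:C002 03 00000000:00000000 01:00000050 00000001     0        0 0
   4: 0A00000A:0C38 030200C0:C003 03 00000000:00000000 01:00000050 00000002     0        0 0
   5: 0A00000A:1F90 040200C0:C004 01 00000000:00000000 00:00000000 00000000    23        0 1003
EOF
}

# Show the two settings named in the thread when they are readable on this host.
for f in tcp_max_syn_backlog tcp_syncookies; do
    [ -r "/proc/sys/net/ipv4/$f" ] && echo "$f=$(cat "/proc/sys/net/ipv4/$f")"
done

# With a readable file argument (e.g. /proc/net/tcp) report on it,
# otherwise report on the constructed sample.
if [ -r "${1:-}" ]; then cat "$1"; else sample_table; fi | syn_recv_per_port
```

A count on the stalled port that sits at the tcp_max_syn_backlog value while the second port stays near zero matches the symptom described in the thread.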
