Dropped connections with tcp_tw_recycle=1
Nils Goroll
slink at schokola.de
Mon Sep 21 10:38:24 CEST 2009
Hi Michael and all,
>>> tcp_tw_recycle is incompatible with NAT on the server side
>>
>> ... because it will enforce the verification of TCP time stamps. Unless all
>> clients behind a NAT (actually PAD/masquerading) device use identical
>> timestamps (within a certain range), most of them will send invalid TCP
>> timestamps so SYNs will get dropped.
>
> Since you seem pretty knowledgeable on the subject, can you please
> explain the difference between tcp_tw_reuse and tcp_tw_recycle?
I think I have understood the reason why tcp_tw_recycle does not work with NAT
connections, but I must say I haven't fully devoured the Linux TCP
implementation to explain to you the design decisions regarding these two options.
The very basic idea is to re-use TCP connections in TIME_WAIT state, saving the
overhead of destroying and recreating TCP state. I remember that at one point I
thought I had understood the difference, but I can't recall it at the moment.
In short: I can tell you that you *must not* use tcp_tw_recycle for any machine
talking to machines behind masquerading firewalls (iow, only use it inside
isolated networks). But I cannot tell you what exactly it is supposed to do and
what the difference is to tcp_tw_reuse. If anyone finds out, please let me know
as well!
Nils
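To make the NAT failure mode above concrete, here is an added simulation (not from this thread, nor kernel code) of the per-peer timestamp check that tcp_tw_recycle enabled on older Linux kernels. It is a simplified model: the server remembers the last TCP timestamp seen from each source IP and drops a SYN whose timestamp has gone backwards within a 60-second window; the IPs and timestamp clocks are constructed.

```python
"""Simplified model of the tcp_tw_recycle timestamp check (constructed example).

Simplification: the peer's timestamp is recorded on every accepted SYN,
as if the previous connection had already passed through TIME_WAIT.
"""
from dataclasses import dataclass, field

PAWS_MSL = 60      # seconds a recorded peer timestamp stays authoritative
PAWS_WINDOW = 1    # tolerated backwards step of the peer's timestamp clock


@dataclass
class Server:
    recycle: bool = True
    # source IP -> (last TCP timestamp value seen, wall-clock time recorded)
    peers: dict = field(default_factory=dict)

    def syn(self, src_ip: str, ts_val: int, now: float) -> bool:
        """Return True if the SYN is accepted, False if it is dropped."""
        rec = self.peers.get(src_ip)
        if self.recycle and rec is not None:
            last_ts, last_seen = rec
            # Timestamp went backwards for this IP: treated as a stale
            # duplicate and silently dropped, exactly what NAT clients hit.
            if now - last_seen < PAWS_MSL and last_ts - ts_val > PAWS_WINDOW:
                return False
        self.peers[src_ip] = (ts_val, now)
        return True


def simulate(recycle: bool, shared_nat: bool = True):
    """Hosts A and B alternate SYNs; their timestamp clocks differ widely.

    With shared_nat=True both arrive from one masqueraded address
    (constructed: 203.0.113.10); otherwise B has its own address.
    """
    srv = Server(recycle=recycle)
    addr = {"A": "203.0.113.10",
            "B": "203.0.113.10" if shared_nat else "198.51.100.7"}
    clock = {"A": 5_000_000, "B": 20_000}   # constructed timestamp offsets
    results, now = [], 0.0
    for host in "ABABAB":
        clock[host] += 100                    # each host's clock ticks on
        results.append((host, srv.syn(addr[host], clock[host], now)))
        now += 0.1
    return results


if __name__ == "__main__":
    for r, s in ((False, True), (True, True), (True, False)):
        print(f"recycle={r} shared_nat={s}:", simulate(r, s))
```

With recycling on and both hosts behind the same NAT address, every SYN from B is dropped; the same hosts on distinct addresses, or with recycling off, all connect.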
More information about the varnish-misc mailing list