|
On Sun, 13 Jun 1999, Wensong Zhang wrote:
> Christopher Seawood wrote:
> > ipchains -M -S 5 5 5
> >
>
> The timeout is in seconds. If you set the timeout of TCP, TCPFIN
> and UDP to 5 seconds, 5 seconds and 5 seconds, I think they are
> too short. Under realistic Internet load, most Internet connections
> last longer than 5 seconds. Please try to set them to 5min, 1min
> and 5min respectively, such as
> ipchains -M -S 300 60 300
> Then check whether the entry of huge timeout still exists.
I even went as far as to not invoke that ipchains rule at all (using the
kernel defaults of 900 120 300). It didn't improve the huge timeout
situation at all. In fact, it seemed to be worse because not only did we
have the huge entries that never timed out but the ones that do timeout
still take longer than is necessary.
I was notified that a PO for LocalDirector was put in today. Apparently,
someone feels that we're getting enough hits to justify the cost. :-/
Some more stats:
our primary vs which has been up for 11 hrs using timeouts of 30,
30, 30 has 5602 entries in its masq table, 1532 of which will "never"
timeout, and 800 that are marked as active.
a secondary vs has been up for 2.5 hrs using timeouts of 300 60 300 has
3521 entries, 228 of which will "never" timeout and 645 marked as active.
Regards,
Christopher
|
