>
> Hello,
>
> On Tue, 20 Mar 2001, Joseph Mack wrote:
>
> > Henrik,
> >
> > I'm trying to reproduce this problem here. I don't have a client
> > that can produce this many inActConn. Using Julian's testlvs I can only
> > get about 500. I Henrik has a production LVS with many clients
>
> 500 is a very big value. testlvs is very restrictive and its
> default values prevent errors. By default testlvs sends from 254
> different sources. If you change -srcnum you may overload your LAN :)
>
> > from outside.
> >
> > Any better client I can try?
> >
> > You are just looking with ipvsadm and ipchains on the director? (just
> > so I can reproduce what you are doing)
> >
> > Julian,
> >
> > How do you do ipchains -M -L with iptables?
>
> ipvsadm -Lcn
> Not sure for such support in iptables
>
> > Joe
>
>
> Regards
>
> --
> Julian Anastasov <ja@xxxxxx>
>
Hi,

(lvs 0.9.14, kernel 2.2.17)

I managed to get a lower expire time.
An ipchains -M -S 1200 20 0 was not enough.
I did a "sysctl -w net.ipv4.vs.secure_tcp=3"
and "sysctl -w net.ipv4.vs.timeout_timewait=20"
that did what we want ... The expire time is now set to 20
seconds. The question is now, what exactly does secure_tcp=3 do?
"http://www.linuxvirtualserver.org/defense.html" says only a little
about it. Didn't quite figure out what it's all about...

With this lower expire time, we get a far lower amount of "inactconn"
and everything seems to be all right...

net.ipv4.vs.timeout_icmp = 60
net.ipv4.vs.timeout_udp = 180
net.ipv4.vs.timeout_synack = 100
net.ipv4.vs.timeout_listen = 90
net.ipv4.vs.timeout_lastack = 30
net.ipv4.vs.timeout_closewait = 60
net.ipv4.vs.timeout_close = 10
net.ipv4.vs.timeout_timewait = 20
net.ipv4.vs.timeout_finwait = 10
net.ipv4.vs.timeout_synrecv = 10
net.ipv4.vs.timeout_synsent = 60
net.ipv4.vs.timeout_established = 1200
net.ipv4.vs.secure_tcp = 3
net.ipv4.vs.drop_packet = 0
net.ipv4.vs.drop_entry = 0
net.ipv4.vs.am_droprate = 10
net.ipv4.vs.amemthresh = 1024

These are our settings right now... anything not recommended?

With "ab -n 3000 -c 1024 <url>" (apachebench with 3000 requests
and 1024 concurrent connections) we got 50-60 active connections
and 500-600 inactive connections... With -c above 1024 we get a
"socket: too many open files error", a client-side error I think...

The interesting thing to know is, what are the limits for the LVS
(with NAT)... The number of available sockets? 65535 simultaneous
connections? The memory? The masq table?

We did not have it in production yet (Saturday I think). If something
goes wrong we have a Bigip as backup system :) ... but only for backup ...

cu ...
Hendrik Thiel
Falk eSolutions AG
Tel: 02841/9097355
Fax: 02841-9097331
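
Added example, not part of the mailing-list messages above: a way to check from the director whether a lowered timeout_timewait is actually reflected in the connection table, by summarising `ipvsadm -Lcn` output per state. It assumes the `pro expire state source virtual destination` column layout of `ipvsadm -Lcn`; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `ipvsadm -Lcn` connection entries by state.
# Assumed columns: pro  expire(MM:SS)  state  source  virtual  destination

# Constructed sample entries (documentation addresses, not a real capture).
sample_conns() {
cat <<'EOF'
IPVS connection entries
pro expire state       source             virtual            destination
TCP 19:58  ESTABLISHED 192.0.2.10:40112   198.51.100.1:80    10.0.0.2:80
TCP 00:17  TIME_WAIT   192.0.2.10:40098   198.51.100.1:80    10.0.0.2:80
TCP 00:04  TIME_WAIT   192.0.2.11:51220   198.51.100.1:80    10.0.0.3:80
TCP 01:42  TIME_WAIT   192.0.2.12:33871   198.51.100.1:80    10.0.0.3:80
TCP 00:08  FIN_WAIT    192.0.2.13:49001   198.51.100.1:80    10.0.0.2:80
EOF
}

# Print "STATE count max_remaining_seconds" for every state, sorted by name.
ipvs_state_summary() {
    awk '
    $2 !~ /^[0-9]+(:[0-9]+)+$/ { next }   # header lines carry no expire timer
    {
        n = split($2, t, ":"); secs = 0
        for (i = 1; i <= n; i++) secs = secs * 60 + t[i]
        count[$3]++
        if (secs > max[$3]) max[$3] = secs
    }
    END { for (s in count) print s, count[s], max[s] + 0 }
    ' | sort
}

# Count entries in state $1 whose remaining expire exceeds $2 seconds.
# A non-zero result after lowering a timeout means entries created under
# the old value are still draining, or the new value is not being applied.
ipvs_over_timeout() {
    awk -v st="$1" -v lim="$2" '
    $3 == st && $2 ~ /^[0-9]+(:[0-9]+)+$/ {
        n = split($2, t, ":"); secs = 0
        for (i = 1; i <= n; i++) secs = secs * 60 + t[i]
        if (secs > lim) over++
    }
    END { print over + 0 }
    '
}

# On a director: ipvsadm -Lcn | ipvs_state_summary
sample_conns | ipvs_state_summary
```

Entries that are not ESTABLISHED are the ones ipvsadm reports as InActConn, so the per-state counts show which timeout is responsible for a large inactive total.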