Modify

Opened 5 years ago

Last modified 4 years ago

#12976 new enhancement

default nf_conntrack_tcp_timeout_established too short

Reported by: chaujc+openwrt@… Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: Cc:

Description

I know that the default value for net.netfilter.nf_conntrack_tcp_timeout_established was shortened from 5 days (432000 seconds) to 1 hour (3600 seconds) in response to ticket #8865. However, I believe that this shorter timeout is too short.

By default (on a Linux system), net.ipv4.tcp_keepalive_time is 7200 seconds. This is the interval of time between the when last data packet was sent for the connection and when a keep-alive packet is sent.

Setting nf_conntrack_tcp_timeout_established (3600) to less than tcp_keepalive_time (7200) causes the connection to terminate before the (Linux) hosts at the ends of the connection get a chance to keep keep the connection alive.

For example, with a longer nf_conntrack_tcp_timeout_established (e.g., 14400 seconds or 4 hours), an idle SSH session that isn't closed by its endpoints can remain open indefinitely, as intended by the endpoints. I believe that this behaviour is preferable to having a router in the middle terminate the connection before the endpoints are ready to do so, even if the connection is temporarily idle for an hour.

Please extend the default net.netfilter.nf_conntrack_tcp_timeout_established in /etc/sysctl.conf to at least 7875 seconds (= tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl = 7200 + 9 * 75 by default) to give the endpoints sufficient time to send keep-alive probes. I personally chose 14400 seconds.

Thanks!

Attachments (0)

Change History (3)

comment:1 Changed 4 years ago by anonymous

As a note, the suggested best practices recommends no less than 7440 seconds for an established connection. See http://tools.ietf.org/html/rfc5382#section-5

REQ-5: If a NAT cannot determine whether the endpoints of a TCP connection are active, it MAY abandon the session if it has been idle for some time. In such cases, the value of the "established connection idle-timeout" MUST NOT be less than 2 hours 4 minutes. The value of the "transitory connection idle-timeout" MUST NOT be less than 4 minutes.

comment:2 Changed 4 years ago by volkan-k@…

It may be better idea to change keep-alive settings to real-world values. My total timeout value here makes 1800 seconds after following the example @ http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/usingkeepalive.html

comment:3 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

Add Comment

Modify Ticket

Action
as new .
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.