4.10, Jails, apache and FIN_WAIT_1

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Sep 19 04:42:37 PDT 2004 

On Sat, Sep 18, 2004 at 10:48:15PM +0100, Rob wrote:

> The problem is, I'm getting a lot of stalled connections when accessing the 
> webserver.  running netstat on the host shows e.g.:
> 
> 
> tcp4       0      0  jade.http     212.57.246.42.35590    FIN_WAIT_1
> tcp4       0      0  jade.http     212.57.246.42.35585    ESTABLISHED
> tcp4       0      0  jade.http     212.57.246.42.35555    CLOSING
> 
> This one is me - while this FIN_WAIT_1 is present, I cannot persuade my 
> browser (Opera 7.52 on Windows 2K) to work - it sits with "Sending request 
> to www..." in the status line.  Pressing refresh does nothing...  as soon 
> as the FIN_WAIT_1 vanishes, then everything is OK again, for a few more 
> minutes.

FIN_WAIT_1 means that the server is waiting for a FIN packet from the
client to signal that the TCP connection should be torn down.  There's
a few things to check:

    i) Do you have 'tcp_extensions="YES"' in /etc/rc.conf -- or the
       corresponding net.inet.tcp.rfc1323 sysctl set to 1?  That turns
       on the RFC1323 extensions.  Now, RFC1323 has been around long
       enough that just about everything should support it nowadays.
       Try toggling the setting -- turning it off may well make things
       slower, but "slow" is better than "never".  Similarly try
       toggling the net.inet.tcp.rfc1644 sysctl from 0 to 1 -- that
       enables or disables T/TCP

   ii) The TCP_DROP_SYNFIN kernel option (and the corresponding
       tcp_drop_synfin rc.conf variable) can cause problems,
       particularly with HTTP traffic.  As it says in LINT:

        #
        # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
        # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
        # for RFC1644 extensions and is not recommended for web servers.
        #
        options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN

  iii) Last, but probably most likely: if you're running IPFW or ipf
       using dynamic rules, it's possible that the dynamic rules have
       been set to time out too quickly during the shutdown phase of
       the connection, so the FIN packet from the client is getting
       filtered out.  Confirm that by turning off the firewall for
       testing (so long as you're on a protected private network) or
       add a static rule allowing all HTTP traffic between your server
       and your test machine.

Tools like tcpdump(1) and etherreal(1) are invaluable when trying to
debug this sort of networking problem: being able to inspeact exactly
what is passing over the wire helps you make sense of a lot of
puzzling failure modes.

Also read the tuning(7) man page for some more detail on what all
those sysctls and things really do, and when you might want to enabe
them.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040919/71b67fef/attachment.bin

More information about the freebsd-questions mailing list