Dropped connections with tcp_tw_recycle=1

Nils Goroll slink at schokola.de
Tue Sep 22 09:19:33 CEST 2009


Sven,

>>> tcp_tw_recycle is incompatible with NAT on the server side
>>
>> ... because it will enforce the verification of TCP time stamps.
>> Unless all clients behind a NAT (actually PAD/masquerading) device
>> use identical timestamps (within a certain range), most of them will
>> send invalid TCP timestamps so SYNs will get dropped.
> 
> I've been digging a bit more. [...]

Thank you very much for your writeup regarding tcp_tw_recycle and timestamp 
verification. This is the part which I think I had already understood ...

> tcp_tw_recycle and _reuse's actual reuse of tw buckets seems to happen
> when setting up outbound connections. I haven't looked at those yet.

... but this is the part which I don't have a good understanding of yet.

> The outer conditional verifies that the incoming SYN has a timestamp,
> that tcp_tw_recycle is enabled, and that the origin exists in our
> peer cache. Note that it only checks the IP of the origin. Doesn't it
> make sense to also match on port?

My understanding is that the fact that the connection is in TIME_WAIT implies 
that the source port should not be reused at this time.

Nils
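
The check discussed above, as an added model written for this thread (not kernel code, not varnish code, and not posted by either participant): incoming SYNs carrying a timestamp are compared against a peer cache keyed on source IP only, exactly the conditional Sven describes, and the scenario of two hosts behind one NAT address is constructed to show why one of them gets its SYNs dropped. The constants TCP_PAWS_MSL (60 s) and TCP_PAWS_WINDOW (1 tick) are the values from 2.6-era include/net/tcp.h; class and function names are made up for the model.

```python
"""Model of the per-peer TCP timestamp check applied to incoming SYNs when
net.ipv4.tcp_tw_recycle=1 (2.6-era Linux). Added illustration for the
varnish-misc thread; not kernel or varnish code."""

from dataclasses import dataclass
from typing import Dict, Optional

TCP_PAWS_MSL = 60      # seconds a remembered peer stamp stays authoritative
TCP_PAWS_WINDOW = 1    # tolerated backward step, in timestamp ticks


def s32(x: int) -> int:
    """Wrap to a signed 32-bit value, as the kernel's (s32) cast does."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x


@dataclass
class PeerStamp:
    tcp_ts: int          # last TSval seen from this IP when a socket hit TIME_WAIT
    tcp_ts_stamp: float  # wall-clock seconds when it was recorded


class TwRecycleServer:
    """Server-side model. The peer cache is keyed by source IP only."""

    def __init__(self, tw_recycle: bool) -> None:
        self.tw_recycle = tw_recycle
        self.peers: Dict[str, PeerStamp] = {}

    def connection_closed(self, src_ip: str, last_tsval: int, now: float) -> None:
        """A socket entered TIME_WAIT: remember the peer's last timestamp."""
        self.peers[src_ip] = PeerStamp(last_tsval, now)

    def handle_syn(self, src_ip: str, src_port: int,
                   tsval: Optional[int], now: float) -> str:
        """Return 'accept' or 'drop' for an incoming SYN."""
        if self.tw_recycle and tsval is not None:
            peer = self.peers.get(src_ip)   # src_port is not part of the key
            if (peer is not None
                    and now - peer.tcp_ts_stamp < TCP_PAWS_MSL
                    and s32(peer.tcp_ts - tsval) > TCP_PAWS_WINDOW):
                return "drop"   # counted as PAWSPassiveRejected in /proc/net/netstat
        return "accept"


def nat_scenario(tw_recycle: bool) -> Dict[str, str]:
    """Constructed scenario: hosts A and B share NAT address 203.0.113.7.

    A's timestamp clock is far ahead of B's (they booted at different times)."""
    srv = TwRecycleServer(tw_recycle)
    nat_ip = "203.0.113.7"
    t = 1000.0

    # Host A connects; when the server side closes, A's last TSval is cached.
    a_first = srv.handle_syn(nat_ip, 40001, tsval=5_000_000, now=t)
    srv.connection_closed(nat_ip, last_tsval=5_000_200, now=t + 2)

    # Host B, on a different NAT port and with a much lower TSval, tries 5 s later.
    b_early = srv.handle_syn(nat_ip, 40002, tsval=12_345, now=t + 7)

    # Host A again: its clock is still ahead of the cached value, so it passes.
    a_again = srv.handle_syn(nat_ip, 40003, tsval=5_000_900, now=t + 8)

    # Host B once the cached stamp has aged past TCP_PAWS_MSL seconds.
    b_late = srv.handle_syn(nat_ip, 40004, tsval=13_000,
                            now=t + 2 + TCP_PAWS_MSL + 1)

    # A client that sends no timestamp option is never subject to the check.
    no_ts = srv.handle_syn(nat_ip, 40005, tsval=None, now=t + 9)

    return {"a_first": a_first, "b_early": b_early, "a_again": a_again,
            "b_late": b_late, "no_ts": no_ts}


if __name__ == "__main__":
    for flag in (True, False):
        print(f"tcp_tw_recycle={int(flag)}:", nat_scenario(flag))
```

With the flag on, only host B's early SYN is dropped; the different source port does not help it, because the lookup never sees the port. On a real box the symptom is a rising PAWSPassiveRejected counter in /proc/net/netstat while some clients behind the NAT time out. tcp_tw_recycle was removed entirely in Linux 4.12, so this applies to older kernels only.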


More information about the varnish-misc mailing list