2

Could you please advise what's this 'expire' time in the connections table:

```
# ipvsadm -lnc | head
IPVS connection entries
pro expire state       source             virtual            destination
TCP 07:17  ESTABLISHED CLIENT_IP:54799 VIP:443   REAL_SERVER_IP:443
```

I'm using Red Hat load balancer (DR with firewall marks, no persistence connections) and according to the docs the default value for TCP, TCP FIN and UDP time-out is 0; however, it looks like this expiry time is 15 minutes and there are many active connections - is it related to the `--set` parameters?

```
# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  80 wlc
  -> REAL_SERVER_1:80               Route   1      402        0
  -> REAL_SERVER_2:80              Route   1      404        1
  -> REAL_SERVER_3:80              Route   1      406        0
FWM  443 wlc
  -> REAL_SERVER_1:443              Route   1      2214       0
  -> REAL_SERVER_2:443             Route   1      2215       3
  -> REAL_SERVER_3:443             Route   1      2214       1
```
HTF

1 Answer

4

The timeouts from the command you listed can be adjusted with the `--set` command. You can retrieve the current values that are set with `ipvsadm -l --timeout`:

```
root@lb1:~# ipvsadm -l --timeout
Timeout (tcp tcpfin udp): 900 120 300
```

I don't have Red Hat Load Balancer running to test this myself but I suspect that the TCP timeout value will be perhaps 900 as well.

From reading the docs I don't think a timeout value of 0 actually means instant timeout. It seems like when `--set` is used and a value of 0 is given, it means no change. If the timeout value is exceptionally low you will run into issues with connections.

Tombart
gbe0
  • Thanks for your reply. You're right, the value is 900. Could you please elaborate more on the issue with connections with the low timeout value? – HTF Dec 13 '13 at 22:27
  • If you have a very low timeout the load balancer may end up killing open connections when it shouldn't. An example provided [here](http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.services.general.html#tcpip_idle_timeout) is telnet; if the load balancer closes the existing connection it would be quite annoying. For HTTP and HTTPS it isn't as much of a problem. The defaults should be fine for a reasonably large install; are you running into problems currently? – gbe0 Dec 14 '13 at 16:10
  • Thanks, I'm just trying to understand this :) so time-outs on the load balancer are just 'internal' and they are not related to time-outs on the real servers? I saw existing connections on the load balancer but they weren't available on the real server anymore. – HTF Dec 14 '13 at 19:19
  • The connections that you can see and change with ipvsadm are used so that the connection doesn't break between the load balancer and the real server. If you have two servers in the pool and the session on the load balancer times out after 1 second and I am using telnet, if I do nothing for a couple of seconds and then run a command the connection may appear on a different backend server and I will get disconnected. The connection may still be valid on the real backend server (as it wasn't closed) but that is assuming ipvs doesn't close the connection when it has a low timeout set. – gbe0 Dec 15 '13 at 04:51
  • From `ipvsadm` man values are for `TCP sessions, TCP sessions after a FIN, and UDP packets, respectively. A timeout value 0 means that the current timeout value of the corresponding entry is preserved.` – Antonio Bardazzi Nov 14 '16 at 16:20
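
The relationship between the `expire` column and the three `--set` timeouts discussed in this thread, as an added example that is not part of the original posts: the function converts each entry's `expire` value to seconds and, for the states governed by those timeouts, reports how long ago the entry's timer was last reset. It assumes IPVS re-arms the timer to the full state timeout on every packet; the function name and the sample addresses are constructed.

```shell
#!/bin/sh
# Constructed sample of `ipvsadm -l --timeout` output (values as in the answer).
TIMEOUT_SAMPLE='Timeout (tcp tcpfin udp): 900 120 300'

# Constructed sample of `ipvsadm -lnc` output; addresses are documentation ranges.
CONN_SAMPLE='IPVS connection entries
pro expire state       source             virtual            destination
TCP 07:17  ESTABLISHED 192.0.2.10:54799   203.0.113.5:443    198.51.100.11:443
TCP 14:58  ESTABLISHED 192.0.2.11:40112   203.0.113.5:443    198.51.100.12:443
TCP 01:03  FIN_WAIT    192.0.2.12:51234   203.0.113.5:80     198.51.100.11:80
TCP 00:45  SYN_RECV    192.0.2.13:39000   203.0.113.5:80     198.51.100.13:80'

# ipvs_idle TIMEOUT_LINE CONN_TABLE  (hypothetical helper name)
# Prints "source state expire_seconds idle_seconds" per connection entry.
# idle_seconds = state timeout - expire. Only ESTABLISHED (tcp), FIN_WAIT
# (tcpfin) and UDP (udp) are mapped; other states use timeouts that
# --set does not control, so their idle time is reported as "unknown".
ipvs_idle() {
    printf '%s\n' "$2" | awk -v tl="$1" '
    BEGIN {
        sub(/^.*: */, "", tl)      # keep only the three numbers
        split(tl, t, " ")          # t[1]=tcp  t[2]=tcpfin  t[3]=udp
    }
    $1 != "TCP" && $1 != "UDP" { next }   # skip the two header lines
    {
        n = split($2, e, ":")      # expire is printed as mm:ss
        secs = 0
        for (i = 1; i <= n; i++) secs = secs * 60 + e[i]
        if ($1 == "UDP")               limit = t[3]
        else if ($3 == "ESTABLISHED")  limit = t[1]
        else if ($3 == "FIN_WAIT")     limit = t[2]
        else                           limit = -1
        if (limit < 0) printf "%s %s %d unknown\n", $4, $3, secs
        else           printf "%s %s %d %d\n", $4, $3, secs, limit - secs
    }'
}

# On a live director (as root):
#   ipvs_idle "$(ipvsadm -l --timeout)" "$(ipvsadm -lnc)"
ipvs_idle "$TIMEOUT_SAMPLE" "$CONN_SAMPLE"
```

An `ESTABLISHED` entry with a large idle figure is one the director is still holding although no packet has matched it for that long, which is the situation described in the comments where the real server had already dropped the connection.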