2

I'm attempting to reduce the amount of time a connection is in the TIME_WAIT state by setting tcp_fin_timeout detailed here:

root:~# sysctl -w net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_fin_timeout = 30

However, this setting does not appear to affect anything. When I look at the netstat of the machine, the connections still wait the default 60s:

root:~# watch netstat -nato
tcp        0      0 127.0.0.1:34185         127.0.0.1:11209         TIME_WAIT   timewait (59.14/0/0)
tcp        0      0 127.0.0.1:34190         127.0.0.1:11209         TIME_WAIT   timewait (59.14/0/0)

Is there something I'm missing? The machine is running Ubuntu 14.04.1.

SMuz

1 Answer

6

Your link is urban myth. The actual function of net.ipv4.tcp_fin_timeout is as follows:

This specifies how many seconds to wait for a final FIN packet before the socket is forcibly closed. This is strictly a violation of the TCP specification, but required to prevent denial-of-service attacks. In Linux 2.2, the default value was 180.

This doesn't have anything to do with TIME_WAIT. It establishes a timeout for a socket in FIN_WAIT_1, after which the connection is reset (which bypasses TIME_WAIT altogether). This is a DOS measure, as stated, and should never arise in a correctly written client-server application. You don't want to set it so low that ordinary connections are reset: you will lose data. You don't want to fiddle with it at all, actually.

The correct way to reduce TIME_WAIT states is given here.

user207421
  • How does one find the value for TIME_WAIT that's currently being used? I couldn't find the info on the linked answer. Thanks. – flow2k May 23 '18 at 22:39
  • It is 2*MSL, which is either 2 or 4 minutes, I forget which. Some OSes may provide a way to tune it, but doing so is not the answer. Reversing who gets into the state is the answer. – user207421 Apr 03 '22 at 06:44
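
Added example, not part of the original question, answer or comments: a small Python parser for `netstat -nato` output that reports, per service port, which side is accumulating TIME_WAIT sockets, which is the thing the last comment says to reverse. It relies on the TCP rule that the end sending the first FIN is the one that enters TIME_WAIT; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the column layout of `netstat -nato` (not from a real host).
SAMPLE = """\
tcp        0      0 0.0.0.0:11209           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:34185         127.0.0.1:11209         TIME_WAIT   timewait (59.14/0/0)
tcp        0      0 127.0.0.1:34190         127.0.0.1:11209         TIME_WAIT   timewait (12.80/0/0)
tcp        0      0 10.0.0.5:443            10.0.0.9:51522          TIME_WAIT   timewait (30.02/0/0)
tcp        0      0 127.0.0.1:11209         127.0.0.1:34201         ESTABLISHED off (0.00/0/0)
"""

# proto recv-q send-q local:port remote:port state timer (remaining/retries/probes)
LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\w+)\s+\(([\d.]+)/"
)

def parse(text):
    """Yield (local_port, remote_port, state, seconds_left) per TCP line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(2), m.group(4), m.group(5), float(m.group(7))

def who_closed_first(text):
    """Count TIME_WAIT sockets per (service_port, side that closed first)."""
    rows = list(parse(text))
    services = {int(lp) for lp, _, state, _ in rows if state == "LISTEN"}
    tally = Counter()
    for lp, rp, state, _ in rows:
        if state != "TIME_WAIT":
            continue
        # A TIME_WAIT socket is held by the end that closed first. If its local
        # port is one we listen on, the server closed; otherwise the client did.
        if int(lp) in services:
            tally[(int(lp), "server closed first")] += 1
        else:
            tally[(int(rp), "client closed first")] += 1
    return tally

def longest_remaining(text):
    """Largest TIME_WAIT countdown seen, in seconds (0.0 if none)."""
    return max((s for _, _, st, s in parse(text) if st == "TIME_WAIT"), default=0.0)

if __name__ == "__main__":
    for (port, side), n in sorted(who_closed_first(SAMPLE).items()):
        print(f"port {port}: {n} TIME_WAIT, {side}")
    print(f"longest countdown: {longest_remaining(SAMPLE):.2f}s")
```

Feeding it the real output of `netstat -nato` from the affected host shows whether the TIME_WAIT entries sit on the client's ephemeral ports, as in the question's two lines, or on the listening port.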