TCP Active open, Passive open, Active close, Passive close
**********************************************************************************
Disclaimer: The information shared on this blog is for general informational purposes only and reflects personal views or experiences in technology. While I strive for accuracy, I cannot guarantee that all content is current or error-free. I am not liable for any loss or damage resulting from the use of this information. Please verify independently before acting on any advice.
**********************************************************************
The parameter: tcp_max_syn_backlog is used to decide how many passive open connections a socket can have, before further connection requests are dropped.
Passive open is established via the listen() syscall and usually has a backlog parameter.
How this queue of incoming connection requests are maintained is a matter of library and kernel implementation.
Because of the 3-way handshake used by TCP, an incoming connection goes through an intermediate state SYN RECEIVED before it reaches the ESTABLISHED state and can be returned by the
Note that Stevens actually explains that the BSD implementation does use two separate queues, but they behave as a single queue with a fixed maximum size determined by (but not necessary exactly equal to) the
The interesting question is now how such an implementation behaves if the accept queue is full and a connection needs to be moved from the SYN queue to the accept queue, i.e. when the ACK packet of the 3-way handshake is received. This case is handled by the
To summarize, if the TCP implementation in Linux receives the ACK packet of the 3-way handshake and the accept queue is full, it will basically ignore that packet. At first, this sounds strange, but remember that there is a timer associated with the SYN RECEIVED state: if the ACK packet is not received (or if it is ignored, as in the case considered here), then the TCP implementation will resend the SYN/ACK packet (with a certain number of retries specified by /proc/sys/net/ipv4/tcp_synack_retries and using an exponential backoff algorithm).
Since the TCP implementation on the client side gets multiple SYN/ACK packets, it will assume that the ACK packet was lost and resend it (see the lines with
The packet trace also shows another interesting aspect of this behavior. From the point of view of the client, the connection will be in state ESTABLISHED after reception of the first SYN/ACK. If it sends data (without waiting for data from the server first), then that data will be retransmitted as well. Fortunately TCP slow-start should limit the number of segments sent during this phase.
On the other hand, if the client first waits for data from the server and the server never reduces the backlog, then the end result is that on the client side, the connection is in state ESTABLISHED, while on the server side, the connection is considered CLOSED. This means that we end up with a half-open connection!
There is one other aspect that we didn’t discuss yet. The quote from the
/* Accept backlog is full. If we have already queued enough * of warm entries in syn queue, drop request. It is better than * clogging syn queue with openreqs with exponentially increasing * timeout. */
What this means is that if the accept queue is full, then the kernel will impose a limit on the rate at which SYN packets are accepted. If too many SYN packets are received, some of them will be dropped. In this case, it is up to the client to retry sending the SYN packet and we end up with the same behavior as in BSD derived implementations.
To conclude, let’s try to see why the design choice made by Linux would be superior to the traditional BSD implementation. Stevens makes the following interesting point:
ACTIVE CLOSE:
As You can see The side that does an Active Close is the one sending the FIN packet.
It immediately goes into the FIN_WAIT1 state, where it is waiting for the ACK from the peer.
After receiving an ACK, it moves to the FIN_WAIT2 state where it is expecting a FIN from a similar active close by the peer. It then sends an ACK to the peer and moves to TIME_WAIT state.
Both the peers enter the TIME-WAIT state, which is basically a fail safe for future connections to not accept packets from a previous connection still floating in the network.
The peer doing a passive close enters a CLOSE_WAIT state before going to a active close. When you write a program communicating over TCP, you should detect when the connection was closed by the remote host and close the socket appropriately. If you fail to do this the socket will stay in the CLOSE_WAIT until the process itself disappears.
CLOSE_WAIT means the operating system knows that the remote application has closed the connection and waits for the local application to also do so. So you shouldn’t try and tune the TCP parameters to solve this but check the application owning the connection on the local host. Since there is no CLOSE_WAIT timeout, a connection can stay in this state forever (or at least until the program does eventually close the connection or the process exists or is killed).
If you cannot fix the application or have it fixed, the solution is to kill the process holding the connection open. Of course, there is still a risk of losing data since the local end-point may still send data it has in a buffer. Also, if many applications run in the same process (as it is the case for Java Enterprise applications), killing the owning process is not always an option.
I haven’t ever tried to force closing of a CLOSE_WAIT connection using tcpkill, killcx or cutter but if you can’t kill or restart the process holding the connection, it might be an option.
Disclaimer: The information shared on this blog is for general informational purposes only and reflects personal views or experiences in technology. While I strive for accuracy, I cannot guarantee that all content is current or error-free. I am not liable for any loss or damage resulting from the use of this information. Please verify independently before acting on any advice.
**********************************************************************
The parameter: tcp_max_syn_backlog is used to decide how many passive open connections a socket can have, before further connection requests are dropped.
Passive open is established via the listen() syscall and usually has a backlog parameter.
The backlog argument defines the maximum length to which the queue of
pending connections for sockfd may grow. If a connection request
arrives when the queue is full, the client may receive an error with
an indication of ECONNREFUSED or, if the underlying protocol supports
retransmission, the request may be ignored so that a later reattempt
at connection succeeds.
How this queue of incoming connection requests are maintained is a matter of library and kernel implementation.
Because of the 3-way handshake used by TCP, an incoming connection goes through an intermediate state SYN RECEIVED before it reaches the ESTABLISHED state and can be returned by the
accept syscall
to the application (see the part of the TCP state diagram reproduced above). This
means that a TCP/IP stack has two options to implement the backlog queue for a socket in LISTEN state:
-
The implementation uses a single queue, the size of which is determined by the
backlogargument of thelistensyscall. When a SYN packet is received, it sends back a SYN/ACK packet and adds the connection to the queue. When the corresponding ACK is received, the connection changes its state to ESTABLISHED and becomes eligible for handover to the application. This means that the queue can contain connections in two different state: SYN RECEIVED and ESTABLISHED. Only connections in the latter state can be returned to the application by theacceptsyscall.
-
The implementation uses two queues, a SYN queue (or incomplete connection queue) and an accept queue (or complete
connection queue). Connections in state SYN RECEIVED are added to the SYN queue and later moved to the accept queue when
their state changes to ESTABLISHED, i.e. when the ACK packet in the 3-way handshake is received. As the name implies, the
acceptcall is then implemented simply to consume connections from the accept queue. In this case, thebacklogargument of thelistensyscall determines the size of the accept queue.
listen Backlog Queue in W. Richard Stevens’ classic textbook TCP/IP Illustrated, Volume 3.Note that Stevens actually explains that the BSD implementation does use two separate queues, but they behave as a single queue with a fixed maximum size determined by (but not necessary exactly equal to) the
backlog argument, i.e. BSD
logically behaves as described in option 1:The queue limit applies to the sum of […] the number of entries on the incomplete connection queue […] and […] the number of entries on the completed connection queue […].On Linux, things are different, as mentioned in the man page of the
listen syscall:The behavior of theThis means that current Linux versions use the second option with two distinct queues: a SYN queue with a size specified by a system wide setting and an accept queue with a size specified by the application.backlogargument on TCP sockets changed with Linux 2.2. Now it specifies the queue length for completely established sockets waiting to be accepted, instead of the number of incomplete connection requests. The maximum length of the queue for incomplete sockets can be set using/proc/sys/net/ipv4/tcp_max_syn_backlog.
The interesting question is now how such an implementation behaves if the accept queue is full and a connection needs to be moved from the SYN queue to the accept queue, i.e. when the ACK packet of the 3-way handshake is received. This case is handled by the
tcp_check_req function in net/ipv4/tcp_minisocks.c. The relevant code reads:To summarize, if the TCP implementation in Linux receives the ACK packet of the 3-way handshake and the accept queue is full, it will basically ignore that packet. At first, this sounds strange, but remember that there is a timer associated with the SYN RECEIVED state: if the ACK packet is not received (or if it is ignored, as in the case considered here), then the TCP implementation will resend the SYN/ACK packet (with a certain number of retries specified by /proc/sys/net/ipv4/tcp_synack_retries and using an exponential backoff algorithm).
Since the TCP implementation on the client side gets multiple SYN/ACK packets, it will assume that the ACK packet was lost and resend it (see the lines with
TCP Dup ACK in the above trace). If the application on the server side reduces
the backlog (i.e. consumes an entry from the accept queue) before the maximum number of SYN/ACK retries has been reached,
then the TCP implementation will eventually process one of the duplicate ACKs, transition the state of the connection from
SYN RECEIVED to ESTABLISHED and add it to the accept queue. Otherwise, the client will eventually get a RST packet (as in
the sample shown above).The packet trace also shows another interesting aspect of this behavior. From the point of view of the client, the connection will be in state ESTABLISHED after reception of the first SYN/ACK. If it sends data (without waiting for data from the server first), then that data will be retransmitted as well. Fortunately TCP slow-start should limit the number of segments sent during this phase.
On the other hand, if the client first waits for data from the server and the server never reduces the backlog, then the end result is that on the client side, the connection is in state ESTABLISHED, while on the server side, the connection is considered CLOSED. This means that we end up with a half-open connection!
There is one other aspect that we didn’t discuss yet. The quote from the
listen man page suggests that every SYN packet
would result in the addition of a connection to the SYN queue (unless that queue is full). That is not exactly how things work.
The reason is the following code in the tcp_v4_conn_request function (which does the processing of SYN packets) in
net/ipv4/tcp_ipv4.c/* Accept backlog is full. If we have already queued enough * of warm entries in syn queue, drop request. It is better than * clogging syn queue with openreqs with exponentially increasing * timeout. */
What this means is that if the accept queue is full, then the kernel will impose a limit on the rate at which SYN packets are accepted. If too many SYN packets are received, some of them will be dropped. In this case, it is up to the client to retry sending the SYN packet and we end up with the same behavior as in BSD derived implementations.
To conclude, let’s try to see why the design choice made by Linux would be superior to the traditional BSD implementation. Stevens makes the following interesting point:
The backlog can be reached if the completed connection queue fills (i.e., the server process or the server host is so busy that the process cannot callacceptfast enough to take the completed entries off the queue) or if the incomplete connection queue fills. The latter is the problem that HTTP servers face, when the round-trip time between the client and server is long, compared to the arrival rate of new connection requests, because a new SYN occupies an entry on this queue for one round-trip time. […]
The completed connection queue is almost always empty because when an entry is placed on this queue, the server’s call toacceptreturns, and the server takes the completed connection off the queue.
The solution suggested by Stevens is simply to increase the backlog. The problem with this is that it assumes that an
application is expected to tune the backlog not only taking into account how it intents to process newly established incoming
connections, but also in function of traffic characteristics such as the round-trip time. The implementation in Linux
effectively separates these two concerns: the application is only responsible for tuning the backlog such that it can call
accept fast enough to avoid filling the accept queue); a system administrator can then tune
/proc/sys/net/ipv4/tcp_max_syn_backlog based on traffic characteristics.ACTIVE CLOSE:
As You can see The side that does an Active Close is the one sending the FIN packet.
It immediately goes into the FIN_WAIT1 state, where it is waiting for the ACK from the peer.
After receiving an ACK, it moves to the FIN_WAIT2 state where it is expecting a FIN from a similar active close by the peer. It then sends an ACK to the peer and moves to TIME_WAIT state.
Both the peers enter the TIME-WAIT state, which is basically a fail safe for future connections to not accept packets from a previous connection still floating in the network.
The peer doing a passive close enters a CLOSE_WAIT state before going to a active close. When you write a program communicating over TCP, you should detect when the connection was closed by the remote host and close the socket appropriately. If you fail to do this the socket will stay in the CLOSE_WAIT until the process itself disappears.
CLOSE_WAIT means the operating system knows that the remote application has closed the connection and waits for the local application to also do so. So you shouldn’t try and tune the TCP parameters to solve this but check the application owning the connection on the local host. Since there is no CLOSE_WAIT timeout, a connection can stay in this state forever (or at least until the program does eventually close the connection or the process exists or is killed).
If you cannot fix the application or have it fixed, the solution is to kill the process holding the connection open. Of course, there is still a risk of losing data since the local end-point may still send data it has in a buffer. Also, if many applications run in the same process (as it is the case for Java Enterprise applications), killing the owning process is not always an option.
I haven’t ever tried to force closing of a CLOSE_WAIT connection using tcpkill, killcx or cutter but if you can’t kill or restart the process holding the connection, it might be an option.