Timeout Values for Connection Tracking Records


When network communication between a client computer and a real server (cluster node) is no longer active, the connection tracking record is marked to expire using the timeout value stored in that record. In other words, for services like telnet that use the TCP protocol, the Director holds the connection tracking record in memory as long as the TCP connection is in the ESTABLISHED state and packets are still arriving from the client computer; when the TCP connection drops, the record's timeout value is set so that the record will eventually be removed from the connection tracking table.

LVS also uses a larger connection tracking timeout value for all connection tracking records in the hash table so that it can remove connections that remain unused for a long period of time.

Note

The kernel also has TCP session timeout values, but they are much larger than the values imposed by LVS. For example, the ESTABLISHED TCP connection timeout value is five days in the 2.4 kernel. See the kernel source code file ip_conntrack_proto_tcp.c for a complete list and the default values used by the kernel.

LVS has three important timeout values for expiring connection tracking records:

  • A timeout value for idle TCP sessions.

  • A timeout value for TCP sessions after the client computer has closed the connection (a FIN packet was received from the client computer).[7]

  • A timeout value for UDP packets. Because UDP is a connectionless protocol, the LVS Director expires UDP connection tracking records if another packet from the client computer is not received within an arbitrary timeout period.

Note

To see the default values for these timers on a 2.4 series kernel, look at the contents of the timeout_* files in the /proc/sys/net/ipv4/vs/ directory.[8] As of this writing, these files are not implemented in the 2.6 kernel; they are being replaced by setsockopt controls managed through ipvsadm. See the latest version of the ipvsadm man page for details.

These three timeout values can be modified by specifying the number of seconds to use for each timer using the --set argument of the ipvsadm command. All three values must be specified when you use the --set argument, so the command:

 # ipvsadm --set 28800 30 36000

sets the connection tracking record timeout values to: 8 hours for established but idle TCP sessions, 30 seconds for TCP sessions after a FIN packet is received, and 10 minutes for each UDP packet.[9]

To implement these timeouts, LVS uses two tables: a connection timeout table called ip_vs_timeout_table and a connection state table called tcp_states. When you use ipvsadm to modify timeout values as shown in the previous example, the changes are applied to all current and future connections tracked by LVS inside the Director's kernel using these two tables.

Note

If you set /proc/sys/net/ipv4/vs/secure_tcp to a nonzero value, LVS uses a different pair of tables to implement timeouts called vs_timeout_table_dos and vs_tcp_states_dos. You must, therefore, reissue the ipvsadm command to set timeout values whenever you enable or disable secure_tcp.
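The --set procedure above, together with the secure_tcp caveat, as an added shell example that is not from the book: it validates the three values (all three are required, and 0 means "use the default"), applies them, reads them back with ipvsadm -L --timeout, and warns when secure_tcp is on. The IPVSADM and SECURE_TCP_FILE variables and the "Timeout (tcp tcpfin udp): N N N" line format are assumptions, so the helper functions can be exercised without a Director.

```shell
# Added example, not from the book. IPVSADM and SECURE_TCP_FILE are
# overridable assumptions; the read-back line format is also assumed:
#   Timeout (tcp tcpfin udp): 900 120 300
IPVSADM=${IPVSADM:-ipvsadm}
SECURE_TCP_FILE=${SECURE_TCP_FILE:-/proc/sys/net/ipv4/vs/secure_tcp}

# True only for a non-negative integer; 0 is allowed because it means
# "use the default" (not infinity).
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}
# --set takes exactly three values (tcp, tcpfin, udp), so refuse anything else.
check_timeouts() {
    [ $# -eq 3 ] || return 1
    for v in "$@"; do is_uint "$v" || return 1; done
    return 0
}

# Pull "tcp tcpfin udp" out of the ipvsadm -L --timeout line.
parse_timeout_line() {
    printf '%s\n' "$1" |
      sed -n 's/^Timeout (tcp tcpfin udp): *\([0-9]*\) *\([0-9]*\) *\([0-9]*\).*/\1 \2 \3/p'
}

# Compare requested values with what was read back. A requested 0 is
# skipped: the kernel substitutes its default, so it never reads back as 0.
timeouts_match() {
    want_tcp=$1; want_fin=$2; want_udp=$3
    set -- $4
    [ $# -eq 3 ] || return 1
    for pair in "$want_tcp:$1" "$want_fin:$2" "$want_udp:$3"; do
        want=${pair%%:*}; got=${pair#*:}
        [ "$want" -eq 0 ] || [ "$want" -eq "$got" ] || return 1
    done
    return 0
}

# Apply, verify, and warn when secure_tcp is on (timeouts then live in the
# *_dos tables and must be reissued whenever secure_tcp is toggled).
lvs_set_timeouts() {
    check_timeouts "$@" || { echo "usage: lvs_set_timeouts TCP TCPFIN UDP" >&2; return 2; }
    "$IPVSADM" --set "$1" "$2" "$3" || return 1
    got=$(parse_timeout_line "$("$IPVSADM" -L --timeout)")
    timeouts_match "$1" "$2" "$3" "$got" || { echo "read back: $got" >&2; return 1; }
    if [ -r "$SECURE_TCP_FILE" ] && [ "$(cat "$SECURE_TCP_FILE")" != 0 ]; then
        echo "secure_tcp is on: reissue these values whenever it is toggled" >&2
    fi
    echo "timeouts (tcp tcpfin udp): $got"
}
```

Run `lvs_set_timeouts 28800 30 36000` as root on the Director; a non-zero exit means the values did not take effect as requested.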

We will discuss another timer that the Director uses to return a client computer's request for service to the same real server, called the persistence timeout, shortly. But first, let's look at how the Director handles packets going in the other direction: from the cluster node to the client computer.

[7]For a discussion of TCP states and the FIN packet, see RFC 793.

[8]The values in this directory are only used on 2.4 kernels and only if /proc/sys/net/ipv4/vs/secure_tcp is nonzero. Additional timers and variables that you find in this directory are documented on the sysctl page at the LVS website (currently at http://www.linuxvirtualserver.org/docs/sysctl.html). These sysctl variables are normally only modified to improve security when building a public web cluster susceptible to a DoS attack.

[9]A value of 0 indicates that the default value should be used (it does not represent infinity).



The Linux Enterprise Cluster: Build a Highly Available Cluster with Commodity Hardware and Free Software
Author: Karl Kopper
ISBN: 1593270364
Year: 2003
Pages: 219