(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version

Keep in touch (tcp keepalives etc.)

February 2006

You can't please everyone, so you got to please yourself..(Ricky Nelson)

I don't imagine Ricky Nelson was thinking about tcp timeouts and keepalives in the 70's, and probably isn't still, but the subject comes up fairly often for me and never fails to be annoying.

Annoying? OK, maybe confusing is the better choice. This is one of those areas where the cure can be worse than the disease and where discussions by tcp programmers can get acrid and heated. The biggest problem is that users often really don't know what they want, and if they do know, it probably shouldn't have anything to do with the tcp stack, but next thing you know somebody is changing kernel level values, and probably not getting the results they expected.

Typically it starts on one side or the other of the basic question, which is "when should a connection to another machine be dropped?". The other side has gone away, lost its mind (or at least its network connection) or maybe some router in between the two of you is misbehaving. Whatever. Packets that should be flowing between you and X are not, and you want something done about it now. It is absolutely critical that you be aware of this connection problem immediately so that you can take action to fix it. That's one side. The other side is that you got disconnected from machine X because there was some stupid momentary glitch and that's not what you want to happen: it's critical that your process remain connected so that it doesn't have to restart processing whatever data it was chewing on.

Ricky should sing the chorus now.

So what is poor tcp to do? Break the connection at the first sign of trouble or hang in there waiting for it to come back? Most TCP implementations have "keepalives": (from http://www.ietf.org/rfc/rfc1122.txt)

            Implementors MAY include "keep-alives" in their TCP
            implementations, although this practice is not universally
            accepted.  If keep-alives are included, the application MUST
            be able to turn them on or off for each TCP connection, and
            they MUST default to off.

            Keep-alive packets MUST only be sent when no data or
            acknowledgement packets have been received for the
            connection within an interval.  This interval MUST be
            configurable and MUST default to no less than two hours.

So, if we look in /proc/sys/net/ipv4 on a recent Linux box, we'll find three items related to this:

$ ls -l *keep*
-rw-r--r--    1 root     root            0 Feb  8 07:04 tcp_keepalive_intvl
-rw-r--r--    1 root     root            0 Feb  8 07:04 tcp_keepalive_probes
-rw-r--r--    1 root     root            0 Feb  8 07:04 tcp_keepalive_time
$ cat *keep*
75
9
7200

That says wait 7200 seconds before sending a keepalive probe, then send up to 9 at 75 second intervals. Add that all up and it's 2 hours, 11 minutes and 15 seconds before tcp decides the connection is dead.

Depending upon what you had in mind, that may be far too long or far too short. If I put my Mac to sleep for half an hour while I have lunch, I don't want my ssh connnection dropped. On the other hand, if I have an application that needs fresh data from that server every fifteen minutes, I don't want to wait two hours to find out I have a problem.

Ricky? Could we have that chorus one more time?

While you can easily muck with tcp's idea of proper values for these keepalive parameters, the reality is that these are application problems, and the applications should deal with them. Each application has its own needs, and should set its own criteria.

How much control you have varies. The Linux telnet daemon normally does keepalives, but can be told not to by adding "-n" to its startup parameters:

$ cat /etc/xinetd.d/*telnet*
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
#              but can also use Kerberos 5 authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream        
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        server_args     = -n
        log_on_failure  += USERID
}

SCO's telnet daemon has much more control than just on or off: (from http://docsrv.sco.com:507/en/man/html.ADMN/telnetd.ADMN.html)

Transport-level keepalive messages are enabled unless the -n option
is present. The use of keepalive messages allows sessions to be
timed out if the client crashes or becomes unreachable.

If keepalives are being used, several parameters may be controlled
using the following options:


-k n
    The argument n specifies the time (in seconds) that a connection
    must be idle before the first keepalive probe will be sent.

-K n
    The argument n specifies the interval (in seconds) between
    keepalive probes if no response is received.

-N n
    The argument n specifies the number of unanswered keepalive
    probes that will be sent prior to dropping the connection.

That's handy. Sshd can turn keepalives on or off in its sshd_config file, but what's often forgotten is that the client is permitted to set its own behavior through ssh_config or at invocation:

ssh  -o TCPKeepAlive=no foo.foo.com

SSH2 also has an encrypted form of keepalives that go through the tunnel: (from man ssh_config)

     ServerAliveInterval
             Sets a timeout interval in seconds after which if no data has
             been received from the server, ssh will send a message through
             the encrypted channel to request a response from the server.  The
             default is 0, indicating that these messages will not be sent to
             the server.  This option applies to protocol version 2 only.

     ServerAliveCountMax
             Sets the number of server alive messages (see above) which may be
             sent without ssh receiving any messages back from the server.  If
             this threshold is reached while server alive messages are being
             sent, ssh will disconnect from the server, terminating the ses-
             sion.  It is important to note that the use of server alive mes-
             sages is very different from TCPKeepAlive (below).  The server
             alive messages are sent through the encrypted channel and there-
             fore will not be spoofable.  The TCP keepalive option enabled by
             TCPKeepAlive is spoofable.  The server alive mechanism is valu-
             able when the client or server depend on knowing when a connec-
             tion has become inactive.

             The default value is 3.  If, for example, ServerAliveInterval
             (above) is set to 15, and ServerAliveCountMax is left at the
             default, if the server becomes unresponsive ssh will disconnect
             after approximately 45 seconds.

Let's try that:

$ date;ssh  -o TCPKeepAlive=no -o ServerAliveInterval=15 tony@foo;date
Wed Feb  8 07:48:53 EST 2006
(unplug network cable here)
[tony@foo tony]$ Disconnecting: Timeout, server not responding.
Wed Feb  8 07:50:12 EST 2006
$

Pretty close. But it's seldom so easy or definite. When you combine system level timouts with application level mechanisms, and both the client and the server are doimg their own thing, determining when and how a session will time out can become very confusing, and getting the precise behavior you want can be frustrating if you don't have control over both sides of the application.

Click here to add your comments

Don't miss responses! Subscribe to Comments by RSS or by Email

Click here to add your comments

If you want a picture to show with your comment, go get a Gravatar

Why no "Digg this!" etc.?

Take Control of Sharing Files in Snow Leopard

Take Control of Exploring & Customizing Snow Leopard

Printer Friendly Version

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.

Printer Friendly Version

book graphic unix and linux troubleshooting guide

My Troubleshooting E-Book will show you how to solve tough problems on Linux and Unix systems!

I sell and support
Kerio Mail server

More:

- Networking

Unix/Linux Consultants

Skills Tests

Guest Post Here

My Favorites