Re: [squid-users] How to disable Squid sending SYN packets to destination?

From: Jim Binder <jbinder_at_cyphort.com>
Date: Sat, 23 Apr 2011 10:29:47 -0700

15000/min is 250 connections per second... Well within reason for any normal system.

Some things you can play with from a tcp tuning perspective are:

net.ipv4.tcp_max_syn_backlog=10000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_max_tw_buckets=250000
net.ipv4.tcp_fin_timeout=30

More details on them:

http://www.speedguide.net/articles/linux-tweaking-121

James S. Binder
Vice President, Engineering
Cyphort Inc.
250 Middlefield Road
Menlo Park, CA 94025

jbinder_at_cyphort.com
www.cyphort.com
408.761.1403 (cell)

The information contained in this e-mail message and any attachments thereto is intended only for the personal and confidential use of the recipient(s) named above. This message may be under the terms of a Mutual Non-Disclosure Agreement communication and/or work product and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete this original message.

On Apr 23, 2011, at 9:53 AM, Hasanen AL-Bana wrote:

> Yeah but what to do when you have a very loaded squid server with more
> than 15000 req/min ...you will notice in /var/log/messages that kernel
> is sending syn cookies and slowing down requests coming to port 3128 !
>
> On Sat, Apr 23, 2011 at 7:51 PM, Jim Binder <jbinder_at_cyphort.com> wrote:
>> syn cookies are a feature of the tcp stack to delay setting up full tcp state to avoid resource starvation and to avoid syn floods (lots of SYNs never completed, freezing out good new connections).
>>
>> James S. Binder
>>
>> 408.761.1403 (cell)
>>
>>
>>
>>
>> On Apr 23, 2011, at 9:02 AM, Marcus Kool <marcus.kool_at_urlfilterdb.com> wrote:
>>
>>> When a TCP connection is established, TCP SYN packets are exchanged.
>>> Blocking SYN packets is the same as blocking all TCP traffic.
>>>
>>>
>>> Andreas Braathen wrote:
>>>> I tried it, but it did not change anything. Squid still sends SYN packets to establish state with destination.
>>>> Any other suggestions?
>>>>> edit /etc/sysctl.conf
>>>>> change net.ipv4.tcp_syncookies=1 to net.ipv4.tcp_syncookies=0 and
>>>>> reboot. don't forget to remove the # from the beginning of the line.
>>>>>
>>>>> On Sat, Apr 23, 2011 at 5:39 PM, Andreas Braathen
>>>>> <andreas.braathen_at_andtux.net> wrote:
>>>>>> Squid is sending SYN packets to destination when receiving GET request from internal hosts. I want Squid to forward the GET request. How is this possible?
>>>>>>
>>
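Added example, not part of the thread and not Squid code: a small Python audit that reads the four sysctls Jim suggests from /proc/sys, reports which ones sit below (or, for tcp_fin_timeout, above) the suggested values, and counts how often the kernel reported SYN-cookie activation per port in /var/log/messages style lines like the ones Hasanen mentions. The sample log lines and "current" sysctl values are constructed for illustration; the regex assumes the kernel's "possible SYN flooding on port N. Sending cookies." wording.

```python
"""Audit the TCP tuning sysctls suggested in the thread and count
SYN-cookie events in kernel log lines (added example, not from the thread)."""
import re
from pathlib import Path

# The four values Jim suggests in the post above. Treat them as a starting
# point for a busy proxy, not as universally correct numbers.
RECOMMENDED = {
    "net.ipv4.tcp_max_syn_backlog": 10000,
    "net.ipv4.tcp_tw_reuse": 1,
    "net.ipv4.tcp_max_tw_buckets": 250000,
    "net.ipv4.tcp_fin_timeout": 30,
}

# Assumed kernel wording for SYN-cookie activation; case-insensitive so it
# also matches kernels that capitalise "Possible".
SYN_COOKIE_RE = re.compile(
    r"possible SYN flooding on port (\d+)\.\s*Sending cookies", re.IGNORECASE
)

# Constructed sample of /var/log/messages lines; not real log output.
SAMPLE_MESSAGES = """\
Apr 23 09:40:01 proxy kernel: possible SYN flooding on port 3128. Sending cookies.
Apr 23 09:40:12 proxy squid[2211]: Starting Squid Cache version 3.1 ...
Apr 23 09:41:07 proxy kernel: possible SYN flooding on port 3128. Sending cookies.
Apr 23 09:41:30 proxy kernel: possible SYN flooding on port 8080. Sending cookies.
"""

# Constructed "current" values, as if read from a stock kernel; not real.
SAMPLE_SYSCTL = {
    "net.ipv4.tcp_max_syn_backlog": 1024,
    "net.ipv4.tcp_tw_reuse": 0,
    "net.ipv4.tcp_max_tw_buckets": 262144,
    "net.ipv4.tcp_fin_timeout": 60,
}


def read_sysctl(key, root=Path("/proc/sys")):
    """Read one integer sysctl via /proc/sys; None if it cannot be read."""
    path = root.joinpath(*key.split("."))
    try:
        return int(path.read_text().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def audit(current, recommended=RECOMMENDED):
    """Compare {key: value} against the recommended values.

    Returns a list of (key, have, want, verdict). Direction matters:
    backlog and TIME-WAIT bucket counts should be at least the suggested
    value, tcp_fin_timeout at most, and tcp_tw_reuse exactly 1.
    """
    findings = []
    for key, want in recommended.items():
        have = current.get(key)
        if have is None:
            verdict = "unknown"
        elif key == "net.ipv4.tcp_fin_timeout":
            verdict = "ok" if have <= want else "too-high"
        elif key == "net.ipv4.tcp_tw_reuse":
            verdict = "ok" if have == want else "too-low"
        else:
            verdict = "ok" if have >= want else "too-low"
        findings.append((key, have, want, verdict))
    return findings


def count_syn_cookie_events(lines):
    """Return {port: count} of SYN-cookie activations found in log lines."""
    counts = {}
    for line in lines:
        m = SYN_COOKIE_RE.search(line)
        if m:
            port = int(m.group(1))
            counts[port] = counts.get(port, 0) + 1
    return counts


if __name__ == "__main__":
    # Use live values when /proc/sys is readable, else the constructed sample.
    live = {k: read_sysctl(k) for k in RECOMMENDED}
    current = live if all(v is not None for v in live.values()) else SAMPLE_SYSCTL
    for key, have, want, verdict in audit(current):
        print(f"{key:<32} current={have!s:<8} suggested={want:<8} {verdict}")
    for port, n in sorted(count_syn_cookie_events(SAMPLE_MESSAGES.splitlines()).items()):
        print(f"port {port}: SYN cookies sent {n} time(s) in sample log")
```

Run it on the proxy host before and after editing /etc/sysctl.conf; `sysctl -p` reloads the file without the reboot suggested earlier in the thread. Two caveats on the knobs themselves: net.ipv4.tcp_tw_reuse only affects connections the host itself opens (Squid's side towards origin servers, not the client side on port 3128), and net.ipv4.tcp_fin_timeout bounds orphaned FIN-WAIT-2 sockets rather than the TIME-WAIT duration, so a repeated "Sending cookies" line for port 3128 points at the listen backlog, not at those two settings.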
Received on Sat Apr 23 2011 - 17:29:52 MDT

This archive was generated by hypermail 2.2.0 : Sat Apr 23 2011 - 12:00:04 MDT