On Mon, Aug 12, 2013 at 08:25:44PM +0000, Maximilian Herrmann wrote:
> I'm currently having issues with my Varnish load balancers. For some users,
> the access to our site is very slow, for others it isn't reachable.
> I've observed something strange at the dmesg-Logfile, it is saying "possible
> SYN flooding on port 80. Sending cookies." about every 20 minutes. I don't
> think that this is a real SYN flood, as this is some very high traffic system.
> The system is running at CentOS 6.3, we're using Varnish 3.0.4 (from rpm).

From what I gathered last time I looked into this for a customer, you need to
increase netdev_max_backlog to avoid the synflood message in dmesg.

You can see with netstat -s if your syncookies are in fact returned from the
client, which hints on whether you are being synflooded or not.

> We have optimized the following kernel parameters already:
> /proc/sys/net/ipv4/tcp_tw_reuse (now set to 1)
> /proc/sys/net/ipv4/tcp_tw_recycle (now set to 1)
> /proc/sys/net/ipv4/tcp_fin_timeout (now set to 30)
> /proc/sys/net/ipv4/tcp_keepalive_intvl (now set to 40)
> /proc/sys/net/ipv4/tcp_keepalive_time (now set to 1800)
> /proc/sys/net/ipv4/tcp_syn_retries (not set to 2)
> /proc/sys/net/ipv4/tcp_synack_retries (now set to 2)
> /proc/sys/net/ipv4/tcp_no_metrics_save (now set to 1)
> /proc/sys/net/ipv4/tcp_rmem (now 4096 87380 16777216)
> /proc/sys/net/core/wmem_max (now 16777216)
> /proc/sys/net/core/rmem_max (now 16777216)
> /proc/sys/net/ipv4/tcp_max_syn_backlog (now 4096)
> /proc/sys/net/ipv4/tcp_max_syn_backlog (now 4096)
> /proc/sys/net/core/netdev_max_backlog (now 5000)
> /proc/sys/net/ipv4/ip_local_port_range (now 1024 65536)

I'd recommend keeping TCP stack tuning to a minimum.

tcp_tw_recycle is dangerous. Don't enable it.

At least you should be sure you understand what each setting means before
changing it. Please don't just copy something from a blog somewhere.

-- 
With regards,
Lasse Karstensen
Varnish Software AS
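
The netstat -s check mentioned in the reply above, as an added example that is not part of the original mail: it compares two saved `netstat -s` snapshots, since the counters are cumulative since boot, and reports how many SYN cookies were sent, returned valid and rejected in between. The function name, verdict labels, the 50% threshold and the sample counter values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare two saved `netstat -s` snapshots and report how many
# SYN cookies were sent, answered and rejected in between.
# Usage:  syncookie_delta EARLIER_FILE LATER_FILE
# Output: "<sent> <received> <invalid> <verdict>"
syncookie_delta() {
    awk '
        { side = (FILENAME == ARGV[1]) ? "old" : "new" }
        /invalid SYN cookies received/ { n[side, "invalid"] = $1; next }
        /SYN cookies received/         { n[side, "recv"]    = $1; next }
        /SYN cookies sent/             { n[side, "sent"]    = $1; next }
        END {
            sent    = n["new", "sent"]    - n["old", "sent"]
            recv    = n["new", "recv"]    - n["old", "recv"]
            invalid = n["new", "invalid"] - n["old", "invalid"]
            # Assumed threshold: at least half of the cookies came back valid,
            # i.e. real clients completed the handshake and the backlog was
            # simply too small for the load. Otherwise most cookies were never
            # answered, which is what a flood from spoofed sources looks like.
            if (sent <= 0)             verdict = "no-cookies-sent"
            else if (recv * 2 >= sent) verdict = "clients-answering"
            else                       verdict = "cookies-unanswered"
            print sent, recv, invalid, verdict
        }' "$1" "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample lines in the format net-tools `netstat -s` prints.
    cat > "$dir/before" <<'EOF'
    1000 SYN cookies sent
    950 SYN cookies received
    3 invalid SYN cookies received
EOF
    cat > "$dir/after" <<'EOF'
    1600 SYN cookies sent
    1530 SYN cookies received
    5 invalid SYN cookies received
EOF
    syncookie_delta "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo   # prints: 600 580 2 clients-answering
```

On a live host the two input files would come from `netstat -s > file` run before and after one of the dmesg warnings.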
