Networker

Re: [Networker] NUL handshake - Firewall issue

2005-09-15 05:23:05
Subject: Re: [Networker] NUL handshake - Firewall issue
From: Howard Martin <howard.martin AT EDS DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 15 Sep 2005 05:22:38 -0400
A TCP keepalive packet is sent over a TCP connection when there has not 
been any traffic for the TCP keepalive interval. A response from the host 
involved indicates that it is still there; no response causes a packet to 
be resent until there is a response or a limit is reached, and then the 
connection can be closed. So it only generates extra traffic if the 
connection is idle. The RFC recommends? that this interval is 2 hours, but 
people have set it as low as a few minutes on web servers (to identify 
hosts that have disconnected and so reclaim the connection). This setting 
has been in the OS for a long time and was recognised as a way of 
defeating firewall idle timeout periods (by setting the keepalive 
interval to be lower than the idle timeout period). The major drawback of 
using this technique is that if you have a bad/busy network, hosts' 
responses to the keepalive packets could be lost and then the OS will shut 
the connection. Applications can be made aware of this and can treat the 
loss of connection in an intelligent manner, though off hand I don't know 
of any that do.
To summarize: there is little extra network traffic generated; it holds 
firewalls open but risks disconnecting live hosts due to network problems.


On Wed, 14 Sep 2005 13:06:46 -0400, Neild, Jim <Jim.Neild AT SSHA.ON DOT CA> 
wrote:

>It just makes the box a little more chatty keeping sessions open on
>stateful inspection firewalls (i.e. checkpoint).  Applications have to
>be able to use this parameter for it to be effective.  If I remember
>correctly, NetWorker really started using this in 7.1 properly as I had
>a lot of issues resulting in a LGTpa which generated a patch. The
>NSR_KEEPALIVE_WAIT value functionality didn't actually work as described
>in the documentation prior to 7.1 (again, I believe it was 7.1), this
>patch resolved the problems.  Anyway, this value tells NetWorker the
>number of seconds to wait between KEEPALIVE packets being sent.
>
>As per MS Article ID: 315669
>
>
>Value name: KeepAliveTime
>Key: Tcpip\Parameters
>Value Type: REG_DWORD-Time in milliseconds
>Valid Range: 1-0xFFFFFFFF
>Default: 7,200,000 (two hours)
>
>This value controls how often TCP attempts to verify that an idle
>connection is still intact by sending a keep-alive packet. If the remote
>computer is still reachable, it acknowledges the keep-alive packet.
>Keep-alive packets are not sent by default. You can use a program to
>configure this value on a connection. The recommended value setting is
>300,000 (5 minutes).
>
>-----Original Message-----
>From: Legato NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU]
>On Behalf Of Bart.Jespers AT FUJITSU-SIEMENS DOT COM
>Sent: September 13, 2005 3:46 AM
>To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
>Subject: Re: [Networker] NUL handshake - Firewall issue
>
>
>What does the setting do? Can it harm other applications?
>
>HKEY_LOCAL_MACHINE\SYSTEM
>>> \CurrentControlSet\Services\Tcpip\Parameters\keepalivetime
>>> setting DWORD:DECIMAL 7200000 for servers that need it
>
>
>> On Mon, 12 Sep 2005 10:23:33 -0400, Stan Horwitz <stan AT TEMPLE DOT EDU>
>> wrote:
>>
>>
>>>
>>> Try setting NSR_KEEP_ALIVE to 15 instead of 30. The optimum setting
>>> depends on how your firewall is configured.
>>>
>>> On your Windows clients, you might also set HKEY_LOCAL_MACHINE\SYSTEM
>>> \CurrentControlSet\Services\Tcpip\Parameters\keepalivetime
>>> setting DWORD:DECIMAL 7200000 for servers that need it
>>>
>>>
>> Shouldn't that be 900000 to be equivalent to 15 minutes?
>
>It depends on your firewall. In most cases, we have not had to go
>that route at all on our servers, but a few have required it. This is
>what Legato tech support recommended for us when we had ongoing
>problems backing up and recovering data across a particular firewall.
>
>To sign off this list, send email to listserv AT listserv.temple DOT edu and
>type "signoff networker" in the
>body of the email. Please write to networker-request AT listserv.temple DOT edu
>if you have any problems
>with this list. You can access the archives at
>http://listserv.temple.edu/archives/networker.html or
>via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
>

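As an added illustration (not code from this thread, from NetWorker or from the MS article), a small Python model of the two trade-offs discussed above: a keepalive interval shorter than the firewall's idle timeout keeps the state entry alive, while a burst of lost replies on a busy network makes the OS close a connection whose peer is still up. It also shows the per-connection socket route the MS article alludes to. The Linux option names, the timer model (any packet crossing the firewall refreshes its idle timer; only a reply clears the OS's unanswered-probe count) and the sample timings are assumptions.

```python
import socket


def enable_keepalive(sock, idle_s, interval_s, count):
    """Enable per-connection TCP keepalive on an open socket.
    Option names are the Linux ones (assumption); on Windows the equivalent is
    sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle_ms, interval_ms))."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle_s),       # idle time before first probe
                        ("TCP_KEEPINTVL", interval_s),  # gap between unanswered probes
                        ("TCP_KEEPCNT", count)):        # unanswered probes before close
        opt = getattr(socket, name, None)               # absent on some platforms
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) == 1


def demo_socket_keepalive(idle_s=300, interval_s=1, count=5):
    """Create a throwaway socket and report whether the OS accepted keepalive on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return enable_keepalive(s, idle_s, interval_s, count)


def idle_connection_outcome(fw_timeout_s, keepalive_time_s, probe_interval_s,
                            max_probes, reply_lost, horizon_s):
    """Simplified model (an assumption, not a protocol spec) of an idle TCP
    connection through a stateful firewall.  reply_lost(t) says whether the
    reply to the probe sent at second t never arrives.
    Returns ("firewall_dropped" | "os_closed" | "alive", time_in_seconds)."""
    t_last_traffic, t_probe, unanswered = 0, 0, 0
    while True:
        if unanswered == 0:
            t_probe = t_last_traffic + keepalive_time_s   # first probe after idle period
        else:
            t_probe += probe_interval_s                   # retry after a lost reply
        if t_probe - t_last_traffic > fw_timeout_s:       # firewall state expired first
            return ("firewall_dropped", t_last_traffic + fw_timeout_s)
        if t_probe > horizon_s:
            return ("alive", t_last_traffic)
        t_last_traffic = t_probe                          # probe itself refreshes the firewall
        if reply_lost(t_probe):
            unanswered += 1
            if unanswered >= max_probes:                  # OS gives up on a possibly live peer
                return ("os_closed", t_probe)
        else:
            unanswered = 0
```

With a 1 hour firewall idle timeout, the Windows default KeepAliveTime of 2 hours loses the state entry at 3600 s, the MS-recommended 5 minutes keeps it, and a 10 s run of lost replies with 1 s retries and 5 probes closes the connection at the fifth unanswered probe.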
