Coping with the TCP TIME-WAIT state on busy Linux servers
RFC 793 requires the TIME-WAIT state to last twice the time of the MSL. On Linux, this duration is not tunable and is defined in include/net/tcp.h as one minute:

    #define TCP_TIMEWAIT_LEN (60*HZ) /* how long to wait to destroy TIME-WAIT
                                      * state, about 60 seconds */
Lower the conntrack tracking time for TIME_WAIT connections
TCP connections in TIME_WAIT are maintained for sixty seconds by the Linux kernel.
Note: There are many misleading Google hits indicating that this is configurable through the sysctl value net.ipv4.tcp_fin_timeout, but after some digging that turned out to be bogus. It’s a constant defined in the Linux kernel in include
nf_conntrack tracks these for 120 seconds by default (configurable through the sysctl value nf_conntrack_tcp_timeout_time_wait). Reduce this to 65 (the maximum time used by the kernel plus a five-second error margin).
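To see how much of the conntrack table the 120-second default spends on connections the kernel has already dropped, the following added example (not code from the quoted pages) counts TIME_WAIT entries that have outlived the 60-second socket lifetime. It assumes the /proc/net/nf_conntrack line layout and the full sysctl name net.netfilter.nf_conntrack_tcp_timeout_time_wait; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: estimate how many conntrack TIME_WAIT entries are "stale",
# i.e. still tracked although the kernel socket has already been destroyed.

KERNEL_TIME_WAIT=60   # TCP_TIMEWAIT_LEN, fixed at about 60 seconds

# count_stale TIMEOUT
# Reads /proc/net/nf_conntrack-style lines on stdin and prints
# "<TIME_WAIT entries> <stale entries>".
# Assumption: an entry's timer was set to TIMEOUT when it entered TIME_WAIT
# and has not been refreshed since, so its age is TIMEOUT - remaining.
count_stale() {
    awk -v timeout="$1" -v klen="$KERNEL_TIME_WAIT" '
        {
            # Find the state column instead of trusting a fixed index;
            # the field just before it is the remaining lifetime in seconds.
            for (i = 2; i <= NF; i++) {
                if ($i == "TIME_WAIT" && $(i-1) ~ /^[0-9]+$/) {
                    total++
                    if (timeout - $(i-1) > klen) stale++
                    break
                }
            }
        }
        END { printf "%d %d\n", total, stale }
    '
}

# Constructed sample entries (documentation address ranges), as they might
# look with the default timeout of 120 seconds.
sample_entries() {
    cat <<'EOF'
ipv4     2 tcp      6 117 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 61 TIME_WAIT src=192.0.2.11 dst=198.51.100.5 sport=40002 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40002 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 42 TIME_WAIT src=192.0.2.12 dst=198.51.100.5 sport=40003 dport=80 src=198.51.100.5 dst=192.0.2.12 sport=80 dport=40003 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 9 TIME_WAIT src=192.0.2.13 dst=198.51.100.5 sport=40004 dport=80 src=198.51.100.5 dst=192.0.2.13 sport=80 dport=40004 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.14 dst=198.51.100.5 sport=40005 dport=443 src=198.51.100.5 dst=192.0.2.14 sport=443 dport=40005 [ASSURED] mark=0 use=2
EOF
}

# On a live host (as root), feed the real table and configured timeout:
#   count_stale "$(sysctl -n net.netfilter.nf_conntrack_tcp_timeout_time_wait)" \
#       < /proc/net/nf_conntrack
sample_entries | count_stale 120
```

With the timeout lowered to 65, an entry can be stale for at most five seconds, so the second number should stay close to zero.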