Product: Xtradyne I-DBC
Version: ALL
Description:
Firewall Configuration – TCP Connection Timeouts
Resolution:
A common firewall configuration includes a timeout for TCP connections that have been idle for longer than, say, an hour. This is intended to prevent dead connections from occupying the firewall's state tables for extended periods.
TCP idle timeouts present a problem in DBC usage scenarios where connections stay unused for longer than the timeout period. This happens because most ORBs do not time out idle connections, and neither does the DBC in its standard configuration.
Part 2 Installation Guide, Chapter 11 Troubleshooting
224 Domain Boundary Controller - Administrator’s Guide
When the connection is used again, for example by the first person in the morning, the firewall has already discarded its state entry and the application gets an error on the remote call. To prevent this, there are several possibilities:
- Have the DBC Proxy time out idle TCP connections itself. This prevents idle TCP connections altogether and is probably the best solution. Start the Admin Console, go to the “DBC Proxy” panel and configure the “GIOP idle connection timeout”. Choose a value shorter than the firewall's idle timeout, so that the DBC closes the connection cleanly before the firewall discards it.
- Reconfigure the firewall not to use TCP idle connection timeouts. This may not be an option under the site's security policy and is not recommended.
- Reconfigure the DBC Proxy (and probably the client ORB as well) to send TCP keep-alives. TCP keep-alives can be activated with the Admin Console: every IIOP Listener has a details panel where the sending of TCP keep-alives can be switched on. Most operating systems send the first keep-alive probe only after two hours of idle time by default, so the TCP idle connection timeout on the firewall must be greater than two hours for this option to take effect. Alternatively, the TCP keep-alive time can be lowered at operating system level (see the section below).
When none of the above options can be applied, change the application to recover gracefully when a remote call raises a COMM_FAILURE exception. Simply repeating the call once is the recommended procedure in this case: the first call re-establishes the connection, and a second failure indicates a real outage rather than a dropped idle connection.
Please make sure that a firewall that uses TCP idle connection timeouts never silently drops packets on timed-out connections. It should instead reject them (for example by sending a TCP RST), so that the client learns immediately that the connection is gone. If the packets are dropped silently, the application hangs until the client-side TCP stack gives up, which can take several minutes; meanwhile the application does not respond and appears to have crashed.
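The single-retry recovery recommended above, written out as an added example; it is not code from this knowledge document, the DBC product or OpenFusion. The remote object and the COMM_FAILURE class are stand-ins constructed for the example. The completion status they carry mirrors the `completed` field of a real CORBA system exception, which is what decides whether repeating the call is safe: a request that never reached the server (COMPLETED_NO) can always be repeated, while one that may already have executed (COMPLETED_MAYBE) should only be repeated if the operation is idempotent.

```python
"""Retry a remote call exactly once when it fails with COMM_FAILURE.

Added example, not code from the DBC product or OpenFusion. The ORB, the
remote object and the COMM_FAILURE class are stand-ins constructed for the
example; a real CORBA COMM_FAILURE carries the same `completed` status.
"""
import enum


class CompletionStatus(enum.Enum):
    """Mirrors CORBA's CompletionStatus: did the server execute the request?"""
    COMPLETED_YES = "COMPLETED_YES"
    COMPLETED_NO = "COMPLETED_NO"
    COMPLETED_MAYBE = "COMPLETED_MAYBE"


class COMM_FAILURE(Exception):
    """Stand-in for org.omg.CORBA.COMM_FAILURE (constructed for this example)."""

    def __init__(self, completed):
        super().__init__(f"COMM_FAILURE completed={completed.name}")
        self.completed = completed


def call_with_single_retry(call, idempotent=True):
    """Invoke call() and repeat it at most once if it raises COMM_FAILURE.

    The repeat is safe when the ORB reports COMPLETED_NO (the request never
    reached the server) or when the operation is idempotent. A non-idempotent
    operation whose status is COMPLETED_MAYBE or COMPLETED_YES is not repeated,
    because the server may already have executed it once.
    """
    try:
        return call()
    except COMM_FAILURE as exc:
        safe_to_repeat = exc.completed is CompletionStatus.COMPLETED_NO or idempotent
        if not safe_to_repeat:
            raise
        # One repeat re-establishes the connection the firewall dropped.
        # If this call fails too, the exception propagates unchanged: that is
        # a real outage, not a stale idle connection.
        return call()


class FlakyRemote:
    """Simulated remote object: each entry in `failures` is one failing call."""

    def __init__(self, failures):
        self.failures = list(failures)
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.failures:
            raise COMM_FAILURE(self.failures.pop(0))
        return "ok"


def demo(failures, idempotent=True):
    """Run one scenario and report (outcome, number of remote calls made)."""
    remote = FlakyRemote(failures)
    try:
        outcome = call_with_single_retry(remote, idempotent=idempotent)
    except COMM_FAILURE as exc:
        outcome = f"raised {exc.completed.name}"
    return outcome, remote.calls


if __name__ == "__main__":
    # Stale connection, request never sent: one repeat fixes it.
    print(demo([CompletionStatus.COMPLETED_NO]))
    # Two failures in a row: real outage, surfaced to the caller.
    print(demo([CompletionStatus.COMPLETED_NO, CompletionStatus.COMPLETED_NO]))
    # Possibly executed, not idempotent: do not repeat.
    print(demo([CompletionStatus.COMPLETED_MAYBE], idempotent=False))
```

The idempotency check is the part most retry wrappers get wrong: on a dropped idle connection the failure normally happens while the request is being sent, so the ORB reports COMPLETED_NO and a repeat is harmless, but blindly repeating every COMM_FAILURE would double-execute a non-idempotent operation whose reply was lost.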
Finding out and setting TCP keep-alive times
On Linux
To determine the TCP keep-alive time (in seconds of idle time before the first keep-alive probe is sent) on your system, type:
cat /proc/sys/net/ipv4/tcp_keepalive_time
To set a different TCP keep-alive time (in seconds), type:
echo <sec> > /proc/sys/net/ipv4/tcp_keepalive_time
The default is 7200 seconds (two hours). A value written to /proc takes effect immediately but does not survive a reboot; to make it permanent, also add it to /etc/sysctl.conf.
On Solaris
To determine the TCP keep-alive time (in milliseconds) on your system, type:
ndd /dev/tcp tcp_keepalive_interval
To change this value, use ndd with the -set flag, e.g. to lower it to 20 minutes:
ndd -set /dev/tcp tcp_keepalive_interval 1200000
The default is 7200000 (two hours). As with the Linux /proc setting, a value set with ndd does not survive a reboot.
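The settings above are system-wide. An application that opens the socket itself can also enable keep-alives per socket and, on Linux, override the probe timing for that socket alone, and it can check whether the system default is short enough for a given firewall timeout. The following is an added example, not code from the DBC or OpenFusion; the firewall timeout of 3600 seconds and the probe values are assumptions made for the example, and the page does not say that the DBC exposes per-socket probe timing.

```python
"""Per-socket TCP keep-alive, and a check against the firewall's idle timeout.

Added example, not code from the DBC or OpenFusion. The firewall timeout and
the probe values used below are assumptions made for this example.
"""
import socket

# Linux system-wide settings: the same files the procedure above reads and writes.
LINUX_KEEPALIVE_PROC = {
    "tcp_keepalive_time": "/proc/sys/net/ipv4/tcp_keepalive_time",      # idle seconds before first probe
    "tcp_keepalive_intvl": "/proc/sys/net/ipv4/tcp_keepalive_intvl",    # seconds between probes
    "tcp_keepalive_probes": "/proc/sys/net/ipv4/tcp_keepalive_probes",  # unanswered probes before the socket dies
}

ASSUMED_FIREWALL_IDLE_TIMEOUT = 3600  # seconds; an assumption for the example


def read_system_keepalive():
    """Return the Linux system-wide keep-alive settings, or None on other systems."""
    values = {}
    for name, path in LINUX_KEEPALIVE_PROC.items():
        try:
            with open(path) as fh:
                values[name] = int(fh.read().strip())
        except (OSError, ValueError):
            return None
    return values


def keepalive_covers_firewall(keepalive_time, firewall_idle_timeout, margin=60):
    """True if the first keep-alive probe goes out before the firewall's idle timer expires.

    Any packet on the connection resets the firewall's idle timer, so the keep-alive
    time (idle seconds before the first probe) must be shorter than the firewall
    timeout, with a margin for clock differences and a lost probe.
    """
    return keepalive_time + margin < firewall_idle_timeout


def enable_keepalive(sock, idle=600, interval=60, probes=5):
    """Turn on keep-alives for one socket and override the system timing where the OS allows.

    SO_KEEPALIVE is portable. TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are the
    Linux per-socket names; they are applied only when this Python exposes them and
    the kernel accepts them. Returns the settings read back from the socket.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)
        if opt is None:
            continue
        try:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
        except OSError:
            pass  # option known to Python but refused by this kernel
    return applied


def configured_socket(idle=600, interval=60, probes=5):
    """Create an unconnected TCP socket with keep-alives enabled; returns (socket, applied settings)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    return sock, enable_keepalive(sock, idle, interval, probes)


def report(firewall_idle_timeout=ASSUMED_FIREWALL_IDLE_TIMEOUT):
    """Compare the system default with the firewall timeout and say what to do."""
    system = read_system_keepalive()
    if system is None:
        return "system keep-alive settings not readable on this OS"
    t = system["tcp_keepalive_time"]
    if keepalive_covers_firewall(t, firewall_idle_timeout):
        return f"tcp_keepalive_time={t}s keeps connections alive through a {firewall_idle_timeout}s firewall timeout"
    return (f"tcp_keepalive_time={t}s is too long for a {firewall_idle_timeout}s firewall timeout: "
            f"lower it system-wide or set TCP_KEEPIDLE per socket")


if __name__ == "__main__":
    print(report())
    sock, applied = configured_socket()
    print("per-socket settings:", applied)
    sock.close()
```

With the Linux default of 7200 seconds and a one-hour firewall timeout, `report()` tells you the default is too long, which is exactly the situation the third option above warns about. Setting the timing per socket avoids changing the global value for every process on the host, but it only helps for sockets the application itself creates; for the DBC's own listeners the page offers only the Admin Console switch plus the system-wide setting.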
#OpenFusion
#KnowledgeDocs