[RPKI] Tcp keepalives
bc at skogen.nu
Mon Aug 30 18:21:33 UTC 2021
Yep, that’s the workaround I’ve deployed: more frequent refreshes, and this helps since fw state info does not time out.
I had a pretty long refresh time set before (1h), but since I have the Routinator refresh timer set up at 1h, it doesn’t really matter if I decrease the RTR refresh timer.
From looking at the code, it seems support for TCP keepalives was removed in 0.10.0 since it disappeared from tokio(?). And since it used the system default 75s rather than the configured 60, it probably didn’t work in 0.8.2 either.
I would argue the default should be to use the system default setting rather than no keepalives, though.
> On 30 Aug 2021, at 19:42, Tony Tauber <ttauber at 1-4-5.net> wrote:
> In some early lab testing I did, I noticed that RTR sessions were often resetting every 10 minutes.
> The reason I discerned was there was an intervening firewall which must've had a 10 minute auto-flush of stale state info.
> Rather than trying to fight a losing battle with firewall folks (also with possible collateral effects), I found it easier to configure the client to refresh more often.
> For example, on Cisco IOS-XR, the "refresh-time 300" parameter (5-minute refresh) helped my situation.
> I haven't yet gotten Routinator v0.10.0 deployed so not sure about what we're seeing, but architecturally maybe it's weird for the server (vs. client) to send the keepalives?
> On Fri, Aug 27, 2021 at 4:19 PM Björn Karlsson via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> Did something change with the handling of tcp keepalives between version 0.8.2 and 0.10.0?
> I recently upgraded one of two servers to 0.10.0 and after the upgrade I don’t see keepalives which I do from the 0.8.2 server (and previously, before the upgrade, from the upgraded server).
> Same configuration for both servers, default:
> rtr-tcp-keepalive = 60
> When I check with tcpdump there are no keepalives from the 0.10.0 server but roughly 75s (system default) from the 0.8.2 version. Also, doing a show tcp packet-trace on the Cisco shows the same.
> I’m trying to debug a problem where the session to the 0.10.0 server is reset roughly once per hour (which is the refresh time). Since the session is through a firewall I suspect I need the keepalives.
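The three keepalive behaviours discussed in this thread (none, system-default timers, a configured 60-second idle time), as an added example that is not part of the original messages and is not Routinator's code. It assumes Linux socket option names; the helper names and the loopback socket pair standing in for an RTR session are hypothetical, and the 600-second firewall timeout is the 10-minute figure quoted above.

```python
import socket

TIMERS = (("idle", "TCP_KEEPIDLE"), ("interval", "TCP_KEEPINTVL"), ("probes", "TCP_KEEPCNT"))

def set_keepalive(sock, **timers):
    """Enable SO_KEEPALIVE; any timer not given stays at the system default."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for key, name in TIMERS:
        opt = getattr(socket, name, None)  # Linux option names; may be absent elsewhere
        if timers.get(key) is not None and opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, timers[key])

def effective_keepalive(sock):
    """Read back what the kernel will actually do for this socket."""
    out = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    for key, name in TIMERS:
        opt = getattr(socket, name, None)
        out[key] = sock.getsockopt(socket.IPPROTO_TCP, opt) if opt is not None else None
    return out

def survives_firewall(settings, state_timeout):
    """True if the first probe goes out before the firewall drops idle state."""
    idle = settings["idle"]
    return bool(settings["enabled"] and idle is not None and idle < state_timeout)

def loopback_session():
    """Constructed listener/client pair on 127.0.0.1 standing in for an RTR session."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()
    listener.close()
    return server_side, client

def demo():
    server_side, client = loopback_session()
    try:
        before = effective_keepalive(server_side)      # accepted socket, nothing set
        set_keepalive(server_side)                     # keepalive on, system timers
        default = effective_keepalive(server_side)
        set_keepalive(server_side, idle=60)            # configured value from the thread
        configured = effective_keepalive(server_side)
        return before, default, configured
    finally:
        server_side.close()
        client.close()

if __name__ == "__main__":
    for label, s in zip(("no keepalive", "system default", "idle=60"), demo()):
        print(f"{label}: {s} survives 600s firewall: {survives_firewall(s, 600)}")
```

Reading the options back with `getsockopt` on the accepted socket is a quick way to confirm whether a configured value was applied or whether the kernel default is in effect.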