Product Documentation

Frequently Asked Questions

Mar 14, 2017

Timeouts

Important

Before using any nsapimgr knob, consult Citrix Customer Support.

The following is a list of the idle connection timeouts that can be set on NetScaler T1 virtual servers and services. Idle timeouts set for client or server connections at the virtual server or service level apply only to connections that are in the TCP ESTABLISHED state and idle.

  • Load Balancing virtual server cltTimeout parameter specifies the time in seconds that a connection from a client to a Load Balancing virtual server must be idle before the appliance closes the connection.
  • Service svrTimeout parameter specifies the time in seconds that a connection from the appliance to a service or server must be idle before the appliance closes the connection.
  • Service cltTimeout parameter specifies the time in seconds that a connection from a client to a service must be idle before the appliance closes the connection.

When a service is bound to a Load Balancing virtual server, the cltTimeout of the Load Balancing virtual server takes precedence and the cltTimeout of the service is ignored.

If no service is bound to the Load Balancing virtual server, the global idle timeout, tcpServer, is used for server-side connections. It can be configured as follows:

> set ns timeout -tcpServer 9000

Connections in other states have different timeout values:

  • Half-open connections idle timeout: 120 seconds (hardcoded value)
  • TIME_WAIT connections idle timeout: 40 seconds (hardcoded value)
  • Half-close connections idle timeout: 10 seconds by default; it can be configured between 1 s and 600 s with the following command

> set ns timeout -halfclose 10

When the half-close timeout is triggered, the connection is moved to the zombie state. When the zombie timeout expires, zombie cleanup runs and, by default, T1 sends an RST on both the client and the server side of the connection. In some cases this can re-activate inactive client PDP contexts and add overhead in the provider's Radio Access Network. To suppress this behavior when necessary, a knob is available that silently drops half-closed and/or established connections on the client side at cleanup instead of sending an RST. To make this change persist across NetScaler appliance restarts, include the following commands in the “/nsconfig/rc.netscaler” file.

> shell
#nsapimgr_wr.sh -ys tcp_hc_zombie_silent_drop=1
#nsapimgr_wr.sh -ys tcp_est_zombie_silent_drop=1

  • Zombie timeout: interval at which the zombie cleanup process runs to clean up inactive TCP connections. The default value is 120 s and it can be configured between 1 s and 600 s.

> set ns timeout -zombie 120

Maximum Segment Size Table

A NetScaler T1 appliance defends against SYN flood attacks by using SYN cookies instead of maintaining half-open connections in system memory. The appliance sends a cookie to each client that requests a TCP connection, but it does not maintain the state of half-open connections. Instead, the appliance allocates system memory for a connection only upon receiving the final ACK packet, or, for HTTP traffic, upon receiving an HTTP request. This prevents SYN attacks and allows normal TCP communication with legitimate clients to continue uninterrupted. This function is enabled by default and cannot be disabled.

However, there is a caveat: standard SYN cookies limit connections to only eight Maximum Segment Size (MSS) values. If the MSS of a connection does not match any of the predefined values, the next lower available value is used towards both the client and the server side.

For 11.0 64.x series Telco builds, the predefined TCP Maximum Segment Size (MSS) values are the following:

1460 1440 1330 1212 956 536 384 128

For builds up to 11.1 51.26, the predefined TCP MSS values are the following:

1460 1440 1360 1220 956 536 384 128

For build 11.1 52.13 or later, the predefined TCP Maximum Segment Size (MSS) values are the following and can be configured through a new nsapimgr knob:

1460 1440 1330 1220 956 536 384 128

The new MSS table:

  • Need not contain Jumbo-Frame support. Even though by default 8 values are reserved in the MSS table for jumbo frames, the table can be modified to include standard Ethernet-sized frames only.
  • Should have 16 values.
  • Should have values in descending order.
  • Should include 128 as the last value.

If the new MSS table is valid, it is stored and the old values are switched out at the SYN-cookie rotation time. Otherwise, an error is returned. Changes apply to new connections; existing connections keep the old MSS table until they expire or are terminated.

To display the current MSS table on a NetScaler appliance, type the following commands:

>shell
#nsapimgr -d mss_table
MSS table
{9176,9156,8192,7168,6144,4196,3072,2048,1460,1440,1330,1212,956,536,384,128}
Done.

To change the MSS table, type the following command:

>shell
#nsapimgr -s mss_table=<16 comma separated values>

For example:

#nsapimgr -ys mss_table=9176,9156,8192,7168,6144,4196,3072,2048,1460,1400,1330,1212,956,536,384,128
# nsapimgr -d mss_table
MSS table
{9176,9156,8192,7168,6144,4196,3072,2048,1460,1400,1330,1212,956,536,384,128}
Done.

An example using standard Ethernet-sized values only:

#nsapimgr -ys mss_table=1460,1440,1420,1400,1380,1360,1340,1320,1300,1280,1260,1212,956,536,384,128
# nsapimgr -d mss_table
MSS table
{1460,1440,1420,1400,1380,1360,1340,1320,1300,1280,1260,1212,956,536,384,128}
Done.

To make this change persist across NetScaler appliance restarts, include the command “#nsapimgr -ys mss_table=<16 comma separated values>” in the “/nsconfig/rc.netscaler” file. If the “rc.netscaler” file doesn’t exist, create it under the “/nsconfig” folder, and then append the command.
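Because an invalid table only fails at nsapimgr time on the appliance, it is useful to check a candidate table beforehand. The following POSIX sh functions are an added example (not code from the Citrix documentation or the appliance): mss_table_valid applies the rules stated above (16 numeric values, descending order, 128 last), and mss_pick shows which entry a SYN cookie falls back to for a given peer MSS, the next lower available value described earlier. The sample table is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Citrix page: validate a candidate MSS table
# against the FAQ rules (16 numeric values, descending, 128 last) before it
# is handed to nsapimgr, and show which entry a SYN cookie can encode for
# a given peer MSS (the next lower available value).

# mss_table_valid TABLE -> returns 0 if TABLE is acceptable, 1 otherwise.
mss_table_valid() {
    _n=0; _prev=""; _last=""
    _oldifs=$IFS; IFS=,
    for _v in $1; do
        IFS=$_oldifs
        case $_v in
            ""|*[!0-9]*) echo "mss_table: bad entry '$_v'" >&2; return 1 ;;
        esac
        if [ -n "$_prev" ] && [ "$_v" -ge "$_prev" ]; then
            echo "mss_table: not descending at $_v" >&2; return 1
        fi
        _prev=$_v; _last=$_v; _n=$((_n + 1))
    done
    IFS=$_oldifs
    [ "$_n" -eq 16 ] || { echo "mss_table: need 16 values, got $_n" >&2; return 1; }
    [ "$_last" -eq 128 ] || { echo "mss_table: last value must be 128" >&2; return 1; }
    return 0
}

# mss_pick TABLE MSS -> prints the largest table entry <= MSS (the value the
# SYN cookie falls back to); returns 1 if MSS is below every entry.
mss_pick() {
    _oldifs=$IFS; IFS=,
    for _v in $1; do
        IFS=$_oldifs
        if [ "$_v" -le "$2" ]; then echo "$_v"; return 0; fi
    done
    IFS=$_oldifs
    return 1
}

# Constructed candidate table with standard Ethernet-sized values only.
NEW_TABLE=1460,1440,1420,1400,1380,1360,1340,1320,1300,1280,1260,1212,956,536,384,128
if mss_table_valid "$NEW_TABLE"; then
    echo "valid; on the appliance apply with: nsapimgr -ys mss_table=$NEW_TABLE"
    echo "a peer advertising MSS 1350 would be served with $(mss_pick "$NEW_TABLE" 1350)"
fi
```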

Memory Overload Protection

If a NetScaler Packet Processing Engine (PPE) uses more memory than a specified high watermark value, new connections bypass TCP optimization. Existing connections (the ones previously admitted for optimization) continue to be optimized. The watermark is platform, build, and license specific. For example, it is 2.6 GB for a T1100 running an 11.0-64.x Telco build, while for other combinations it might differ. Its value has been deliberately chosen and tuning it is not recommended.

Note

If you believe that there is a good reason to change that watermark value, contact Customer Support.

Support for Happy Eyeballs Clients

If the NetScaler appliance receives a SYN for a destination whose state is unknown, the appliance first checks the reachability of the server and then acknowledges the client. This probing mechanism enables clients with dual IP stacks to discover the reachability of dual-stack internet servers. If the client discovers that both IPv6 and IPv4 access are available, it keeps the connection to the server that responds more quickly and resets the other. When the NetScaler appliance receives a reset for a connection, it resets the corresponding server-side connection.

Note

This feature has no user-configurable TCP settings; it cannot be enabled or disabled on the NetScaler appliance.

For more information about Happy Eyeballs support, see RFC 6555.