Tune 2 linux kernel parameters to reduce TIME_WAIT sockets.
net.ipv4.tcp_fin_timeout
This specifies how many seconds to wait for a final FIN packet before the socket is forcibly closed. This is strictly a violation of the TCP specification, but required to prevent denial-of-service attacks.
The default value is 60, but we highly recommend to change to smaller number like 30 or even 15 seconds.
net.ipv4.tcp_tw_reuse
This allows linux to use an existing connection with the TIME_WAIT state, but only for outgoing connections. It will help with connections you establish towards your backend servers, but it has absolutely no effect on incoming connections in any way. If you encounter local port exhausted don't increase local port range (net.ipv4.ip_local_port_range), please enable tcp_tw_reuse kernel parameter.
The default value is 0, but we highly recommend to change to 1.
https://vincent.bernat.ch/en/blog/2014-tcp-time-wait-state-linux
blog gives more details about how to cope with the TCP TIME_WAIT state on busy linux servers.
Key takeaways
- Enable net.ipv4.tcp_tw_reuse
- Do not enable net.ipv4.tcp_tw_recycle
- Enabling net.ipv4.tcp_tw_reuse is useless for incoming connections.
- The universal solution is to increase the number of possible quadruplets by using, for example, more server ports. This will allow you to not exhaust the possible connections with TIME-WAIT entries.
- On the client side, enabling net.ipv4.tcp_tw_reuse is another almost-safe solution.