My setup consists of two Apache servers like in this diagram:

|Apache | >==Reverse Proxy Connection====> |Apache |
|Server1| <==Response through conntrack==< |Server2|

After a successful HTTP connection from Server 1 to Server 2, the latter sends a TCP [FIN,ACK] packet.

This packet is properly acknowledged by Server 1 with a TCP [ACK] packet. The connection is now in the CLOSE-WAIT state.

Then, almost 600 seconds later, Server 1 sends TCP [FIN,ACK] to Server 2, which responds with TCP [RST].

This packet is marked by conntrack as 'invalid' and never makes it to Server 1 (due to an iptables rule), resulting in Server 1 retransmitting the TCP [FIN,ACK] packet more than 20 times. This is because nf_conntrack has a timeout of 60 seconds for a TCP connection in the CLOSE-WAIT state.

Packet Capture

  • Why does Apache keep the TCP connection in the close-wait state for that long and why does the counterpart respond with RST?
bit151
    You may find a part of your answer [here](https://serverfault.com/questions/160558/how-to-not-get-so-many-apache-close-wait-connections) and in the comments there is another serverfault page that expands on it. – Aaron Feb 05 '21 at 22:25
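
The teardown described in the question, as an added example that is not part of the original post: a simplified model of conntrack's per-state timeouts that classifies each packet of a timeline constructed from the question. Only the 60-second CLOSE-WAIT value comes from the page; the other timeouts are assumed kernel defaults, and the 900-second comparison value and all function names are hypothetical.

```python
# Simplified model of nf_conntrack TCP teardown tracking (not the kernel's full
# state machine). Timeouts in seconds: CLOSE_WAIT=60 is the value from the
# question, the others are assumed kernel defaults.
TIMEOUTS = {"ESTABLISHED": 432000, "FIN_WAIT": 120, "CLOSE_WAIT": 60,
            "LAST_ACK": 30, "CLOSE": 10}

# (current state, flag) -> next state, limited to the teardown in the question.
# "FIN" stands for a [FIN,ACK] segment.
TRANSITIONS = {
    ("ESTABLISHED", "FIN"): "FIN_WAIT",
    ("FIN_WAIT", "ACK"): "CLOSE_WAIT",
    ("CLOSE_WAIT", "FIN"): "LAST_ACK",
    ("LAST_ACK", "RST"): "CLOSE",
}

def classify(packets, timeouts=TIMEOUTS, state="ESTABLISHED"):
    """packets: [(time, sender, flag)] -> [(time, sender, flag, verdict)]."""
    expires = packets[0][0] + timeouts[state] if packets else 0
    verdicts = []
    for t, sender, flag in packets:
        if state is not None and t >= expires:
            state = None  # entry timed out and was removed from the table
        nxt = TRANSITIONS.get((state, flag))
        if nxt is None:
            # No entry (a FIN or RST cannot create one) or a transition this
            # model does not cover: the packet matches ctstate INVALID.
            verdicts.append((t, sender, flag, "INVALID"))
            continue
        state, expires = nxt, t + timeouts[nxt]
        verdicts.append((t, sender, flag, state))
    return verdicts

# Constructed timeline matching the question (times in seconds).
CAPTURE = [
    (0.0, "Server2", "FIN"),      # Server 2 closes its side
    (0.001, "Server1", "ACK"),    # entry enters CLOSE_WAIT
    (600.0, "Server1", "FIN"),    # Server 1 closes almost 600 s later
    (600.001, "Server2", "RST"),  # reply that the iptables rule drops
]

if __name__ == "__main__":
    longer = {**TIMEOUTS, "CLOSE_WAIT": 900}  # hypothetical comparison value
    for label, t in (("close_wait=60", TIMEOUTS), ("close_wait=900", longer)):
        print(label)
        for row in classify(CAPTURE, t):
            print("  t=%9.3f %-8s %-4s -> %s" % row)
```

With the 60-second timeout the entry is gone long before Server 1 sends its FIN, so both the FIN and the answering RST are classified INVALID; with a CLOSE-WAIT timeout longer than the application's delay the same packets still match the tracked connection.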
