From: John Haxby
Date: Fri, 01 May 2009 17:11:40 +0100
Subject: Re: [Qemu-devel] PATCH: enabling TCP keepalives - v3
To: Avi Kivity
Cc: David Ahern, qemu-devel@nongnu.org, "Richard W.M. Jones"

Avi Kivity wrote:
> Daniel P. Berrange wrote:
>> You don't necessarily always get a different IP for VPN connections,
>> as administrators may well choose to give users a fixed IP for their
>> VPN client. I'm not entirely against keepalives, but I think making
>> it drop the connection after a mere 60 seconds is way too quick, if this
>> is enabled by default. I'd be more inclined to just have it use the
>> kernel defaults for timeouts
>>
>
> That's around two hours.
>
> I understand the wariness when it comes to dropping connections, but
> vnc is a reconnectable protocol; it isn't like you lose any data. If
> the connection drops for two minutes it is useless anyway.
>

Two hours is typically too long and 60 seconds is overly aggressive.
Connection tracking devices often have a 10 minute timeout for idle
connections -- the connection will magically evaporate after 600s of
idle time.

In my experience, VPN connections usually last hours if there's a
keepalive of some sort keeping them going. It doesn't matter what the
keepalive is, just so long as there's _some_ traffic keeping it ticking
over. Usually it's enough to set the default keepalive time (sysctl -w
net.ipv4.tcp_keepalive_time=540, for example) -- in some cases
keepalives don't make it through the network and you need some sort of
application ping, but that's comparatively unusual.

From a Linux perspective, I'd be inclined to just enable keepalives on
the connection and let the user set the default keepalive interval if
it's needed.

For those people that have seriously dodgy VPN connections that no
amount of keepalive will keep up, they need some alternative. Probably
starting with a new VPN :-)

jch
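
Added example, not part of the message above and not code from the QEMU patch: the two options the thread weighs, on Linux. SO_KEEPALIVE alone leaves the idle time at the kernel default (net.ipv4.tcp_keepalive_time), while TCP_KEEPIDLE overrides it for one socket. The function names are hypothetical, and the 600 s tracker timeout and the 540 s idle time are the figures quoted in the message.

```c
/* Added example: Linux per-socket keepalive settings (not QEMU code). */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read one integer socket option; returns its value or -1 on error. */
static int get_opt(int fd, int level, int name)
{
    int v = 0;
    socklen_t len = sizeof(v);
    return getsockopt(fd, level, name, &v, &len) < 0 ? -1 : v;
}

/* Turn keepalive probes on. idle_secs > 0 overrides the idle time for this
 * socket only; idle_secs == 0 keeps net.ipv4.tcp_keepalive_time. */
int enable_keepalive(int fd, int idle_secs)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
        return -1;
    if (idle_secs > 0 && setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE,
                                    &idle_secs, sizeof(idle_secs)) < 0)
        return -1;
    return 0;
}

int keepalive_enabled(int fd) { return get_opt(fd, SOL_SOCKET, SO_KEEPALIVE) > 0; }
int keepalive_idle(int fd)    { return get_opt(fd, IPPROTO_TCP, TCP_KEEPIDLE); }

/* 1 if the first probe goes out before a connection tracker with the given
 * idle timeout (600 s in the message above) would expire the flow. */
int beats_tracker(int fd, int tracker_timeout_secs)
{
    int idle = keepalive_idle(fd);
    return keepalive_enabled(fd) && idle > 0 && idle < tracker_timeout_secs;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || enable_keepalive(fd, 0) < 0) { perror("keepalive"); return 1; }
    printf("kernel default: idle=%ds beats 600s tracker: %d\n",
           keepalive_idle(fd), beats_tracker(fd, 600));
    enable_keepalive(fd, 540);  /* same figure as the sysctl in the message */
    printf("per-socket:     idle=%ds beats 600s tracker: %d\n",
           keepalive_idle(fd), beats_tracker(fd, 600));
    close(fd);
    return 0;
}
```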