
Too many TCP TIME_WAIT connections

 2 years ago
source link: https://blog.yuantops.com/tech/linux_tcp_time_wait_tuning/

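While load-testing a service, throughput hit a ceiling and would not go any higher. The error message said there were no ports available to allocate. A search showed that others have run into a similar problem (see "linux 大量的TIME_WAIT解决办法", i.e. "Fixing a large number of TIME_WAIT connections on Linux").

The configuration that fixes it is excerpted below:

Configure the TCP connection parameters: edit the file with vim /etc/sysctl.conf and add the following: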

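# Send SYN cookies when the SYN backlog overflows
net.ipv4.tcp_syncookies = 1
# Allow TIME_WAIT sockets to be reused for new outgoing connections
net.ipv4.tcp_tw_reuse = 1
# Fast TIME_WAIT recycling: breaks clients behind NAT; removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30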

Also pay attention to the system's own resource limits: edit /etc/security/limits.conf and raise the values:

*       soft    nofile  65535
*       hard    nofile  65535
*       soft    nproc  65535
*       hard    nproc  65535

What does net.ipv4.tcp_fin_timeout actually do?

A Stack Overflow user puts it this way:

Your link is urban myth. The actual function of net.ipv4.tcp_fin_timeout is as follows:

This specifies how many seconds to wait for a final FIN packet before the socket is forcibly closed. This is strictly a violation of the TCP specification, but required to prevent denial-of-service attacks. In Linux 2.2, the default value was 180.

This doesn't have anything to do with TIME_WAIT. It establishes a timeout for a socket in FIN_WAIT_1, after which the connection is reset (which bypasses TIME_WAIT altogether). This is a DOS measure, as stated, and should never arise in a correctly written client-server application. You don't want to set it so low that ordinary connections are reset: you will lose data. You don't want to fiddle with it at all, actually.

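Time to bust the myth! This parameter has no direct relationship to TIME_WAIT. According to the TCP/IP state machine, the side that initiates the close enters the FIN_WAIT_1 state and waits to receive a FIN segment. net.ipv4.tcp_fin_timeout sets how long a socket may stay in FIN_WAIT_1. When that time is up, the TIME_WAIT state is skipped and the connection is forcibly closed.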
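Before changing any of the settings above, it is worth confirming that TIME_WAIT sockets are what actually holds the ephemeral ports, and toward which destination. The script below is an added example, not from the original post: it parses /proc/net/tcp-format text and counts, per remote endpoint, the TIME_WAIT sockets whose local port lies in the ephemeral range. The sample rows are constructed and the 32768-60999 range is an assumed value.

```shell
# Added example: which remote endpoints hold ephemeral ports in TIME_WAIT?
# /proc/net/tcp state codes: 01=ESTABLISHED 04=FIN_WAIT1 06=TIME_WAIT 0A=LISTEN
# Constructed sample rows (not captured from a real host).
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0A00000A:C350 1400000A:1F90 06 00000000:00000000 03:00000E10 00000000     0        0 0 3
   2: 0A00000A:C351 1400000A:1F90 06 00000000:00000000 03:00000E10 00000000     0        0 0 3
   3: 0A00000A:C352 1400000A:1F90 06 00000000:00000000 03:00000E10 00000000     0        0 0 3
   4: 0A00000A:C353 1400000A:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 2002 1
   5: 0A00000A:C354 1E00000A:01BB 06 00000000:00000000 03:00000E10 00000000     0        0 0 3
   6: 0A00000A:C355 1400000A:1F90 04 00000000:00000000 01:00000014 00000000     0        0 0 2
   7: 0A00000A:1F90 2800000A:D431 06 00000000:00000000 03:00000E10 00000000     0        0 0 3
EOF
}

# tcp_state_count FILE STATE_HEX: number of sockets in the given state.
tcp_state_count() {
    awk -v st="$2" 'NR > 1 && toupper($4) == st { n++ } END { print n + 0 }' "$1"
}

# time_wait_by_remote FILE LOW HIGH: prints "ip:port count" per remote endpoint for
# TIME_WAIT sockets with a local port in [LOW, HIGH]; row 7 (listening port) is skipped.
time_wait_by_remote() {
    awk -v low="$2" -v high="$3" '
    function hex2dec(h,    i, n) {
        h = toupper(h); n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    function ip(h,    a) {   # IPv4 addresses are stored as little-endian hex
        a = hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2))
        return a "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    NR > 1 && $4 == "06" {
        split($2, l, ":"); split($3, r, ":"); p = hex2dec(l[2])
        if (p >= low && p <= high) held[ip(r[1]) ":" hex2dec(r[2])]++
    }
    END { for (k in held) print k, held[k] }' "$1" | sort
}

# Demo on the sample; on a live host use /proc/net/tcp and ip_local_port_range values.
tmp=$(mktemp); sample_proc_net_tcp > "$tmp"
echo "TIME_WAIT sockets: $(tcp_state_count "$tmp" 06)"
time_wait_by_remote "$tmp" 32768 60999
rm -f "$tmp"
```

If one destination accounts for nearly all of the count, the fix belongs in the client's connection handling (keep-alive or pooling) as much as in sysctl.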

