On Mon, 25 Oct 2010, Stephen Borrill wrote:
> On Fri, 22 Oct 2010, Joerg Sonnenberger wrote:
>> On Fri, Oct 22, 2010 at 11:01:03PM +0200, Manuel Bouyer wrote:
>>> Did you check if squid is hitting some resource limit, maybe file descriptors?
>> Or sockets in time wait state.
> Tuan (my co-worker) will correct me if I'm wrong, but it's proving to be an ipfilter problem. With ipfilter disabled, there are literally zero errors (we did up file descriptors to 8192 BTW).

For the record, this turned out to be exhaustion of the ipfilter state table.

From sys/dist/ipf/netinet/ip_state.h:

    # define IPSTATE_SIZE 5737
    # define IPSTATE_MAX 4013 /* Maximum number of states held */

These need to be primes with IPSTATE_MAX being about 70% of IPSTATE_SIZE. So I increased these by adding the following to my kernel config file:

    options IPSTATE_SIZE=30011
    options IPSTATE_MAX=21011

I've tracked the usage with:

    ipfstat -sl | grep '^[^[:space:]]' | wc -l

I've seen it go up to 11k or so.

--
Stephen
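
Added example, not part of the original message: a POSIX sh helper that checks a pair against the constraints stated above (both prime, IPSTATE_MAX about 70% of IPSTATE_SIZE) and proposes a pair from an observed peak state count. The function names, the 65-75% acceptance window and the default 100% headroom are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: choose IPSTATE_SIZE/IPSTATE_MAX
# kernel options from an observed peak state count.

# is_prime N: succeed if N is prime (trial division is ample at these sizes).
is_prime() {
    n=$1
    [ "$n" -ge 2 ] || return 1
    [ "$n" -lt 4 ] && return 0
    [ $((n % 2)) -eq 0 ] && return 1
    d=3
    while [ $((d * d)) -le "$n" ]; do
        [ $((n % d)) -eq 0 ] && return 1
        d=$((d + 2))
    done
    return 0
}

# next_prime N: print the smallest prime >= N.
next_prime() {
    p=$1
    until is_prime "$p"; do p=$((p + 1)); done
    echo "$p"
}

# check_pair SIZE MAX: succeed if both are prime and MAX is 65-75% of SIZE.
# The post says "about 70%"; the 65-75 window is this example's assumption.
check_pair() {
    is_prime "$1" || return 1
    is_prime "$2" || return 1
    pct=$(( $2 * 100 / $1 ))
    [ "$pct" -ge 65 ] && [ "$pct" -le 75 ]
}

# suggest_pair PEAK [HEADROOM_PCT]: print config lines with IPSTATE_MAX at
# least PEAK plus headroom (default 100%, an assumption) and SIZE ~ MAX/0.7.
suggest_pair() {
    peak=$1
    headroom=${2:-100}
    want=$(( peak * (100 + headroom) / 100 ))
    max=$(next_prime "$want")
    want=$(( (max * 10 + 6) / 7 ))      # ceil(max / 0.7)
    size=$(next_prime "$want")
    echo "options IPSTATE_SIZE=$size"
    echo "options IPSTATE_MAX=$max"
}

# Default peak of 11000 is the "11k or so" figure reported in the post.
suggest_pair "${1:-11000}" "${2:-100}"
```

The peak argument is the number printed by the `ipfstat -sl | grep '^[^[:space:]]' | wc -l` pipeline above, sampled under load.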