TCP/IP Troubleshooting SET Parameters
01 May 2003
Taken from Technical Information Document (TID) #2928543
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2928543.htm
Use the following SET command parameters only at the request of Novell Technical Support engineers. Some of these SET parameters perform a large number of disk I/Os and will affect server performance when they are enabled or changed from their defaults.
SET TCP IP Maximum Small ECBS = 512 - 65534 (Default is 1024)
This parameter sets the size of the small ECB (Event Control Block) pool. By default, 1024 buffers are pre-allocated for IP applications to use. Each small ECB buffer is 256 bytes in size, as opposed to the main ECBs that are the size of the maximum physical receive packet buffer, which defaults to 4224 bytes. Small ECBs are most commonly used when performing IP Fragmentation, when sending out an ICMP ECHO request, or when using the BorderManager/ICS DNS resolver code.
The default should normally be enough, but if IP appears to hang on the system, try allocating more small ECBs using this SET command. At the same time, verify that the "receive discarded, no available buffers" count that you can see through the MONITOR utility (MONITOR -> LAN/WAN DRIVERS) is at or very close to zero (0). Non-zero values may point to the following:
There are not enough pre-allocated packet receive buffers (increase the minimum number of packet receive buffers by a factor of 2), or
There may be a problem with the LAN card or driver--try exchanging this as a test.
SET TCP Minimum Retransmission Timeout = 2 - 6 (Default is 2)
If, for performance reasons, you detect a large number of retransmissions being sent at the TCP level (to check, go to TCPCON -> STATISTICS -> TCP -> Retransmissions), you may want to use this SET parameter to change the retransmission timeout from the default of 2 TCP ticks to 4 ticks (1 TCP Tick = 224ms).
Under normal conditions on a LAN, there should be no reason to change the default value. On a slow WAN link where latency is known to be an issue, there may be a need to increase this value (refer to the number of TCP retransmissions through the TCPCON utility before doing anything).
Note: Unnecessarily setting this parameter (for example, when trying to work around network problems) may decrease performance, depending on the type of application you are running. This is because TCP will wait longer before retransmitting any lost packets.
SET TCP Maximum Packet Retransmission = 5-12 (Default is 12)
In some cases where TCP-based fault tolerant applications need to switch over when a problem occurs, it may be useful to reduce the number of retransmissions so that the connection times out earlier. Once the fault-tolerant application detects that the initial connection has gone away through a reset, the application may then try to contact another host and proceed with what it has to do.
There is no specific SET parameter to reduce a TCP connection's timeout, so you will need to do this by reducing the number of retransmissions. Currently the stack retransmits requests 12 times, at which point it resets the connection if no ACK arrives from the other side. This can often take up to 10 minutes, based on the following facts:
Retransmissions take place exponentially (the first retransmission may take place after 1 second, the second after 2, the third after 4 and so on), and
There's a cap on the maximum timeout of 2 minutes (even if the exponential retransmission timeouts exceed 2 minutes, the stack will retransmit 2 minutes later)
Note: This retransmission SET parameter must be used with great care. Reducing the value too low could reset TCP connections unnecessarily when routing or network problems occur.
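The backoff arithmetic behind the "up to 10 minutes" figure, worked through for every legal value of the parameter. This is an added example, not Novell code; it assumes the first wait equals the Minimum Retransmission Timeout, that waits double up to the 2-minute cap, and that the reset coincides with the last permitted retransmission. The function names are illustrative.

```python
TCP_TICK_S = 0.224      # 1 TCP tick = 224 ms, as stated in the article
MAX_WAIT_S = 120.0      # 2-minute cap on any single retransmission wait


def retransmission_waits(max_retransmissions=12, min_rto_ticks=2):
    """Seconds the stack waits before each retransmission.

    Assumption: the first wait equals SET TCP Minimum Retransmission Timeout
    and every later wait doubles until it reaches the 2-minute cap.
    """
    if not 5 <= max_retransmissions <= 12:
        raise ValueError("SET TCP Maximum Packet Retransmission accepts 5-12")
    if not 2 <= min_rto_ticks <= 6:
        raise ValueError("SET TCP Minimum Retransmission Timeout accepts 2-6")
    first = min_rto_ticks * TCP_TICK_S
    return [min(first * 2 ** n, MAX_WAIT_S) for n in range(max_retransmissions)]


def seconds_until_reset(max_retransmissions=12, min_rto_ticks=2):
    """Seconds from the original send to the last permitted retransmission.

    Assumption: this is the point at which the stack resets the connection
    when no ACK has arrived.
    """
    return sum(retransmission_waits(max_retransmissions, min_rto_ticks))


def failover_table(min_rto_ticks=2):
    """(setting, seconds, minutes) for each legal Maximum Packet Retransmission."""
    rows = []
    for setting in range(5, 13):
        secs = seconds_until_reset(setting, min_rto_ticks)
        rows.append((setting, round(secs, 3), round(secs / 60, 2)))
    return rows


if __name__ == "__main__":
    for setting, secs, mins in failover_table():
        print(f"retransmissions={setting:2d}  reset after {secs:8.3f} s ({mins:5.2f} min)")
```

With the defaults the model gives about 589 seconds, in line with the article's 10-minute figure; at the minimum setting of 5 the connection is abandoned after roughly 14 seconds, which is why a brief routing problem can reset connections.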
SET TCP Maximum Initial Window = 2-4 (Default is 4)
This is the maximum number of packets to use for the initial TCP window. Although this SET parameter defaults to 4 (as per the RFC2414 reference), it can be reduced to 2 or 3 if needed for performance reasons.
SET TCP Connection Establishment Timeout = 0-335 Ticks (75 Seconds)
If a customer is experiencing problems trying to establish TCP connections to a Novell server, it may be because the application has reached the maximum number of connections it can have in the half-open (or syn_received) state. You should first check the TCPCON utility under the PROTOCOLS-> TCP -> Connections field to verify if connections are stuck.
Use this SET parameter to change the TCP connection establishment timeout in ticks. By default, Novell's TCPIP stack can have five half-open TCP connections in the backlog queue. The backlog queue may be increased by the application when issuing a TCP listen request. Any new TCP connections coming in at this point will get dropped until one of the half-open connections is serviced.
Note: The SET Maximum Pending TCP Connection Requests parameter allows application developers to increase the backlog queue size beyond the default of 128 if they need to.
TCP connections can stay in the half-open state for up to 75 seconds. The above SET parameter allows you to drop the time the TCP connection stays in the half-open state. This SET command is to be used only for troubleshooting possible connection errors, and should NOT be used in a production environment.
Note: The "SET TCP DEFEND SYN ATTACKS=" parameter also affects the state of the half-open connections. When this parameter is enabled and the server OS hits the maximum number of allowed connections in the half-open state, the stack will clean up those connections (delete them) and issue a warning to the server console explaining that you may be experiencing a denial of service attack.
SET Allow Non Local Broadcasts
This SET parameter will enable the stack to allow processing of IP broadcast packets from a host with a non-local source IP address. When the stack processes an incoming broadcast, it will first check to see if the source IP address associated with the sender of the broadcast lies on the same IP subnet as our node. If it does not, it will drop the packet by default. By setting this parameter, it will force the stack to process the packet, even though the subnet check condition fails.
SET RIP2 Route Aggregation = ON/OFF (default is ON)
This SET parameter allows RIP2 to handle discontiguous subnet advertisements in a RIP2 packet. An example of where this parameter may be appropriate is in the following network design. Site A, with a network address 10.0.0.0/255.255.0.0, is connected to network 10.1.0.0/255.255.0.0 via the 137.65.0.0/255.255.0.0 network.
With the default TCPIP stack configuration, RIP2 will not advertise the 10.0.0.0/255.255.0.0 and 10.1.0.0/255.255.0.0 network addresses, but just the 10.0.0.0/255.0.0.0. Setting the above SET command to ON will make sure both networks get advertised.
SET Allow IP Address Duplicates=ON/OFF (Default is OFF)
By default, TCPIP.NLM will not bind IP addresses that conflict with other nodes on the network. If you want to bind the IP address even if that address conflicts with another node on the network, set this variable to ON.
Note: This SET parameter should never be changed to ON in a production environment, but it may be useful in a test environment to help troubleshoot problems.
SET Maximum Pending TCP Connection Requests = 0-4096 (Default is 128)
Applications that currently increase the size of the backlog queue from the default 128 will need to correspondingly set the Maximum Number of Pending TCP Connections to beyond 128. This parameter will rarely need to be changed, although heavy LDAP traffic has created the necessity for this in the past.
SET TCP Defend SYN Attacks = ON/OFF (Default=OFF)
Enabling this SET parameter will clear all half-open connections when the 32nd connection request is received (assuming the backlog queue set by the application is at 32). Then the 32nd request will be dropped, but the 33rd through n will be processed.
When these half-open connections are cleared, a message will be displayed at the server console explaining that you may be experiencing a "denial of service" attack. This message should be investigated to see if the system is actually being attacked, or whether the application (such as NetWare/IP, GroupWise) needs to increase the size of the backlog queue.
Disabling this SET parameter will not clear the half-opened connections. Then the 33rd connection request and beyond will be discarded until such time as one of the 32 connection requests in the backlog queue moves to the fully-open (established) state, thereby freeing a connection slot in the backlog queue for processing.
Note: There is a timeout associated with connection requests. After 75 seconds by default, half-open connections will be cleared. This timeout can be changed using the SET TCP Connection Establishment Timeout as explained earlier in this article.
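The ON and OFF behaviours described above, modelled side by side so the trade-off is visible when reading the console warning. This is an added example, not Novell code; the queue model, the outcome labels and the sample arrivals are constructed from the article's description and assume a backlog of 32.

```python
TICK_S = 0.224  # 1 TCP tick = 224 ms, as stated in the article


def simulate(arrivals, backlog=32, defend=False, timeout_ticks=335):
    """Model one listener's half-open queue (constructed model, see lead-in).

    arrivals: (time_s, name, handshake_s) tuples; handshake_s is None when the
    peer never completes the three-way handshake.
    Returns {name: "established" | "timed_out" | "cleared" | "dropped"}.
    """
    timeout_s = timeout_ticks * TICK_S
    half_open, outcome = {}, {}

    def settle(now):
        # Retire entries that completed or reached the establishment timeout.
        for name, (start, handshake) in list(half_open.items()):
            if handshake is not None and handshake <= timeout_s:
                if start + handshake <= now:
                    outcome[name] = "established"
                    del half_open[name]
            elif start + timeout_s <= now:
                outcome[name] = "timed_out"
                del half_open[name]

    for now, name, handshake in sorted(arrivals, key=lambda a: a[0]):
        settle(now)
        if defend and len(half_open) + 1 >= backlog:
            # Defend ON: the request that would fill the queue clears every
            # half-open entry and is itself dropped.
            for victim in half_open:
                outcome[victim] = "cleared"
            half_open.clear()
            outcome[name] = "dropped"
        elif not defend and len(half_open) >= backlog:
            outcome[name] = "dropped"   # Defend OFF: no free slot, discard
        else:
            half_open[name] = (now, handshake)
    settle(float("inf"))
    return outcome


def sample_arrivals():
    # Constructed input: 40 peers that never complete the handshake, a slow
    # legitimate client in their midst, and a client that arrives at 10 s.
    stuck = [(1 + 0.2 * i, f"stuck{i:02d}", None) for i in range(40)]
    return stuck + [(6.9, "slow-client", 1.0), (10.0, "late-client", 0.05)]
```

On this input, OFF lets the slow client finish but discards the later one, while ON admits the later client at the cost of clearing the slow client's handshake along with the stuck entries.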
SET Always Allow IP Fragmentation = ON/OFF (Default = OFF)
This parameter's default makes sure that the DF (Don't fragment) bit is enabled/disabled in the FLAG field of the IP header. However, you may want to use this parameter in cases where large IP packets that require fragmentation fail.
Some intermediate routers may not support the Path MTU algorithm correctly and resulting ICMP destination unreachable packets may not contain correct information, or it may not be generated at all. These problems only occur with old style router operating systems. When such problems do occur, turn this SET parameter to ON.
SET TCP IP DEBUG = 0/1 (Default = 0, OFF)
This SET parameter dumps to a separate console screen all incoming and outgoing packets that are processed by the TCPIP.NLM. This information is useful in debugging problems with packet translation, filtering or connection issues.
When set to 1, the displayed information scrolls down very quickly on the system console screen and administrators may not be able to get all the information they require. The best way to capture the information is to run the CONLOG.NLM, set the Debug parameter to 1, capture the IP information, and lastly unload the CONLOG.NLM. The CONSOLE.LOG file located in the SYS:\ETC directory will contain all of the information that is written to the system console screen.
SET TCP Socket Debug = 0-4 (Default = 0)
This SET parameter dumps information regarding RAW sockets to a separate server console screen. Currently TCPIP.NLM does not support many raw sockets, hence this parameter cannot provide too much useful information. The settings are as follows:
Mode 1 shows basic information at the server console
Mode 2 shows basic information at both server console and SYS:ETC\TCPIP.LOG
Mode 3 shows advanced information at the server console
Mode 4 shows advanced information at both server console and SYS:ETC\TCPIP.LOG
SET TCP TRACE = 0-4 (Default = 0)
This parameter dumps information about the current state of the TCP connection table to a separate server console screen. The settings are as follows:
Mode 1 shows basic information at the server console screen.
Mode 2 shows basic information at both the server console screen and to the SYS:ETC\TCPxxxx.LOG file (where xxxx begins with 0000).
Mode 3 shows advanced information at the server console screen.
Mode 4 shows advanced information at both the server console screen and to the SYS:ETC\TCPxxxx.LOG file (where xxxx begins with 0000).
SET TCP ARP Debug = ON/OFF (Default = OFF)
This SET parameter is rarely required for support. When set to ON, this parameter dumps ECB information that is associated with every ARP packet that is generated or is processed. The parameter may be useful to use in cases where an abend occurs with an ARP packet process.
SET TCP ECB Debug = 0-4 (Default = 0)
This SET parameter prints Event Control Blocks that are given to IP_Send before sending the data. This information is useful for troubleshooting TCPIP abends or fragmentation issues with IP.
SET TCP IPCP DEBUG = 0-4 (Default = 0)
This SET parameter displays negotiated IPCP options when it is establishing a call over PPP with MPR. Mode 1 gives the calls. As you increment the mode number, the advancing modes dump information from within each call made to a server console screen.
For example, when an MPR router tries to establish a PPP call with an ISP (where the router requests the ISP to assign the MPR an IP address automatically), the following output will be sent to the system console when the IPCP SET command is enabled:
TCPIP:IPCP: RECEIVE ACK ADDRESS=0x1010103 /* our interface is 3.1.1.1! */
SET TCP RIP DEBUG = 0-4 (Default = 0)
This SET parameter is used to verify the sending of RIP requests on a server console screen. The mode settings are as follows:
Mode 1 shows RIP send information at the server console.
Mode 2 shows RIP send information at the server console (unload and load conlog to capture to a file).
Mode 3 shows RIP send/receive information at the server console.
Mode 4 shows RIP send/receive information at the server console (unload and load conlog to capture to a file).
SET TCP WAN DEBUG = 0-4 (Default = 0)
This SET parameter dumps IP (not CSL!) debug information to the server console screen when a WAN call is being made with the MPR. Mode 1 gives the calls. As you increment the mode number, the advancing modes dump information from within each call made to a server console screen.
To see other TCP/IP troubleshooting SET parameters, see TID #2928543, found at http://support.novell.com/cgi-bin/search/searchtid.cgi?/2928543.htm
* Originally published in Novell AppNotes