How to Configure Linux TCP keepalive Setting


As the number of internet users grows, the traffic and workload on a web server grow with it. The webmaster or system administrator therefore needs to make sure that the web server can accommodate a sufficient number of TCP connections.

If your web server has begun to show an increase in the number of visitors, you may want to start planning some basic TCP tuning on the Linux operating system.

On average, most people who reach a website or blog from a search engine read a page for only 1-2 minutes. Once they have the answer they were looking for, they simply leave the page and visit other sites. But the old connection remains open and unused for a long time.

For a low or average number of website visitors, the default values of the keepalive parameters should be sufficient.

But on a high-concurrency or busy web server, decreasing the timeouts on TCP sockets can help to clean up TCP connections from clients that have been disconnected. This can be done by changing the default values of the tcp_keepalive settings in sysctl.conf.

What is TCP Keepalive Setting?

TCP keepalive is a mechanism for TCP connections that helps to determine whether the other end has stopped responding.

After a period of idle time, TCP sends keepalive probes containing no data to the network peer several times. If the peer does not respond, the socket is closed automatically.

The application will then receive a notification about the socket closure, which it should handle in the correct manner.

Most operating systems and hosts that support TCP also support TCP keepalive.

Tuning some of the settings in sysctl.conf can help speed things up under heavy usage.

The tunable TCP settings can be found in /proc/sys/net/ipv4.

What are the default values of the TCP keepalive settings?

tcp_keepalive_time = 7200 (seconds)
tcp_keepalive_intvl = 75 (seconds)
tcp_keepalive_probes = 9 (number of probes)

The TCP keepalive process waits two hours (7200 seconds) for socket activity before sending the first keepalive probe, and then resends it every 75 seconds. As long as TCP/IP socket communication is active, no keepalive packets are needed.

How to Configure Linux TCP keepalive Settings?

Please note that the following tuning is for the Linux operating system only. These steps have been tested on CentOS 5/6/7, RHEL 5/6/7 and Oracle Linux 6/7.

Optionally, you can do further tuning at the web application level, such as in the Apache or Nginx web server.

1. Edit your /etc/sysctl.conf

# vi /etc/sysctl.conf

2. Add the following settings:

net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6

The parameters above are explained in sections a), b) and c) below.

3. To load the settings, enter the following command:

# sysctl -p

KeepAlive Parameter Details

a) Decrease tcp_keepalive_time from its default value of 7200 seconds to 60 seconds. This determines the period of connection inactivity after which the first keepalive probe is sent. With the parameter below, TCP begins sending keepalive null packets after 1 minute.

net.ipv4.tcp_keepalive_time = 60

b) The following parameter (tcp_keepalive_intvl) makes the keepalive probe be resent every 10 seconds after the first keepalive probe. This reduces the interval between successive keepalive probes from 75 seconds to 10 seconds.

net.ipv4.tcp_keepalive_intvl = 10

c) The next parameter (tcp_keepalive_probes) is expressed as a plain number. It determines the number of probes sent before timing out. We recommend reducing the number of probes from 9 to 6 before the connection is considered broken.

net.ipv4.tcp_keepalive_probes = 6

With this, your application will detect dead TCP connections after 120 seconds (60s + 10s + 10s + 10s + 10s + 10s + 10s).
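The sysctl values are system-wide defaults: Linux only probes a socket once the application has set SO_KEEPALIVE on it, and an application can override the three timers per socket. The following added example (not part of the original article; the function names are illustrative) shows both on an unconnected socket, using the article's 60/10/6 values.

```python
import socket
from pathlib import Path

PROC = Path("/proc/sys/net/ipv4")  # directory named in the article

def kernel_keepalive():
    """System-wide values set through sysctl.conf: (time, intvl, probes)."""
    names = ("tcp_keepalive_time", "tcp_keepalive_intvl", "tcp_keepalive_probes")
    return tuple(int((PROC / n).read_text()) for n in names)

def socket_keepalive(sock):
    """(enabled, idle, interval, count) as the kernel reports them for one socket."""
    return (
        sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0,
        sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    )

def enable_keepalive(sock, idle=60, interval=10, count=6):
    """Turn keepalive on and override the sysctl values for this socket only."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)

def detection_seconds(idle, interval, count):
    """Idle time plus all unanswered probes, as in the article's 120 s sum."""
    return idle + interval * count

def demo():
    """Return one socket's keepalive state before and after enabling it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        before = socket_keepalive(s)   # keepalive is off on a new socket
        enable_keepalive(s)
        after = socket_keepalive(s)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("kernel-wide:", kernel_keepalive())
    print("new socket :", before)      # timers mirror the sysctl values
    print("tuned      :", after, "->", detection_seconds(*after[1:]), "s")
```

A server that never sets SO_KEEPALIVE on its sockets is unaffected by the sysctl.conf change, so check the application's own keepalive option as well.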

How to Install and Setup Munin on CentOS 7


Munin is free and open source software for monitoring computer systems, networks and application infrastructure. Munin offers monitoring and alerting for servers, switches, applications, and services.

Munin can help system administrators analyze trends in a computer system to see whether it is experiencing problems. It can be an easier alternative to the popular open-source monitoring software Zabbix.

In this article, I will explain how you can monitor your CentOS Linux system with Munin, and the simple steps to install and set up Munin on CentOS 7.

Steps to Install and Setup Munin on CentOS 7

1. Enable or install the EPEL repository on CentOS 7. Read more on how to enable the EPEL repository on CentOS 7 / RHEL 7.

2. Munin requires a web server to run. In this article, we will use Apache. Install Apache, Munin and Munin Node with the yum command:

# yum install httpd munin munin-node -y

3. Start Apache and munin-node, and enable them at boot.

# systemctl start httpd
# systemctl enable httpd
# systemctl start munin-node
# systemctl enable munin-node

4. We want Munin to use the name centos72.ehowstuff.local instead of localhost. Open /etc/munin/munin.conf and edit the setting:

# vim /etc/munin/munin.conf

Original:

    use_node_name yes

Change to:

    use_node_name yes

5. Optionally, you can also change the Munin node hostname:

# vim /etc/munin/munin-node.conf

Original:

host_name localhost.localdomain

Change to:

host_name centos72.ehowstuff.local

6. Next, open the Apache virtual host configuration file to grant access from your network.

# vim /etc/httpd/conf.d/munin.conf

Add the network segment that you want to allow to access the CentOS server.

AuthUserFile /etc/munin/munin-htpasswd
AuthName "Munin"
AuthType Basic
require valid-user

Order Deny,Allow
Deny from all
Allow from

7. The Munin statistics page should be protected by a username and password. We can add a new user (admin) and password to /etc/munin/munin-htpasswd with the htpasswd command. This basic Apache authentication has to be set up before we can start accessing the Munin statistics page.

# htpasswd /etc/munin/munin-htpasswd admin
New password:
Re-type new password:
Adding password for user admin

8. Allow port 80 in firewalld permanently. Learn more about how to configure firewalld on CentOS 7.

a) Get the active zone:

# firewall-cmd --get-active-zones
  interfaces: ens160

b) Allow port 80 permanently in firewalld:

# firewall-cmd --permanent --zone=public --add-port=80/tcp

c) Reload the settings so they take effect immediately:

# firewall-cmd --reload

d) List the active firewalld configuration:

# firewall-cmd --list-all
public (default, active)
  interfaces: ens160
  services: dhcpv6-client ssh
  ports: 80/tcp
  masquerade: no
  rich rules:

9. Try to access the Munin statistics page from a client.