[OpenAFS] fs: server not responding promptly

Jeffrey Altman jaltman@secure-endpoints.com
Thu, 10 Feb 2011 18:38:02 -0500


This issue might be callback related but may very well have nothing to
do with them at all.  The rx client behind a NAT will have no idea when
the NAT port mapping expires.  If there is an idle period, the client
will have what it believes to be a valid RX connection but at some point
the AFS server will see the client endpoint change from port X to port
Y.  When that happens the server will reject the RPC and send no
response since there might be an attack taking place.

The AFS client sees the timeout on that connection and (at least in the
Windows clients) will retry the RPC once with a new RX connection before
giving up.  If the client is storing a full chunk of data across a high
latency link, the timeout will be longer than it would be for a read
request.

"fs checkservers" does not help in this situation because the "fs
checkservers" will not cause the RX connection associated with the user
token (or PAG) to be refreshed.

The reality is that commodity off the shelf (COTS) routers intended for
the home market are designed to be cheap.   They have a minimum amount of
memory to use for the port mapping tables and therefore expire or
recycle the port maps on a very frequent basis.  The Windows client will
probe DOWN servers every three minutes and UP servers every four.  If a
user is experiencing port mapping timeout problems, the IETF recommends
that the UP probe interval be reduced to 30 seconds.

This can be done on the Windows client by setting the following registry
value:

  HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters
    DWORD  "daemonCheckUpInterval"  30 (decimal)

and then restarting the AFS Client Service.

Jeffrey Altman
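
A simplified model of the failure described in the message above, added here as an illustration; it is not part of the original message and is not OpenAFS or Rx code. The 60-second NAT idle timeout used in the test, the external port range, and the assumption that probes and user RPCs leave the client from one UDP port (7001) are constructed for the example.

```python
# Toy model: a NAT with an idle timeout, and a server that sends no reply
# when a known connection suddenly arrives from a different source port.
from itertools import count


class Nat:
    """Maps an internal UDP port to an external one; idle mappings expire."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.table = {}                 # internal_port -> (external_port, last_used)
        self._next_port = count(40000)  # constructed external port range

    def translate(self, internal_port, now):
        entry = self.table.get(internal_port)
        if entry is None or now - entry[1] > self.idle_timeout:
            ext = next(self._next_port)  # new or expired mapping: fresh external port
        else:
            ext = entry[0]               # mapping still alive: same external port
        self.table[internal_port] = (ext, now)
        return ext


class Server:
    """Remembers the peer port per connection; a changed port gets no response."""

    def __init__(self):
        self.peers = {}                  # conn_id -> source port first seen

    def receive(self, conn_id, src_port):
        known = self.peers.setdefault(conn_id, src_port)
        return known == src_port         # False: dropped silently, client times out


def rpc_after_idle(nat_timeout, probe_interval, idle_period):
    """Return True if an RPC on the user's connection succeeds after idle_period."""
    nat, server = Nat(nat_timeout), Server()
    user_conn, probe_conn, client_port = 1, 0, 7001  # assumed: one shared UDP port
    server.receive(user_conn, nat.translate(client_port, 0))  # initial RPC
    # Probes use their own connection, but still refresh the NAT port mapping.
    for t in range(probe_interval, idle_period, probe_interval):
        server.receive(probe_conn, nat.translate(client_port, t))
    return server.receive(user_conn, nat.translate(client_port, idle_period))
```

With a probe interval longer than the NAT's idle timeout, the mapping is recycled between probes and the user's connection arrives from a new port; with the 30-second interval the mapping never goes idle long enough to expire.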





