[OpenAFS] UDP timeouts

Jaap Winius jwinius@umrk.nl
Thu, 05 May 2011 14:42:54 +0200

Hi folks,

At my site all of the the OpenAFS servers are separated from the  
clients by stateful iptables firewalls that include NAT. The first  
OpenAFS clients had been running for less than week when I figured  
that the AFS packets being dropped by the firewall (mostly SPT=7000  
DPT=7001) might have something to do with the poor performance being  
experienced by the users.

Figuring that this would have something to do with UDP timeouts, I  
found an article somewhere* in which it was suggested that increasing  
the values for ip_conntrack_udp_timeout and  
ip_conntrack_udp_timeout_stream from the default 30 of seconds to  
28800 (8 hours) would solve things. It seems to have done the trick:  
AFS packets are no longer being dropped and the users say the system  
is performing much better.

But I'm worried now that 28800 is probably overdoing it. AFS  
connections over UDP don't seem to use a lot of random ports, but DNS  
does and I'm also running Bind9 behind the same firewalls. My worry is  
that this high timeout value may get me into trouble with things like  
spoofing and UDP port number recycling (i.e. running out of resources).

What's the best solution in this situation? Is a 28800-second timeout  
value for UDP connections okay, or can I do with less? Or, would it be  
an better idea to instead configure all of the workstations with the  
following command?

    fs checkservers -interval 10


Jaap Winius

*) http://www.cs.washington.edu/homes/bdferris/afs_conntrack_nat/index.html
    (okay, this advice may be outdated)