Disclaimer: this article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.
Question
During a stress test of an SLB instance, requests return a 504 status code or time out. The URL under test is configured with a URL forwarding rule for which health checks are not enabled.
Cause
The SLB instance logs in Log Service show that most requests return a 504 status code. However, the upstream_response_time values are very regular: the response time is 5 seconds in every case. This pattern indicates that the TCP three-way handshake between SLB and the backend server fails, so the request times out with a 504 status code.
Note: To view the logs, you must activate Log Service.
Log on to the backend server. The Nginx logs are normal, but the "nf_conntrack: table full, dropping packet" error appears in the messages log. This error occurs because Linux connection tracking creates a connection entry for packets that pass through the kernel network stack. When the server handles many connections, the connection tracking table fills up and cannot record new connection entries, so the server drops the packets of new connections. As a result, the TCP three-way handshake between the SLB instance and the backend server fails, and a 504 status code is returned.
Answer
We recommend that you adjust the nf_conntrack parameters as follows. Replace the values shown with the actual values for your environment.
Note: This method modifies the parameters only temporarily. After you restart the instance, the configuration no longer takes effect.
sysctl -w net.netfilter.nf_conntrack_max=1048576
sysctl -w net.netfilter.nf_conntrack_buckets=262144
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
Confirm that the stress test now runs normally.
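To watch for the condition described under Cause while you repeat the stress test, the following added example (not part of the original article) reports how full the connection tracking table is and how many drop messages the kernel has logged. The function names, the 80 percent warning threshold and the /var/log/messages path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: check whether the
# connection tracking table on a backend server is close to full.
# Function names, the 80% threshold and the log path are assumptions.

# conntrack_usage_pct COUNT_FILE MAX_FILE
# Prints table utilization as an integer percentage; returns 2 on bad input.
conntrack_usage_pct() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    count=$(cat "$1")
    max=$(cat "$2")
    [ "$max" -gt 0 ] 2>/dev/null || return 2
    echo $(( count * 100 / max ))
}

# count_table_full LOG_FILE
# Prints how many "table full" drop messages the log contains.
count_table_full() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c exits 1 when it prints 0, so mask that exit status.
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# conntrack_status COUNT_FILE MAX_FILE LOG_FILE [WARN_PCT]
# Prints one summary line. Returns 0 (ok), 1 (drops logged or table
# near full) or 2 (counters unreadable).
conntrack_status() {
    warn=${4:-80}
    pct=$(conntrack_usage_pct "$1" "$2") || {
        echo "ERROR cannot read conntrack counters"; return 2; }
    drops=$(count_table_full "$3")
    if [ "$drops" -gt 0 ]; then
        # Old log lines persist, so compare the count before and after a test.
        echo "DROPS usage=${pct}% drops_logged=${drops}"; return 1
    elif [ "$pct" -ge "$warn" ]; then
        echo "WARN usage=${pct}% drops_logged=0"; return 1
    fi
    echo "OK usage=${pct}% drops_logged=0"
}

# Run against the live kernel only when asked: sh conntrack_check.sh --live
if [ "${1:-}" = "--live" ]; then
    conntrack_status /proc/sys/net/netfilter/nf_conntrack_count \
                     /proc/sys/net/netfilter/nf_conntrack_max \
                     /var/log/messages
fi
```

A DROPS result after the parameters have been raised can come from log lines written before the change, so note the drop count before the test and compare it afterwards.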
Application scope
SLB