PHWinfo - Afficher un message - Difficulty identifying what process is causing sockets stuck in SYN_SENT state on host. Also seeing other odd behavior.

31/10/2006, 16h03

I'm ing out with an excessive streams memory usage problem we're
seeing on certain SCO 5.0.5 boxes under our care. Said boxes are at the
latest patch level. No, upgrading them is not an option at this time.

The machines in question "grow" pages of sockets stuck in the SYN_SENT
state; only a reboot will clear them. Notice how each port is used
twice. Example:

(The host name has been changed to protect the innocent)

f1c0ee00 tcp 0 0 HOST.3654 *.*
SYN_SENT
f1c0d600 tcp 0 0 HOST.3654 *.*
SYN_SENT
f23a5a00 tcp 0 0 HOST.3642 *.*
SYN_SENT
f23a4000 tcp 0 0 HOST.3642 *.*
SYN_SENT
f1c0ea00 tcp 0 0 HOST.3630 *.*
SYN_SENT
f1c0d200 tcp 0 0 HOST.3630 *.*
SYN_SENT
f1c0e400 tcp 0 0 HOST.3619 *.*
SYN_SENT
f18ebe00 tcp 0 0 HOST.3619 *.*
SYN_SENT
f1c0dc00 tcp 0 0 HOST.3608 *.*
SYN_SENT
f1c0d800 tcp 0 0 HOST.3608 *.*
SYN_SENT
f18ebc00 tcp 0 0 HOST.3596 *.*
SYN_SENT

SCO "netstat" is not particularly full featured and "lsof -i
tcp:[TROUBLE PORT]" (ver. 4.51) gives no output; it's almost as if
something is trying to initiate a connection without defining a
destination address. I'm having a devil of a time identifying what
process is causing these hung connections. These are production
machines so I cannot tinker with them much. Of course I can't reproduce
the problem in our lab.

Additionally, I'm seeing the host machine connect to itself on
duplicate port numbers. My understanding is that there's nothing
outright egregious in the following, but something seems fishy about
having dozens of similar pairs open.

f1eaaa00 tcp 0 0 HOST.1037 HOST.1121
ESTABLISHED
f1eaac00 tcp 0 0 HOST.1121 HOST.1037
ESTABLISHED
f1eaa600 tcp 0 0 HOST.1056 HOST.1116
ESTABLISHED
f1eaa800 tcp 0 0 HOST.1116 HOST.1056
ESTABLISHED
f1319200 tcp 0 0 HOST.1061 HOST.1112
ESTABLISHED
f1319400 tcp 0 0 HOST.1112 HOST.1061
ESTABLISHED

Sometimes the port numbers are in clean pairs as in the above and other
times I'll see a particular port in use on many multiple connections.
In the latter case, "lsof" reveals a Java process is involved and the
machine will have a tangled web of self referential ESTABLISHED
connections.

It's been a long time since I've messed with Unix sockets and I feel
like I'm overlooking something painfully obvious.

Thanks for any suggestions.

31/10/2006, 16h03	#1
phreon@gmail.com Messages: n/a Hébergeur:	Difficulty identifying what process is causing sockets stuck in SYN_SENT state on host. Also seeing other odd behavior. I'm ing out with an excessive streams memory usage problem we're seeing on certain SCO 5.0.5 boxes under our care. Said boxes are at the latest patch level. No, upgrading them is not an option at this time. The machines in question "grow" pages of sockets stuck in the SYN_SENT state; only a reboot will clear them. Notice how each port is used twice. Example: (The host name has been changed to protect the innocent) f1c0ee00 tcp 0 0 HOST.3654 . SYN_SENT f1c0d600 tcp 0 0 HOST.3654 . SYN_SENT f23a5a00 tcp 0 0 HOST.3642 . SYN_SENT f23a4000 tcp 0 0 HOST.3642 . SYN_SENT f1c0ea00 tcp 0 0 HOST.3630 . SYN_SENT f1c0d200 tcp 0 0 HOST.3630 . SYN_SENT f1c0e400 tcp 0 0 HOST.3619 . SYN_SENT f18ebe00 tcp 0 0 HOST.3619 . SYN_SENT f1c0dc00 tcp 0 0 HOST.3608 . SYN_SENT f1c0d800 tcp 0 0 HOST.3608 . SYN_SENT f18ebc00 tcp 0 0 HOST.3596 . SYN_SENT SCO "netstat" is not particularly full featured and "lsof -i tcp:[TROUBLE PORT]" (ver. 4.51) gives no output; it's almost as if something is trying to initiate a connection without defining a destination address. I'm having a devil of a time identifying what process is causing these hung connections. These are production machines so I cannot tinker with them much. Of course I can't reproduce the problem in our lab. Additionally, I'm seeing the host machine connect to itself on duplicate port numbers. My understanding is that there's nothing outright egregious in the following, but something seems fishy about having dozens of similar pairs open. f1eaaa00 tcp 0 0 HOST.1037 HOST.1121 ESTABLISHED f1eaac00 tcp 0 0 HOST.1121 HOST.1037 ESTABLISHED f1eaa600 tcp 0 0 HOST.1056 HOST.1116 ESTABLISHED f1eaa800 tcp 0 0 HOST.1116 HOST.1056 ESTABLISHED f1319200 tcp 0 0 HOST.1061 HOST.1112 ESTABLISHED f1319400 tcp 0 0 HOST.1112 HOST.1061 ESTABLISHED Sometimes the port numbers are in clean pairs as in the above and other times I'll see a particular port in use on many multiple connections. In the latter case, "lsof" reveals a Java process is involved and the machine will have a tangled web of self referential ESTABLISHED connections. It's been a long time since I've messed with Unix sockets and I feel like I'm overlooking something painfully obvious. Thanks for any suggestions.