You can verify and update the TCP/IP parameter values if
you observe timeout failures when you access a directory server.
If an LDAP server is protected behind a firewall, socket connection
requests might time out and can result in intermittent authentication
failures. The socket connection requests fail because of a
mismatch between the connection timeout setting of the firewall and the
frequency of the keep alive network packets of the operating system.
If socket connection failures occur, decrease the operating system
network parameters that control the interval between the keep alive
packets. The interval between two subsequent keep alive packets is
also referred to as the keep alive interval.
The parameters that control the keep alive frequency vary with
each operating system. You must set the keep alive interval to a value
less than the connection timeout value of the firewall. If you do
not know the value of the firewall setting, set the keep alive interval
value to 2 minutes and verify.
The closed TCP/IP connections between the client and the LDAP server
are cleaned at system-specified intervals. The LDAP server performance
might degrade in environments where the connections are opened or
closed at a high frequency. On Microsoft Windows systems, you can modify
the registry keys to reduce the interval between the cleaning process.
- AIX®
- To change the TCP/IP parameter values on an AIX system, run the following command:
no -o parametername=value
- You can use the command to change the following parameter values:
- tcp_keepidle
- Specifies the duration of time to keep the connection active.
If you set this parameter, TCP generates a KEEPALIVE transmission
for an application that requests to keep the connection active. This value
is defined in half-second (1/2 second) units and defaults
to 14,400 units (7200 seconds or 2 hours). The tcp_keepidle parameter
is a runtime parameter. You must assign a value to tcp_keepidle that
is less than the connection timeout value of the firewall. If you
do not know the value of the firewall setting, set the keep alive interval
value to 2 minutes and verify.
- tcp_keepinit
- Sets the initial timeout value for a TCP connection. This value
is defined in half-second (1/2 second) units, and defaults
to 150 (75 seconds). You can change the value with the -o parameter.
The tcp_keepinit parameter is a runtime parameter.
- tcp_keepintvl
- Specifies the interval between packets that are sent to validate
the connection. This value is defined in half-second (1/2 second)
units, and defaults to 150 (75 seconds). The tcp_keepintvl parameter
is a runtime parameter.
- Windows
- To change the TCP/IP settings on a Windows system, set the following registry
keys:
Note: You must set the parameters on both the client and server
systems.
- Access the command prompt.
- Run the regedit command to open Registry Editor.
> regedit
- In the Registry Editor window, expand .
- If the TcpTimedWaitDelay entry is not in the
registry, add TcpTimedWaitDelay.
- Set the DWORD value of the TcpTimedWaitDelay entry
to 1e, which sets the value to 30 seconds.
- If the StrictTimeWaitSeqCheck entry is not in
the registry, add StrictTimeWaitSeqCheck.
- Set the DWORD value of the StrictTimeWaitSeqCheck entry
to 1.
- Restart the system.
- Linux®
To change the TCP/IP parameter values on a Linux system temporarily until the next restart,
run the following command:
sysctl -w net.ipv4.parametername=value
To set the values permanently, complete the following steps:
- Update /etc/sysctl.conf file with:
net.ipv4.parametername = value
- Run the following command:
- RHEL
chkconfig sysctl on
- SUSE
chkconfig boot.sysctl on
- You can use this command to change the following parameter values:
- tcp_keepalive_time
- Specifies the interval between the last data packet sent and the
first keepalive probe in seconds.
- tcp_keepalive_intvl
- Specifies the interval between subsequent keepalive probes in
seconds.
- tcp_keepalive_probes
- Specifies the number of probes that are sent and unacknowledged
before the client considers the connection broken and notifies the
application layer.
- Solaris
- To change the TCP/IP parameter values on a Solaris system, run
the following command:
ndd -set /dev/tcp parametername value
- You can use this command to change the following parameter values:
- tcp_time_wait_interval
- Specifies the duration that a TCP connection stays in TIME-WAIT
state in milliseconds.
- tcp_keepalive_interval
- Specifies the interval between probes in milliseconds.
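
As an added example (not part of the original documentation), the following shell functions audit the Linux keepalive parameters described above against a known firewall connection timeout. The function names, the optional directory argument, and the half-the-timeout fallback suggestion are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit Linux keepalive settings against a firewall timeout.
# Function names and the optional directory argument are illustrative.

# Print one net.ipv4 parameter value. $1 = directory, $2 = parameter name
read_param() {
    cat "$1/$2" 2>/dev/null
}

# Print the seconds an idle connection to a dead peer survives: the first
# probe goes out after tcp_keepalive_time, then tcp_keepalive_probes probes
# spaced tcp_keepalive_intvl apart must all go unacknowledged.
dead_peer_seconds() {  # $1 = directory
    t=$(read_param "$1" tcp_keepalive_time) || return 2
    i=$(read_param "$1" tcp_keepalive_intvl) || return 2
    p=$(read_param "$1" tcp_keepalive_probes) || return 2
    echo $(( t + i * p ))
}

# Return 0 if the first keepalive probe is sent before the firewall drops
# the idle connection, 1 if not, 2 if the value cannot be read.
# $1 = firewall connection timeout in seconds
# $2 = directory holding the parameters (default: live kernel values)
check_keepalive() {
    fw=$1
    dir=${2:-/proc/sys/net/ipv4}
    t=$(read_param "$dir" tcp_keepalive_time) || {
        echo "cannot read $dir/tcp_keepalive_time" >&2
        return 2
    }
    if [ "$t" -lt "$fw" ]; then
        echo "OK: tcp_keepalive_time=${t}s < firewall timeout ${fw}s"
        return 0
    fi
    # Suggest the 2-minute value from the text; for firewalls with a shorter
    # timeout, half the timeout is used as an assumed safety margin.
    target=120
    [ "$target" -lt "$fw" ] || target=$(( fw / 2 ))
    echo "FAIL: tcp_keepalive_time=${t}s >= firewall timeout ${fw}s"
    echo "Suggested: sysctl -w net.ipv4.tcp_keepalive_time=$target"
    return 1
}

# Run against the live system when a timeout is given on the command line.
if [ "$#" -gt 0 ]; then
    check_keepalive "$@"
fi
```

Run the script with the firewall timeout in seconds as its only argument to check the live kernel values.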