-
morenitsvineet
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Oct 14, 2015 11:03 am
TCP recv error: Connection reset by peer
Hello,
We are using a Cyberoam Firewall Client at our Location. We did the setup for Ope VPn Connect and the Open VPN Connect is working fine when we are in home country location but when we try to use the same in country like China the Open VPN Connect App in Android is not working. After analysing the Log file we found that it is throwing an error as «TCP recv Error: Connection Reset by Peer». Then it again tries to reconnect but is not being successful.
Can you please let us know how we can solve this problem so that our personal VPN works in country like china.
Thanks in advance.
Regards
Vineet More
-
Traffic
- OpenVPN Protagonist
- Posts: 4071
- Joined: Sat Aug 09, 2014 11:24 am
Re: TCP recv error: Connection reset by peer
Post
by Traffic » Thu Oct 15, 2015 11:58 am
Have you heard of the «Great Firewall of China» ?
https://www.google.co.uk/#q=great+firewall+of+china
From the details you have posted:
morenitsvineet wrote:«TCP recv Error: Connection Reset by Peer»
either:
- the client has been disconnected deliberately by the user ..
- or some equipment is malfunctioning ..
- or the connection has been forcibly terminated by an intermediate system ..
If the latter then there is not much (anything) you can do about it.
This article claims it is possible to circumvent internet censorship:
https://community.openvpn.net/openvpn/w … bfuscation
But .. if you understand how these despotic governments impose such censorship
then you will understand how unlikely it is that you can out-wit them.
Connection Reset by peer means the remote side is terminating the session. This error is generated when the OS receives notification of TCP Reset (RST) from the remote peer.
Understanding Connection Reset by peer
Connection reset by peer means the TCP stream was abnormally closed from the other end. A TCP RST was received and the connection is now closed. This occurs when a packet is sent from our end of the connection but the other end does not recognize the connection; it will send back a packet with the RST bit set in order to forcibly close the connection.
“Connection reset by peer” is the TCP/IP equivalent of slamming the phone back on the hook. It’s more polite than merely not replying, leaving one hanging. But it’s not the FIN-ACK expected of the truly polite TCP/IP.
Understanding RST TCP Flag
RST is used to abort connections. It is very useful to troubleshoot a network connection problem.
RST (Reset the connection). Indicates that the connection is being aborted. For active connections, a node sends a TCP segment with the RST flag in response to a TCP segment received on the connection that is incorrect, causing the connection to fail.
The sending of an RST segment for an active connection forcibly terminates the connection, causing data stored in send and receive buffers or in transit to be lost. For TCP connections being established, a node sends an RST segment in response to a connection establishment request to deny the connection attempt. The sender will get Connection Reset by peer error.
Understanding TCP Flags SYN ACK RST FIN URG PSH
Check network connectivity
The “ping” command is a tool used to test the availability of a network resource. The “ping” command sends a series of packets to a network resource and then measures the amount of time it takes for the packets to return.
If you want to ping a remote server, you can use the following command: ping <remote server>
In this example, “<remote server>” is the IP address or hostname of the remote server that you want to ping.
Ping the remote host we were connected to. If it doesn’t respond, it might be offline or there might be a network problem along the way. If it does respond, this problem might have been a transient one (so we can reconnect now)
If you are experiencing packet loss when pinging a remote server, there are a few things that you can do to troubleshoot the issue.
The first thing that you can do is check the network interface on the remote server. To do this, use the “ifconfig” command. The output of the “ifconfig” command will show you the status of all network interfaces on the system. If there is a problem with one of the interfaces, it will be shown in the output.
You can also use the “ip route” command to check routing information. The output of the “ip route” command will show you a list of all routes on the system. If there is a problem with one of the routes, it will be shown in the output.
If you are still experiencing packet loss, you can try to use a different network interface. To do this, use the “ping” command with the “-i” option. For example, the following command will use the eth0 interface:
ping -i eth0 google.com
Check remote service port is open
A port is a logical entity which acts as a endpoint of communication associated with an application or process on an Linux operating system. We can use some Linux commands to check remote port status.
Commands like nc, curl can be used to check if remote ports are open or not. For example, the following command will check if port 80 is open on google.com:
nc -zv google.com 80
The output of the above command should look something like this: Connection to google.com port 80 [tcp/80] succeeded!
This means that the port is open and we can establish a connection to it.
6 ways to Check a remote port is open in Linux
Check application log on remote server
For example, if the error is related with SSH. we can debug this on the remote server from sshd logs. The log entries will be in one of the files in the /var/log directory. SSHD will be logging something every time it drops our session.
Oct 22 12:09:10 server internal-sftp[4929]: session closed for local user fred from [192.0.2.33]
Check related Linux kernel parameters
Kernel parameter is also related to Connection Reset by peer error. The keepalive concept is very simple: when we set up a TCP connection, we associate a set of timers. Some of these timers deal with the keepalive procedure. When the keepalive timer reaches zero, we send our peer a keepalive probe packet with no data in it and the ACK flag turned on.
we can do this because of the TCP/IP specifications, as a sort of duplicate ACK, and the remote endpoint will have no arguments, as TCP is a stream-oriented protocol. On the other hand, we will receive a reply from the remote host (which doesn’t need to support keepalive at all, just TCP/IP), with no data and the ACK set.
If we receive a reply to we keepalive probe, we can assert that the connection is still up and running without worrying about the user-level implementation. In fact, TCP permits us to handle a stream, not packets, and so a zero-length data packet is not dangerous for the user program.
we usually use tcp keepalive for two tasks:
- Checking for dead peers
- Preventing disconnection due to network inactivity
Check Application heartbeat configuration
Connection Reset by peer error is also related to the application. Certain networking tools (HAproxy, AWS ELB) and equipment (hardware load balancers) may terminate “idle” TCP connections when there is no activity on them for a certain period of time. Most of the time it is not desirable.
We will use rabbitmq as an example. When heartbeats are enabled on a connection, it results in periodic light network traffic. Therefore heartbeats have a side effect of guarding client connections that can go idle for periods of time against premature closure by proxies and load balancers.
With a heartbeat timeout of 30 seconds the connection will produce periodic network traffic roughly every 15 seconds. Activity in the 5 to 15 second range is enough to satisfy the defaults of most popular proxies and load balancers. Also see the section on low timeouts and false positives above.
Check OS metric on peer side
Connection Reset by peer can be triggered by a busy system. we can setup a monitoring for our Linux system to the metrics like CPU, memory, network etc. If the system is too busy, the network will be impacted by this.
For example, we can use the “top” command to check the CPU usage. The output of the “top” command will show us the list of processes sorted by CPU usage. If there is a process which is using a lot of CPU, we can investigate this further to see if it is causing the network issues.
We can also use the “netstat” command to check network statistics. The output of the “netstat” command will show us a list of active network connections. If there are too many connections established, this could be causing the network issues.
We can use these commands to troubleshoot network issues on a Linux system. By using these commands, we can narrow down the root cause of the issue and fix it.
Monitoring Linux System with Telegraf Influxdb Grafana
Troubleshoot Network Slow Problems In Linux
The connection reset by peer is a TCP/IP error that occurs when the other end (peer) has unexpectedly closed the connection. It happens when you send a packet from your end, but the other end crashes and forcibly closes the connection with the RST packet instead of the TCP FIN, which is used to close a connection under normal circumstances. In Go, you can detect the connection reset by peer by checking if the error returned by the peer is equal to syscall.ECONNRESET.
Reproduce the connection reset by peer error
We can reproduce the error by creating a server and client that do the following:
- the server reads a single byte and then closes the connection
- the client sends more than one byte
If the server closes the connection with the remaining bytes in the socket’s receive buffer, then an RST packet is sent to the client. When the client tries to read from such a closed connection, it will get the connection reset by peer error.
See the following example, which simulates this behavior.
package main
import (
"errors"
"log"
"net"
"os"
"syscall"
"time"
)
func server() {
listener, err := net.Listen("tcp", ":8080")
if err != nil {
log.Fatal(err)
}
defer listener.Close()
conn, err := listener.Accept()
if err != nil {
log.Fatal("server", err)
os.Exit(1)
}
data := make([]byte, 1)
if _, err := conn.Read(data); err != nil {
log.Fatal("server", err)
}
conn.Close()
}
func client() {
conn, err := net.Dial("tcp", "localhost:8080")
if err != nil {
log.Fatal("client", err)
}
if _, err := conn.Write([]byte("ab")); err != nil {
log.Printf("client: %v", err)
}
time.Sleep(1 * time.Second) // wait for close on the server side
data := make([]byte, 1)
if _, err := conn.Read(data); err != nil {
log.Printf("client: %v", err)
if errors.Is(err, syscall.ECONNRESET) {
log.Print("This is connection reset by peer error")
}
}
}
func main() {
go server()
time.Sleep(3 * time.Second) // wait for server to run
client()
}
Output:
2021/10/20 19:01:58 client: read tcp [::1]:59897->[::1]:8080: read: connection reset by peer
2021/10/20 19:01:58 This is connection reset by peer error
Handle the connection reset by peer error
Typically, you can see the connection reset by peer error in response to a request being sent from the client to the server. It means that something bad has happened to the server: it has rebooted, the program has crashed, or other problems have occurred that cause the connection to be forcibly closed. Since TCP connections can be broken, there is no need to handle the connection reset by peer in any special way on the client side. You can log the error, ignore it or retry the connection when it occurs. In the example above, we detect the error using the errors.Is() function by checking if the returned error is an instance of syscall.ECONNRESET.
Difference between connection reset by peer and broken pipe
Both connection reset by peer and broken pipe errors occur when a peer (the other end) unexpectedly closes the underlying connection. However, there is a subtle difference between them. Usually, you get the connection reset by peer when you read from the connection after the server sends the RST packet, and when you write to the connection after the RST instead, you get the broken pipe error.
Check how to handle the
broken pipeerror in Go post, where will find another example of generating anRSTpacket and thebroken pipeerror.
Replace the client() function in the example above with the following code to reproduce the broken pipe error.
func client() {
conn, err := net.Dial("tcp", "localhost:8080")
if err != nil {
log.Fatal("client", err)
}
if _, err := conn.Write([]byte("ab")); err != nil {
log.Printf("client: %v", err)
}
time.Sleep(1 * time.Second) // wait for close on the server side
if _, err := conn.Write([]byte("b")); err != nil {
log.Printf("client: %v", err)
}
}
With the new client, you will see the output:
2021/10/20 19:55:40 client: write tcp [::1]:60399->[::1]:8080: write: broken pipe
Note that these simple examples do not cover all cases where connection reset by peer and broken pipe may occur. There are much more situations where you can see these errors, and what error you see in what situation requires a deep understanding of the TCP design.
Having trouble with cURL 56 recv failure connection reset by peer in the CentOS server?
The error occurs mainly due to failure in receiving network data.
At Bobcares, we often get requests to fix cURL errors as part of our Server Management Services.
Today, let’s get into the details on how our Support Engineers fix this error.
Why does cURL 56 recv failure connection reset by peer occurs?
cURL error 56 is a temporary error that happens due to different reasons like, idle server connection, firewall restrictions, whitespace in the URL, etc.
For instance, the error appears as follows.
Let’s detail how our Support Engineers fix this for our customers.
How we fix this error cURL error?
At Bobcares, we have more than a decade of expertise in managing servers, we see many customers facing errors. It happens mainly when fetching package updates, installing new software, etc.
Now, let’s see the major reasons and how our Support Engineers fix this error.
Idle server connection
Recently, one of the customers approached us with a cURL error. He was getting the following error while transferring the backup to the remote destination.
cURL error 56: TCP connection reset by peerSo we checked the backup log files and confirmed that the backups have been generated successfully.
On further checking, we found that the server was idle while transferring the backups to the remote destination. However, the backups were successfully exported to Google drive.
In addition, to avoid this situation, the tips we follow are:
- We always upgrade the user’s OS to avoid TCP/IP issues.
- Also, we use the recent versions of PHP and cURL.
- Set the Maximum Transmission Unit (MTU) or the size of packets traveling over the network to the default value, 1500 bytes.
- We ensure that the firewall is not blocking the user’s connection.
Bad repository
Often bad repository URL can also trigger curl 56 errors.
For instance, while trying to install PHP on CentOS7 server one of our customers received the error:
Loaded plugins: fastestmirror, langpacks
http://mirror.xxx.net/el7-x86_64/rpms/ ... repomd.xml: [Errno 14] curl#56 - "Recv failure: Connection reset by peer"
Trying other mirror.Here, the customer was using an outdated repository and that caused the error. Therefore, we corrected the repo settings on the server and the package install went on fine.
Similarly, the repository may fail to load due to DNS resolution failures as well. In such scenarios, we make use of the /etc/hosts files to map the repo website to the correct IP address.
Whitespace in the URL
Another customer approached us with a similar problem.
On further investigation, we found whitespace in the URL. We then removed whitespace from the URL.
And in the PHP settings, we added the following.
curl_setopt($ch, CURLOPT_URL, trim($url));In addition, If whitespace is a valid part of the URL, we use rawurlencode() function in PHP, to store the URL as encoded including whitespace.
[Need assistance in fixing cURL errors? – We can help you.]
Conclusion
In short, cURL 56 recv failure connection reset by peer in CentOS occurs when the server is idle due to running a long process or due to improper usage of URL. Today, we saw how our Support Engineers fixed the error.
PREVENT YOUR SERVER FROM CRASHING!
Never again lose customers to poor server speed! Let us help you.
Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.
GET STARTED
var google_conversion_label = «owonCMyG5nEQ0aD71QM»;
Здравствуйте. Имеется сервер fastvps.ru/dedicated тариф EX-4, установлена ОС Debian-70-wheezy-64. Крутится один основной сайт, на связке nginx и php-fpm. Если нагрузить сайт тестом Siege буквально 10 потоками, то в лог начинают валиться ошибки:
readv() failed (104: Connection reset by peer) while reading upstream
recv() failed (104: Connection reset by peer) while reading response
Optcache включен. Помогите разобраться, что не так с конфигами? Судя по всему, дело в php-fpm.
Конфиг php-fpm:
cosmopolite.ru/php_fpm.txt
Конфиг nginx:
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
proxy_read_timeout 500;
proxy_connect_timeout 500;
client_max_body_size 100M;
server_names_hash_bucket_size 64;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
include /usr/local/ispmgr/etc/nginx.domain;
}-
Вопрос заданболее трёх лет назад
-
36590 просмотров
Siege разорвал соединение, пока nginx получал данные от php-fpm или что там у тебя в /etc/nginx/conf.d/*.conf;
Начни с тестов без php, сделай каталог с простым index.html и натрави туда. Если ошибки остались, дело в кол-во обработчиков: 4 процесса по 768 медленнее, чем 1 процесс с 3072 сокетами на современном железе. Подними worker_connections до 2048 хотя бы.
Далее с backlog
Через sysctl net.core.somaxconn узнай значение backlog, если оно меньше параметра worker_connections то в sysctl.conf увеличивай до значения = worker_connections
Такое же значение укажи в fpm listen.backlog
Пригласить эксперта
Попробуйте в конфиге пула fpm’а установить
pm = static
pm.max_children = 60
и посмотреть, скажется ли это в положительную сторону на вашем тесте.
Если да, то вам нужно регулировать значения
pm.max_children pm.max_spare_servers в режиме dynamic.
Их значения будут зависеть от профиля вашей нагрузки, насколько он равномерный или наоборот «пиковый».
А чем вам не нравиться static ? У Вас как я погляжу на сервере 16Гб оперативки, не так уж и много займут воркеры в «пустом» состоянии.
Была такая проблема. Решилась выставлением правильного владельца на файлы
sudo chown -R www-data:www-data /var/www/mysite.com
Проблема шире чем кажется:
Надо понимать, что это означает — отвалился php
отвалиться он может по нескольким причинам:
1) лимиты в самом php.ini — первое из них время выполнения php скрипта
2) лимиты удержания сокета (конекта) настройки php-fpm
3) лимиты ожидания ответа от php-fpm со стороны nginx
4) все процессы заняты (умерли)
И вот когда все таймауты правильно настроенны и вас нет ооооочень долго выполняющихся скриптов — тогда все чики пуки.
Тюнить надо одновременно все эти 4 составляющие, понимаю взаимодействие.
-
Показать ещё
Загружается…
10 февр. 2023, в 04:49
50000 руб./за проект
10 февр. 2023, в 02:20
3000 руб./за проект
10 февр. 2023, в 01:33
1500 руб./за проект
Минуточку внимания
What? Connection reset by peer?
We are running Node.js web services behind AWS Classic Load Balancer. I noticed that many 502 errors after I migrate AWS Classic Load Balancer to Application Load Balancer. In order to understand what happened, I added Nginx in front of the Node.js web server, and then found that there are more than 100 ‘connection reset’ errors everyday in Nginx logs.
Here are some example logs:
2017/11/12 06:11:15 [error] 7#7: *2904 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 172.18.0.1, server: localhost, request: "GET /_healthcheck HTTP/1.1", upstream: "http://172.18.0.2:8000/_healthcheck", host: "localhost" 2017/11/12 06:11:27 [error] 7#7: *2950 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 172.18.0.1, server: localhost, request: "GET /_healthcheck HTTP/1.1", upstream: "http://172.18.0.2:8000/_healthcheck", host: "localhost" 2017/11/12 06:11:31 [error] 7#7: *2962 upstream prematurely closed connection while reading response header from upstream, client: 172.18.0.1, server: localhost, request: "GET /_healthcheck HTTP/1.1", upstream: "http://172.18.0.2:8000/_healthcheck", host: "localhost" 2017/11/12 06:11:44 [error] 7#7: *3005 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 172.18.0.1, server: localhost, request: "GET /_healthcheck HTTP/1.1", upstream: "http://172.18.0.2:8000/_healthcheck", host: "localhost" 2017/11/12 06:11:47 [error] 7#7: *3012 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 172.18.0.1, server: localhost, request: "GET /_healthcheck HTTP/1.1", upstream: "http://172.18.0.2:8000/_healthcheck", host: "localhost"
Analyzing the errors
The number of errors was increased after I migrate Classic LB to Application LB, and one of the differences between them is Classic LB is using pre-connected connections, and Application LB only using Http/1.1 Keep-Alive feature.
From the documentation of AWS Load Balancer:
Possible causes:
- The load balancer received a TCP RST from the target when attempting to establish a connection.
- The target closed the connection with a TCP RST or a TCP FIN while the load balancer had an outstanding request to the target.
- The target response is malformed or contains HTTP headers that are not valid.
- A new target group was used but no targets have passed an initial health check yet. A target must pass one health check to be considered healthy
Because there’s no any errors on Node.js side, so I’m guessing it was because of the keep-alive behaviour. There’s no upstream keep-alive timeout settings in the current Nginx version (1.13.6), then I tried Tengine – a taobao forked nginx which support upstream keepalive timeout. After running a couple of days, there’s no such errors any more. In order to understand what’s causing the issue, I tried to reproduce it on my local machine.
Capture network packages
In order to send a request at the same time when Node.js closing the connection after keep-alive timeout, I need to keep requesting the url until the issue reproduced. Here’s my settings for the testing environment:
Upstream (Node.js server):
- Set keep-alive timeout to 500 ms
Test client:
- Keep sending requests with an interval
- Interval starts from 500 ms and decrease 1 ms after each request
For the normal requests, upstream send a [FIN, ACK] to nginx after keep-alive timeout (500 ms), and nginx also send a [FIN, ACK] back, then upstream send a [ACK] to close the connection completely.
No. Time Source Destination Protocol Length Info
1 2017-11-12 17:11:04.299146 172.18.0.3 172.18.0.2 TCP 74 48528 → 8000 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=32031305 TSecr=0 WS=128
2 2017-11-12 17:11:04.299171 172.18.0.2 172.18.0.3 TCP 74 8000 → 48528 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=32031305 TSecr=32031305 WS=128
3 2017-11-12 17:11:04.299194 172.18.0.3 172.18.0.2 TCP 66 48528 → 8000 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=32031305 TSecr=32031305
4 2017-11-12 17:11:04.299259 172.18.0.3 172.18.0.2 HTTP 241 GET /_healthcheck HTTP/1.1
5 2017-11-12 17:11:04.299267 172.18.0.2 172.18.0.3 TCP 66 8000 → 48528 [ACK] Seq=1 Ack=176 Win=30080 Len=0 TSval=32031305 TSecr=32031305
6 2017-11-12 17:11:04.299809 172.18.0.2 172.18.0.3 HTTP 271 HTTP/1.1 200 OK (text/html)
7 2017-11-12 17:11:04.299852 172.18.0.3 172.18.0.2 TCP 66 48528 → 8000 [ACK] Seq=176 Ack=206 Win=30336 Len=0 TSval=32031305 TSecr=32031305
8 2017-11-12 17:11:04.800805 172.18.0.2 172.18.0.3 TCP 66 8000 → 48528 [FIN, ACK] Seq=206 Ack=176 Win=30080 Len=0 TSval=32031355 TSecr=32031305
9 2017-11-12 17:11:04.801120 172.18.0.3 172.18.0.2 TCP 66 48528 → 8000 [FIN, ACK] Seq=176 Ack=207 Win=30336 Len=0 TSval=32031355 TSecr=32031355
10 2017-11-12 17:11:04.801151 172.18.0.2 172.18.0.3 TCP 66 8000 → 48528 [ACK] Seq=207 Ack=177 Win=30080 Len=0 TSval=32031355 TSecr=32031355
For the failed requests, the upstream closed the connection after keep-alive timeout (500 ms), the client sends a new http request before it receives and processes the [FIN] package. Because of the connection has been closed from upstream’s perspective, so it send a [RST] response for this request. This would happen in following scenarios:
- Upstream hasn’t send the [FIN] package yet (pending to send package at network layer)
- Upstream has sent the [FIN] package, but client hasn’t received it yet
- Client received the [FIN] package, but hasn’t processed it yet
Example of the first scenario, hasn’t send [FIN] yet:
No. Time Source Destination Protocol Length Info
433 2017-11-12 17:11:26.548449 172.18.0.3 172.18.0.2 TCP 74 48702 → 8000 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=32033530 TSecr=0 WS=128
434 2017-11-12 17:11:26.548476 172.18.0.2 172.18.0.3 TCP 74 8000 → 48702 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=32033530 TSecr=32033530 WS=128
435 2017-11-12 17:11:26.548502 172.18.0.3 172.18.0.2 TCP 66 48702 → 8000 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=32033530 TSecr=32033530
436 2017-11-12 17:11:26.548609 172.18.0.3 172.18.0.2 HTTP 241 GET /_healthcheck HTTP/1.1
437 2017-11-12 17:11:26.548618 172.18.0.2 172.18.0.3 TCP 66 8000 → 48702 [ACK] Seq=1 Ack=176 Win=30080 Len=0 TSval=32033530 TSecr=32033530
438 2017-11-12 17:11:26.549173 172.18.0.2 172.18.0.3 HTTP 271 HTTP/1.1 200 OK (text/html)
439 2017-11-12 17:11:26.549230 172.18.0.3 172.18.0.2 TCP 66 48702 → 8000 [ACK] Seq=176 Ack=206 Win=30336 Len=0 TSval=32033530 TSecr=32033530
440 2017-11-12 17:11:27.049668 172.18.0.3 172.18.0.2 HTTP 241 GET /_healthcheck HTTP/1.1
441 2017-11-12 17:11:27.050324 172.18.0.2 172.18.0.3 HTTP 271 HTTP/1.1 200 OK (text/html)
442 2017-11-12 17:11:27.050378 172.18.0.3 172.18.0.2 TCP 66 48702 → 8000 [ACK] Seq=351 Ack=411 Win=31360 Len=0 TSval=32033580 TSecr=32033580
443 2017-11-12 17:11:27.551182 172.18.0.3 172.18.0.2 HTTP 241 GET /_healthcheck HTTP/1.1
444 2017-11-12 17:11:27.551294 172.18.0.2 172.18.0.3 TCP 66 8000 → 48702 [RST, ACK] Seq=411 Ack=526 Win=32256 Len=0 TSval=32033630 TSecr=32033630
Example of the second scenario, Sent [FIN] at the same time of receiving a new request:
No. Time Source Destination Protocol Length Info 13 2018-06-15 21:40:00.522110 127.0.0.1 127.0.0.1 TCP 68 50678 > 8000 [SYN] Seq=0 Win=65535 Len=0 MSS=16344 WS=32 TSval=1503957438 TSecr=0 SACK_PERM=1 14 2018-06-15 21:40:00.522210 127.0.0.1 127.0.0.1 TCP 68 8000 > 50678 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=16344 WS=32 TSval=1503957438 TSecr=1503957438 SACK_PERM=1 15 2018-06-15 21:40:00.522219 127.0.0.1 127.0.0.1 TCP 56 50678 > 8000 [ACK] Seq=1 Ack=1 Win=408288 Len=0 TSval=1503957438 TSecr=1503957438 16 2018-06-15 21:40:00.522228 127.0.0.1 127.0.0.1 TCP 56 [TCP Window Update] 8000 > 50678 [ACK] Seq=1 Ack=1 Win=408288 Len=0 TSval=1503957438 TSecr=1503957438 17 2018-06-15 21:40:00.522315 127.0.0.1 127.0.0.1 HTTP 189 GET / HTTP/1.1 18 2018-06-15 21:40:00.522358 127.0.0.1 127.0.0.1 TCP 56 8000 > 50678 [ACK] Seq=1 Ack=134 Win=408160 Len=0 TSval=1503957438 TSecr=1503957438 19 2018-06-15 21:40:00.522727 127.0.0.1 127.0.0.1 HTTP 261 HTTP/1.1 200 OK (text/html) 20 2018-06-15 21:40:00.522773 127.0.0.1 127.0.0.1 TCP 56 50678 > 8000 [ACK] Seq=134 Ack=206 Win=408064 Len=0 TSval=1503957438 TSecr=1503957438 21 2018-06-15 21:40:01.025685 127.0.0.1 127.0.0.1 HTTP 189 GET / HTTP/1.1 22 2018-06-15 21:40:01.025687 127.0.0.1 127.0.0.1 TCP 56 8000 > 50678 [FIN, ACK] Seq=206 Ack=134 Win=408160 Len=0 TSval=1503957939 TSecr=1503957438 23 2018-06-15 21:40:01.025748 127.0.0.1 127.0.0.1 TCP 44 8000 > 50678 [RST] Seq=206 Win=0 Len=0 24 2018-06-15 21:40:01.025760 127.0.0.1 127.0.0.1 TCP 56 50678 > 8000 [ACK] Seq=267 Ack=207 Win=408064 Len=0 TSval=1503957939 TSecr=1503957939 25 2018-06-15 21:40:01.025769 127.0.0.1 127.0.0.1 TCP 44 8000 > 50678 [RST] Seq=207 Win=0 Len=0
When the client receives the [RST] package, it will log a ‘Connection reset’ error.
Testing Code
This issue is a generic issue when closing the connection on the server side while HTTP keep-alive enabled, so you can easily reproduce it by clone the example code (Node.js) from https://github.com/weixu365/test-connection-reset
npm install npm start # In a separate terminal npm run client
- Upstream Node.js Web Server
const express = require('express');
const app = express();
app.get('/', (req, res) => res.send('OK'));
const port = process.env.PORT || 8000;
app.listen(port, () => {
console.log(`Listening on http://localhost:${port}`)
})
.keepAliveTimeout = 500;
- Test client in Node.js
const axios = require('axios');
const Bluebird = require('bluebird');
const HttpAgent = require('agentkeepalive');
const keepAliveOption = {
freeSocketKeepAliveTimeout: 30 * 1000, // Should be less than server keep alive timeout
socketActiveTTL: 50 * 1000 // Should be less than dns ttl
};
const httpAgent = new HttpAgent(keepAliveOption);
let host = 'http://localhost:8000';
let path = '/';
const httpClient = axios.create({
baseURL: host,
timeout: 5000,
});
const sendRequest = () =>
httpClient.request({
url: path,
httpAgent,
})
.then(res => {
console.log('Received response', res.status);
})
.catch(e => {
console.error('Error occurred', e.message);
});
let delay=501;
const start = () =>
sendRequest()
.then(() => delay -= 1)
.then(() => delay > 450 ? Bluebird.delay(delay).then(start) : 'Done')
start();
- Capture network packages
tcpdump -i eth0 tcp port 8000 -w /tmp/connection.pcap
- Nginx config (Optional)
upstream nodejs {
least_conn;
server chalice:8000 fail_timeout=1s max_fails=3;
keepalive 16;
}
server_tokens off;
log_format detailed escape=json
'{'
'"timestamp": "$time_iso8601",'
'"remote_addr": "$remote_addr",'
'"upstream_addr": "$upstream_addr",'
'"connection": "$connection",'
'"connection_requests": "$connection_requests",'
'"request_time": "$request_time",'
'"upstream_response_time": "$upstream_response_time",'
'"status": "$status",'
'"upstream_status": "$upstream_status",'
'"body_bytes_sent": "$body_bytes_sent ",'
'"request": "$request",'
'"http_user_agent": "$http_user_agent"'
'}';
access_log /var/log/nginx/access.log detailed;
server {
listen 80;
server_name localhost;
location / {
proxy_http_version 1.1;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarder-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header Connection "";
proxy_pass http://nodejs;
}
}
References:
- https://github.com/weixu365/test-connection-reset
-
#1
I am currently trying to repair a cPanel Server. There is a cURL Error only on Internal Websites hosted by the Server.
On the outside network, cURL works fine but if we cURL Internally, like curl whatever.com:443 or curl https://whatever.com , Its connection is reset.(Whatever.com is hosted on the same server)
The Server currently runs on Litespeed. Any Idea how to resolve this error? (All Server PHP Modules are updated from EA4 and Server is on Version 96. cURL is also updated)
-
#2
Can you paste the output for the below commands from another machine and from the server hosting this domain ifself:
Code:
#curl -vvv http://whatever.com
#curl -vvv https://whatever.com
-
#3
Can you paste the output for the below commands from another machine and from the server hosting this domain ifself:
Code:
#curl -vvv http://whatever.com #curl -vvv https://whatever.com
Code:
[[email protected] ~]# curl whatever.com
curl: (56) Recv failure: Connection reset by peer
[[email protected] ~]# curl whatever.com:443
curl: (56) Recv failure: Connection reset by peer
[[email protected] ~]# curl http://whatever.com
curl: (56) Recv failure: Connection reset by peer
[[email protected] ~]# curl https://whatever.com
curl: (56) Recv failure: Connection reset by peer
[[email protected] ~]# curl -vvv whatever.com
* About to connect() to aback.in port 80 (#0)
* Trying x.x.x.x...
* Connected to whatever.com (x.x.x.x) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: whatever.com
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peerTried everything but this seems to be the issue with Litespeed in cPanel Only. Litespeed is also working!
- LiteSpeed is running (PID = 3303271, Apache_Port_Offset = 0). Apache is not running.
Normal HTTP and HTTPS requests work correctly and cURL from Remote Machines also do work but only Internally, cURL is having problems in Hosted Websites on the server.
-
#4
Problem Solved.
The Anti-DDOS Blocked IP in Litespeed WebServer was blocking 127.0.0.1 and Server’s Public IP Address. Checked it from Real-Time Stats in Webadmin Console.
The Problem is in Litespeed Server. Their Default Configuration in Access Control List(Trusted IP) is as follows:
Code:
127.0.0.1, ALL, (My Server IP)The Configuration should be:
Code:
127.0.0.1T,ALL, (My Server IP)TThe Trailing T stands for Trusted which created all the difference.
-
#5
Glad to know you were able to fix it.
