| Author |
Message
|
| Zappa |
 Posted: Wed Feb 22, 2012 1:58 am Post subject: keepalive and firewalls |
 |
|
Acolyte
Joined: 06 Oct 2005
Posts: 55
Location: UK
|
Hi,
We have JMS connections that go through a firewall to a SVRCONN channel and the idle timeout on the firewall is set to 30 minutes.
We get AMQ9208: Error on receive from host, The return code from the TCP/IP read() call was 73 (X'49').
Which I believe to be a TCP reset-by-peer and this is confirmed in the firewall log as an AGE OUT for the connection.
So I would like to send a keepalive packet and thought it would be a case of setting the KAINT on the channel def' to something less than the 30 minutes that is specified on the firewall.
I have changed the queue manager stanza file to have TCP: KeepAlive=yes.
But I still get the AMQ9208 reset-by-peer, what have I missed?
I guess my next step would be to take an iptrace and confirm the keepalive packet.
WMQ version 7.0.1.6 on AIX 6.1
Hope this isn’t a double posting – couldn’t find anything like it but any assistance would be most welcome. |
|
| Back to top |
|
 |
| mqjeff |
| Posted: Wed Feb 22, 2012 3:19 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
You need to ensure that the OS level TCP KeepAlive is set.
All that enabling it on the qm.ini does is say "Use the OS Level value".
So you should make sure that that is set to an appropriate value.
But you probably want heartbeating, not keepalive.  |
|
| Back to top |
|
|
| Zappa |
| Posted: Wed Feb 22, 2012 3:46 am Post subject: |
|
|
Acolyte
Joined: 06 Oct 2005
Posts: 55
Location: UK
|
Thanks
so I change the default OS tcp_keepidle = 14400 to be 1200?
But I’m a little confused about
| Quote: |
| heartbeating, not keepalive |
does that mean if I use a low value for HBINT I don’t need to use the OS keepalive?
Or do I change the KAINT to 0 as per
| Quote: |
| A KeepAlive Interval value of 0 indicates that channel-specific KeepAlive is not enabled for the channel and only the system-wide KeepAlive value set in TCP/IP will be used. |
.
Which makes me wonder what the KAINT is actually for. |
|
| Back to top |
|
|
| exerk |
| Posted: Wed Feb 22, 2012 4:08 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Zappa wrote: |
| ...Which makes me wonder what the KAINT is actually for. |
z/OS. Have a look at THIS discussion.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Wed Feb 22, 2012 3:25 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
KAINT on channels at your MQ version are for mainframe only.
TCP Keep Alive at the QM level is valid, but it will not keep anything alive. Quite the contrary its there to notice orphaned channels on the QM (because the TCP socket on the other end is gone) and cleans up the orphaned channels.
Some firewalls do not consider a few bytes of data enough to consider the connection valid. Find out from your network people how many bytes how often need to flow over the connection to keep it valid.
Depending on the answer, MQ channel heart beats might be enough. Otherwise you'll have to gracefully end the connections yourself before the firewall does, or generate MQ API traffic every so often over the connection, like maybe a harmless MQINQ call to the QM. Kinda surprised that JMS isn't already hammering your QM with constant MQINQ calls or MQGETs polling the queue for new messages, but we don't know what your JMS app is coded to do exactly.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| Zappa |
| Posted: Thu Feb 23, 2012 7:50 am Post subject: |
|
|
Acolyte
Joined: 06 Oct 2005
Posts: 55
Location: UK
|
Many thanks for the explanations, very helpful.  |
|
| Back to top |
|
|
|
|
