[rsyslog-notify] Forum Thread: Possible close connection issue - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Wed Sep 7 17:44:25 CEST 2016


User: ChristopheH 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26928#p26928

Message: 
----------
(Sorry for the repost, I think Dev's corner wasn't the right place for this
one)
Hello,

I am working on finding the best rsyslog configuration for my env and I
found out something weird.

I have rsyslog 8.21 running on a client (192.168.0.245) which sends logs
to two remote rsyslog 8.21 servers (192.168.0.234 and 192.168.0.153) using
imrelp/omrelp. Binaries are from the official repo.

When I shut one of them down, the FIN/ACK begins but never ends.

Here's my tcpdump:
I shut rsyslogd on 192.168.0.234 and it warns the client, but never fully
closes the connection.

08:40:20.403046 IP 192.168.0.234.shell > 192.168.0.245.50318: Flags [P.], seq 119:135, ack 239, win 434, options [nop,nop,TS val 945091672 ecr 599912227], length 16
08:40:20.403077 IP 192.168.0.245.50318 > 192.168.0.234.shell: Flags [.], ack 135, win 418, options [nop,nop,TS val 599988310 ecr 945091672], length 0
08:40:20.403093 IP 192.168.0.234.shell > 192.168.0.245.50318: Flags [F.], seq 135, ack 239, win 434, options [nop,nop,TS val 945091672 ecr 599912227], length 0
08:40:20.442418 IP 192.168.0.245.50318 > 192.168.0.234.shell: Flags [.], ack 136, win 418, options [nop,nop,TS val 599988350 ecr 945091672], length 0

On the client, the connection stays in close_wait while the server is in
fin_wait then fin_wait2.

client:
tcp 32 0 192.168.0.245:50318 192.168.0.234:514 CLOSE_WAIT 29270/rsyslogd

server:
tcp 0 0 192.168.0.234:514 192.168.0.245:50318 FIN_WAIT2 -

After a while, the connection disappears from the connection table on my
Linux on the server side, while it stays in close_wait on the client.

Then, I generate a log packet on the client:

08:45:50.551775 IP 192.168.0.245.50318 > 192.168.0.234.shell: Flags [P.], seq 239:380, ack 136, win 418, options [nop,nop,TS val 600318459 ecr 945091672], length 141
08:45:50.552865 IP 192.168.0.234.shell > 192.168.0.245.50318: Flags [R], seq 3727375552, win 0, length 0

And it tries to use the previous connection and gets a RST.

I expect the connection to be fully closed and, when I generate a new log
packet on the client, a new connection is set up before sending the log
packet.

Any idea what is wrong?
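
The half-closed state in the capture above, reproduced on loopback as an added example (not part of the original post and not rsyslog code): the receiver's close leaves the sender's socket in CLOSE_WAIT until the sender itself closes, and a sender can detect the peer's FIN before reusing the socket. The helper names, the ephemeral port and the sample messages are constructed for illustration, and the listener here stays up so the reconnect can succeed.

```python
import select
import socket

def peer_has_closed(sock):
    """True if the peer's FIN has arrived (socket is in CLOSE_WAIT) with no data pending."""
    readable, _, _ = select.select([sock], [], [], 0)
    if not readable:
        return False                     # nothing queued: connection still open
    try:
        return sock.recv(1, socket.MSG_PEEK) == b""   # EOF means the FIN was received
    except ConnectionResetError:
        return True

def send_with_reconnect(sock, addr, payload):
    """Send payload, replacing a half-closed socket first. Returns (socket, reconnected)."""
    reconnected = False
    if peer_has_closed(sock):
        sock.close()                     # completes the close: leaves CLOSE_WAIT
        sock = socket.create_connection(addr)
        reconnected = True
    sock.sendall(payload)
    return sock, reconnected

def demo():
    """Constructed scenario: the receiver closes one session, then the sender logs again."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # ephemeral port standing in for 514
    listener.listen(5)
    addr = listener.getsockname()
    client = socket.create_connection(addr)
    session, _ = listener.accept()
    before = peer_has_closed(client)     # False: both directions open
    session.sendall(b"closing session\n")  # constructed stand-in for the 16-byte segment
    session.close()                      # receiver sends FIN, like the [F.] packet
    client.settimeout(2)
    client.recv(64)                      # sender reads the pending data
    select.select([client], [], [], 2)   # wait for the FIN to arrive
    after = peer_has_closed(client)      # True: sender side is now in CLOSE_WAIT
    client, reconnected = send_with_reconnect(client, addr, b"<14>test message\n")
    new_session, _ = listener.accept()
    new_session.settimeout(2)
    received = new_session.recv(64)
    for s in (client, new_session, listener):
        s.close()
    return before, after, reconnected, received

if __name__ == "__main__":
    print(demo())
```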

