Apache Tomcat :: Apache Software Foundation

The Apache Tomcat Connectors - Common HowTo

Timeouts HowTo

Introduction

Setting communication timeouts is very important to improve the communication process. They help to detect problems and stabilise a distributed system. JK can use several different timeout types, which can be individually configured. For historical reasons, all of them are disabled by default. This HowTo explains their use and gives hints how to find appropriate values.

All timeouts can be configured in the workers.properties file. For a complete reference of all worker configuration items, please consult the worker reference. This page assumes, that you are using at least version 1.2.16 of JK. Dependencies on newer versions will be mentioned where necessary.

Do not set timeouts to extreme values. Very small timeouts will likely be counterproductive.

Long Garbage Collection pauses on the backend do not make a good fit with some timeouts. Try to optimise your Java memory and GC settings.

JK Timeout Attributes

CPing/CPong

CPing/CPong is our notion for using small test packets to check the status of backend connections. JK can use such test packets directly after establishing a new backend connection (connect mode) and also directly before each request gets send to a backend (prepost mode). Starting with version 1.2.27 it can also be used when a connection was idle for a long time (interval mode). The maximum waiting time (timeout) for a CPong answer to a CPing and the idle time in interval mode can be configured.

The test packets will be answered by the backend very fast with a minimal amount of needed processing resources. A positive answer tells us, that the backend can be reached and is actively processing requests. It does not detect, if some context is deployed and working. The benefit of CPing/CPong is a fast detection of a communication problem with the backend. The downside is a slightly increased latency.

The worker attribute ping_mode can be set to a combination of characters to determine, in which situations test packets are used:

  • C: connect mode, timeout ping_timeout overwritten by connect_timeout
  • P: prepost mode, timeout ping_timeout overwritten by prepost_timeout
  • I: interval mode, timeout ping_timeout, idle time connection_ping_interval
  • A: all modes

Multiple values must be concatenated without any separator characters. We recommend using all CPing tests. If your application is very latency sensitive, then you should only use the combination of connect and interval mode.

Activating the CPing probing via ping_mode has been added in version 1.2.27. For older versions only the connect and prepost modes exist and must be activated by explicitely setting connect_timeout and prepost_timeout.

The worker attribute ping_timeout sets the default wait timeout in milliseconds for CPong for all modes. By default the value is "10000" milliseconds. The value only gets used, if you activate CPing/Cpong probes via ping_mode. The default value should be fine, except if you experience very long Java garbage collection pauses. Depending on your network latency and stability, good custom values often are between 5000 and 15000 milliseconds. You can overwrite the timeout used for connect and prepost mode with connect_timeout and prepost_timeout. Remember: don't use extremely small values.

The worker attribute connect_timeout sets the wait timeout in milliseconds for CPong during connection establishment. You can use it if you want to overwrite the general timeout set with ping_timeout. To use connect mode CPing, you need to enable it via ping_mode. Since JK usually uses persistent connections, opening new connections is a rare event. We therefore recommend activating connect mode. Depending on your network latency and stability, good values often are between 5000 and 15000 milliseconds. Remember: don't use extremely small values.

The worker attribute prepost_timeout sets the wait timeout in milliseconds for CPong before request forwarding. You can use it if you want to overwrite the general timeout set with ping_timeout. To use prepost mode CPing, you need to enable it via ping_mode. Activating this type of CPing/CPong adds a small latency to each request. Usually this is small enough and the benefit of CPing/CPong is more important. So in general we also recommend using prepost_timeout. Depending on your network latency and stability, good values often are between 5000 and 10000 milliseconds. Remember: don't use extremely small values.

Until version 1.2.27 ping_mode and ping_timeout did not exist and to enable connect or prepost mode CPing you had to set connect_timeout respectively prepost_timeout to some reasonable positive value.

Low-Level TCP Timeouts

Some platforms allow to set timeouts for all operations on TCP sockets. This is available for Linux and Windows, other platforms do not support this, e.g. Solaris. If your platform supports TCP send and receive timeouts, you can set them using the worker attribute socket_timeout. You can not set the two timeouts to different values.

JK will accept this attribute even if your platform does not support socket timeouts. In this case setting the attribute will have no effect. By default the value is "0" and the timeout is disabled. You can set the attribute to some seconds value (not: milliseconds). JK will then set the send and the receive timeouts of the backend connections to this value. The timeout is low-level, it is used for each read and write operation on the socket individually.

Using this attribute will make JK react faster to some types of network problems. Unfortunately socket timeouts have negative side effects, because for most platforms, there is no good way to recover from such a timeout, once it fired. For JK there is no way to decide, if this timeout fired because of real network problems, or only because it didn't receive an answer packet from a backend in time. So remember: don't use extremely small values.

For the general case of connection establishment you can use socket_connect_timeout. It takes a millisecond value and works on most platforms, even if socket_timeout is not supported. We recommend using socket_connect_timeout because in some network failure situations failure detection during connection establishment can take several minutes due to TCP retransmits. Depending on the quality of your network a timeout somewhere between 1000 and 5000 milliseconds should be fine. Note that socket_timeout is in seconds, and socket_connect_timeout in milliseconds.

Connection Pools and Idle Timeouts

JK handles backend connections in a connection pool per web server process. The connections are used in a persistent mode. After a request completed successfully we keep the connection open and wait for the next request to forward. The connection pool is able to grow according to the number of threads that want to forward requests in parallel.

Most applications have a varying load depending on the hour of the day or the day of the month. Other reasons for a growing connection pool would be temporary slowness of backends, leading to an increasing congestion of the frontends like web servers. Many backends use a dedicated thread for each incoming connection they handle. So usually one wants the connection pool to shrink, if the load diminishes.

JK allows connections in the pool to get closed after some idle time. This maximum idle time can be configured with the attribute connection_pool_timeout which is given in units of seconds. The default value is "0", which disables closing idle connections.

We generally recommend values around 10 minutes, so setting connection_pool_timeout to 600 (seconds). If you use this attribute, please also set the attribute keepAliveTimeout (if it is set explicitly) or connectionTimeout in the AJP Connector element of your Tomcat server.xml configuration file to an analogous value. Caution: keepAliveTimeout and connectionTimeout must be given in milliseconds. So if you set JK connection_pool_timeout to 600, you should set Tomcat keepAliveTimeout or connectionTimeout to 600000.

JK connections do not get closed immediately after the timeout passed. Instead there is an automatic internal maintenance task running every 60 seconds, that checks the idle status of all connections. The 60 seconds interval can be adjusted with the global attribute worker.maintain. We do not recommend to change this value, because it has a lot of side effects. Until version 1.2.26, the maintenance task only runs, if requests get processed. So if your web server has processes that do not receive any requests for a long time, there is no way to close the idle connections in its pool. Starting with version 1.2.27 you can configure an independent watchdog thread when using Apache HTTP Server 2.x with threaded APR or Microsoft IIS.

The maximum connection pool size can be configured with the attribute connection_pool_size. We generally do not recommend to use this attribute in combination with Apache HTTP Server. For Apache we automatically detect the number of threads per process and set the maximum pool size to this value. For Microsoft IIS we use a default value of 250 (before version 1.2.20: 10), for the iPlanet Web Server the default is "1". We strongly recommend adjusting this value for IIS and the iPlanet Web Server to the number of requests one web server process should be able to send to a backend in parallel. You should measure how many connections you need during peak hours without performance problems, and then add some percentage depending on your growth rate etc. Finally you should check, whether your web server processes are able to use at least as many threads, as you configured as the pool size.

The JK attribute connection_pool_minsize defines, how many idle connections remain when the pool gets shrunken. By default this is half of the maximum pool size.

Firewall Connection Dropping

One particular problem with idle connections comes from firewalls, that are often deployed between the web server layer and the backend. Depending on their configuration, they will silently drop connections from their status table if they are idle for to long.

From the point of view of JK and of the web server, the other side simply doesn't answer any traffic. Since TCP is a reliable protocol it detects the missing TCP ACKs and tries to resend the packets for a relatively long time, typically several minutes. Therefore you should always use connection_pool_timeout and connection_pool_minsize on the JK side and keepAliveTimeout or connectionTimeout on the Tomcat side to prevent idle connection drop.

Furthermore using the boolean attribute socket_keepalive you can set a standard socket option, that automatically sends TCP keepalive packets after some idle time on each connection. By default this is set to false. If you suspect idle connection drops by firewalls you should set this to true.

Unfortunately the default intervals and algorithms for these packets are platform specific. You might need to inspect TCP tuning options for your platform on how to control TCP keepalive. Often the default intervals are much longer than the firewall timeouts for idle connections. Nevertheless we recommend talking to your firewall administration and your platform administration in order to make them agree on good configuration values for the firewall and the platform TCP tuning.

In case none of our recommendations help and you are definitively having problems with idle connection drops, you can disable the use of persistent connections when using JK together with Apache HTTP Server. For this you set "JkOptions +DisableReuse" in your Apache configuration. The amount of performance impact this will have depends on the details of your network and your firewall.

Reply Timeout

JK can also use a timeout on request replies. This timeout does not measure the full processing time of the response. Instead it controls, how much time between consecutive response packets is allowed.

In most cases, this is what one actually wants. Consider for example long running downloads. You would not be able to set an effective global reply timeout, because downloads could last for many minutes. Most applications though have limited processing time before starting to return the response. For those applications you could set an explicit reply timeout. Applications that do not harmonise with reply timeouts are batch type applications, data warehouse and reporting applications which are expected to observe long processing times.

If JK aborts waiting for a response, because a reply timeout fired, there is no way to stop processing on the backend. Although you free processing resources in your web server, the request will continue to run on the backend - without any way to send back a result once the reply timeout fired.

JK uses the worker attribute reply_timeout to set reply timeouts. The default value is "0" (timeout disabled) and you can set it to any millisecond value.

In combination with Apache HTTP Server, you can also set a more flexible reply_timeout using an Apache environment variable. If you set the variable JK_REPLY_TIMEOUT to some integer value, this value will be used instead of the value in the worker configuration. This way you can set reply timeouts more flexible with mod_setenvif and mod_rewrite depending on URI, query string etc. If the environment variable JK_REPLY_TIMEOUT is not set, or is set to a negative value, the default reply timeout of the worker will be used. If JK_REPLY_TIMEOUT contains the value "0", then the reply timeout will be disabled for the request.

In combination with a load balancing worker, JK will disable a member worker of the load balancer if a reply timeout fires. The worker will then no longer be used until it gets recovered during the next automatic maintenance task. Starting with JK 1.2.24 you can improve this behaviour using max_reply_timeouts. This attribute will allow occasional long running requests without disabling the worker. Only if those requests happen to often, the worker gets disabled by the load balancer.

Load Balancer Error Detection

Local and Global Error States

A load balancer worker does not only have the ability to balance load. It also handles stickyness and failover of requests in case of errors. When a load balancer detects an error on one of its members, it needs to decide, whether the error is serious, or only a temporary error or maybe only related to the actual request that was processed. Temporary errors are called local errors, serious errors will be called global errors.

If the load balancer decides that a backend should be put into the global error state, then the web server will not send any more requests there. If no session replication is used, this means that all user sessions located on the respective backend are no longer available. The users will be send to another backend and will have to login again. So the global error state is not transparent to the users. The application is still available, but users might loose some work.

In some cases the decision between local error and global error is easy. For instance if there is an error sending back the response to the client (browser), then it is very unlikely that the backend is broken. So this situation is a typical example of a local error.

Some situations are harder to decide though. If the load balancer can't establish a new connection to a backend, it could be because of a temporary overload situation (so no more free threads in the backend), or because the backend isn't alive any more. Depending on the details, the right state could either be local error or global error.

Error Escalation Time

Until version 1.2.26 most errors were interpreted as global errors. Starting with version 1.2.27 many errors which were previously interpreted as global were switched to being local whenever the backend is still busy. Busy means, that other concurrent requests are send to the same backend (successful or not).

In many cases there is no perfect way of making the decision between local and global error. The load balancer simply doesn't have enough information. In version 1.2.28 you can now tune, how fast the load balancer switches from local error to global error. If a member of a load balancer stays in local error state for too long, the load balancer will escalate it into global error state.

The time tolerated in local error state is controlled by the load balancer attribute error_escalation_time (in seconds). The default value is half of recover_time, so unless you changed recover_time the default is 30 seconds.

Using a smaller value for error_escalation_time will make the load balancer react faster to serious errors, but also carries the risk of more often loosing sessions in not so serious situations. You can lower error_escalation_time down to 0 seconds, which means all local errors which are potentially serious are escalated to global errors immediately.

Note that without good basic error detection the whole escalation procedure is useless. So you should definitely use socket_connect_timeout and activate CPing/CPong with ping_mode and ping_timeout before thinking about also tuning error_escalation_time.


Copyright © 1999-2018, Apache Software Foundation