tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Luke Meyer <>
Subject Re: mod_jk - Firewall connection dropping
Date Wed, 11 Apr 2012 21:17:32 GMT
Just noticed what I was missing about connectionTimeout - it's the default for keepAliveTimeout.
So, that clears that up.

Still don't think it's a "huge negative performance impact!" to disable connection reuse.

----- Original Message -----
From: "Luke Meyer" <>
Sent: Tuesday, April 10, 2012 5:09:17 PM
Subject: mod_jk - Firewall connection dropping

I have some questions about the documentation at
regarding the Firewall Connection Dropping section. I don't think it's quite right, but maybe
I misunderstand. 

To quote the sections in question: 

" Many firewalls will allow connection closing, even if they dropped the connection for normal
traffic. Therefore you should always use connection_pool_timeout and connection_pool_minsize
on the JK side and connectionTimeout on the Tomcat side. 
In case none of our recommendations help and you are definitively having problems with idle
connection drops, you can disable the use of persistent connections when using JK together
with Apache httpd. For this you set "JkOptions +DisableReuse" in your Apache httpd configuration.
This will have a huge negative performance impact! " 

The recommendation to use connection_pool_timeout seems good - close connections that have
been idle so the firewall doesn't drop them. But I don't see what connectionTimeout on the
AJP connector has to do with keepalive timeouts - it seems to be for initial connections only.
I would think keepAliveTimeout is the way to get rid of connections that the firewall has
dropped - yes? 

I also don't understand why disabling reuse entirely is said to have a "huge negative performance
impact!" The only impact I can see is that you have to reopen a connection for each request.
If your servers are right next to each other on the network, or even on the same box, as is
typical in most AJP setups, then connection time is negligible. In my tests (on the same box)
the whole handshake took .1 millisecond - obviously, if there's some latency, that may be
a few milliseconds, but in the scenario where a firewall is dropping inactive connections,
I hardly think there would be so much throughput that this would matter. Certainly it's not
going to matter compared to the risk of threads being tied up on dead connections. And if
your network isn't perfect, but the latency is negligible, why not just disable reuse so you
never have to take that risk? 

And the biggest question... why does the default configuration assume that connections will
always either stay open forever or be properly closed? By default, if connections are dropped,
Tomcat eventually becomes unresponsive because the connector thread pool is exhausted, and
you must restart. This looks really bad. Why not have a default keepAliveTimeout value that
acknowledges the real world isn't perfect and frees threads from dead connections? 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message