Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Contrail] Determining if TCP keepalive is enabled for a TCP connection



Article ID: KB34010 KB Last Updated: 25 Mar 2019Version: 1.0

Sometimes, users may observe excessive amount of TCP sessions dangling in the system and socket resource exhaustion, which may result in varied issues. In such cases, it may be necessary to determine whether a TCP connection has enabled the TCP keepalive (TCP-KA) feature.

This article briefly details the command that can be used to check whether TCP-KA is enabled.



The TCP-KA feature:

  • Must be supported by the kernel, and the Linux kernel does support it
  • Needs to be enabled per "socket," which means that it can be supported:
    • Only on the TCP client
    • Only on the TCP server side
    • On both the TCP client and TCP server side
  • Will not be enabled on the TCP session if it is not explicitly enabled by the TCP client or server application

A sample socket code to enable the TCP-KA feature is as follows:

setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, &optval, optlen)



To examine whether an existing TCP connection has TCP-KA enabled, use the netstat command as follows:

root@cont102:~# netstat -lnapo | grep 6379 | head
tcp        0      0*               LISTEN      520/redis-server 17 off (0.00/0/0)
tcp        0      0*               LISTEN      520/redis-server 17 off (0.00/0/0)
tcp        0      0    ESTABLISHED 520/redis-server 17 off (0.00/0/0)
tcp        0      0     ESTABLISHED 1623/python      keepalive (0.34/0/0)

root@cont102:~# ps 520
 520 ?        Ssl  620:28 /usr/bin/redis-server

root@cont102:~# ps 1623
 1623 ?        Sl   39864:11 /usr/bin/python /usr/bin/contrail-alarm-gen --conf_file /etc/contrail/contrail-keystone-auth.conf --conf_file  /etc/contrail/contrail-alarm-gen.

In this capture, the following can be seen:

  • As the TCP server, redis-server has not enabled the TCP-KA feature (off) on the server side.

  • As the TCP client, contrail-alarm-gen has enabled the TCP-KA feature (keepalive) on the client side.

Note: Some applications may provide a knob in their configuration file to turn the TCP-KA feature on and off, and some do not.

For example, for redis-server, the following knob can be modified to enable TCP-KA:

root@cont102:~# cat /etc/redis/redis.conf | grep keep
# TCP keepalive.
tcp-keepalive 0

Changing the tcp-keepalive parameter value to 60 and restarting the redis-server process will trigger the TCP-KA packets to be sent every 60 seconds on an idle session.


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search