
Understanding TCP Connection Queues: Full and Half‑Open Queues, Overflow, and Linux Tuning

This article explains how TCP full and half‑open connection queues work on Linux, why they overflow when the number of connections grows, and provides practical commands and kernel parameter adjustments such as backlog, somaxconn, and tcp_max_syn_backlog to resolve the issue.

IT Services Circle

Problem Analysis

A colleague reported that when the number of TCP connections approached 1024, the usable connections dropped to around 200 and new connections could not be established, despite normal GC and memory usage.

Key values extracted were 1024, 200, and "cannot establish new connection". The likely cause is TCP request overflow, so the recommendation was to increase the full connection queue and half connection queue thresholds.

Review TCP

The TCP three‑way handshake consists of:

Client sends SYN (entering state SYN_SENT) and the server places the request in the half‑connection queue.

Server replies with SYN+ACK.

Client returns ACK; the kernel moves the socket from the half‑connection queue to the full‑connection queue, where it waits until the application calls accept().

Linux maintains two queues: the SYN (half‑connection) queue and the accept (full‑connection) queue. When either queue is full, new connections are rejected.

Full Connection Queue

Queue Information

Use ss -lnt | grep 8888 to view the LISTEN state. In LISTEN, Recv‑Q shows the number of completed handshakes waiting for accept(), and Send‑Q shows the maximum queue length (e.g., 100).

# ss -lnt | grep 8888
LISTEN 0 100 :::8888 :::*

In non‑LISTEN states, Recv‑Q and Send‑Q represent received but unread bytes and sent but unacknowledged bytes, respectively.

Queue Overflow

When the full‑connection queue overflows, the server drops incoming SYNs, leading to connection failures. Check overflow counts with netstat -s | grep overflowed or netstat -s | grep listen .

# netstat -s | grep overflowed
7102 times the listen queue of a socket overflowed

Rejection Policy

The kernel parameter tcp_abort_on_overflow controls the behavior when the queue is full. With a value of 0, the server discards the client's ACK and retransmits SYN+ACK; with a value of 1, it immediately sends a RST to the client.

# cat /proc/sys/net/ipv4/tcp_abort_on_overflow
0

Queue Adjustment

The size of the full‑connection queue is limited by the smaller of backlog (set in the listen() call or server config) and net.core.somaxconn (OS‑level). Increase both to avoid bottlenecks:

# sysctl -w net.core.somaxconn=1024
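
The checks from this section combined into one script, as an added example that is not part of the original article. The function names and the sample `ss -lnt` and `netstat -s` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Sample data below is constructed.

# effective_backlog BACKLOG SOMAXCONN
# The accept queue limit is the smaller of the listen() backlog and somaxconn.
effective_backlog() {
    if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# accept_queue_pressure THRESHOLD_PCT   (reads `ss -lnt` output on stdin)
# For LISTEN sockets, Recv-Q = connections waiting for accept() and
# Send-Q = queue limit. Prints "local_addr recv_q/send_q" for each
# listener whose queue is filled to THRESHOLD_PCT percent or more.
accept_queue_pressure() {
    awk -v pct="$1" '
        $1 == "LISTEN" && $3 > 0 && ($2 * 100 >= $3 * pct) {
            printf "%s %d/%d\n", $4, $2, $3
        }'
}

# overflow_count   (reads `netstat -s` output on stdin)
# Extracts the cumulative listen-queue overflow counter, or 0 if absent.
overflow_count() {
    awk '/listen queue of a socket overflowed/ { print $1; found = 1 }
         END { if (!found) print 0 }'
}

# Constructed `ss -lnt` snapshot: port 9999 is close to its limit.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    :::8888            :::*
LISTEN 97     100    :::9999            :::*
LISTEN 60     128    0.0.0.0:22         0.0.0.0:*
EOF
}

# Constructed pair of `netstat -s` lines taken some time apart; the counter
# is cumulative, so only the difference shows whether drops are ongoing.
before=$(echo "    7102 times the listen queue of a socket overflowed" | overflow_count)
after=$(echo "    7150 times the listen queue of a socket overflowed" | overflow_count)

echo "effective limit for backlog=100, somaxconn=128: $(effective_backlog 100 128)"
echo "listeners at >= 80% of their accept queue:"
sample_ss | accept_queue_pressure 80
echo "new overflows between samples: $((after - before))"
```

On a live host, pipe `ss -lnt` into `accept_queue_pressure` and `netstat -s` into `overflow_count` in place of the constructed samples.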

Half Connection Queue

Queue Information

Connections in SYN_RECV state reside in the half‑connection queue. View its length with:

# netstat -natp | grep SYN_RECV | wc -l
1111

Queue Overflow

If clients fail to send ACKs, the half‑connection queue fills, preventing SYNs from moving to the full queue—a common DDoS pattern.

Queue Adjustment

Increase the half‑connection queue by setting /proc/sys/net/ipv4/tcp_max_syn_backlog:

# echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog

Conclusion

The article provides a concise overview of TCP full and half‑connection queues, their typical default sizes on CentOS (full: 128, half: 1024), symptoms of overflow, and practical Linux commands to monitor and tune these parameters for better server reliability.
