Compaq TCP/IP Services for OpenVMS
Tuning and Troubleshooting



1.2.9.2 Displaying Service Attributes

Each service should have the following items defined in the services database:

If these items are not defined correctly, or if the service account privileges and file protections are not assigned correctly, the service will fail to respond to an incoming request. This failure may be logged in the service-specific log file.

To display information about a service, enter the TCPIP command SHOW SERVICE /FULL and specify the service name. For example:


$ TCPIP 
TCPIP> SHOW SERVICE /FULL TELNET 
 
Service: TELNET                                          (1)
                           State:     Enabled 
Port:               23     Protocol:  TCP             Address:  0.0.0.0 
Inactivity:          1     User_name: not defined     Process:  not defined 
Limit:              57     Active:     12             Peak:      14 
 
File:         not defined 
Flags:        Listen Rtty                
 
Socket Opts:  Keepalive Rcheck Scheck                    (2)
 Receive:         3000     Send:            3000 
 
Log Opts:     Actv Dactv Conn Error Logi Logo Mdfy Rjct  (3)
 File:        not defined 
 
Security                                                 (4)
 Reject msg:  not defined 
 Accept host: 0.0.0.0 
 Accept netw: 0.0.0.0 
TCPIP> 

  1. This section displays information about the service: service name, process name, user name, port and interface on which the service is listening, whether the service is enabled or disabled, and the number of copies of the service that can run at one time.
  2. This section displays the socket options that the service uses. The service's socket options can be changed dynamically, though it is unlikely that someone would change them. If you suspect that improper socket options are in effect, you can reestablish the default values by disabling the service, running TCPIP$CONFIG, and then enabling the service.
  3. This section displays the name of the log file that receives event messages and the events that the service will log. Checking the log file may indicate the cause of a problem.
  4. This security section displays a list of hosts and networks that are specifically given or denied access to the service. If one system is unable to access a service, check this section to see whether the system or its associated network is being denied the service.

1.2.9.3 Verifying Process Privileges

To check the privileges associated with a service's process, enter a command for the process, as follows:


$ INSTALL LIST/FULL TCPIP$SMTP_RECEIVER 
 
DISK$VMS721:<SYS0.SYSCOMMON.SYSEXE>.EXE 
   TCPIP$SMTP_RECEIVER;1 
                    Open Hdr Shared   Prv 
        Entry access count         = 20 
        Current / Maximum shared   = 1 / 1 
        Global section count       = 1 
        Privileges = SYSPRV 
        Authorized = SYSPRV 
 
$ INSTALL LIST/FULL TCPIP$FTP_CHILD 
 
DISK$VMS721:<SYS0.SYSCOMMON.SYSEXE>.EXE 
   TCPIP$FTP_CHILD;1 
                    Open Hdr Shared   Prv 
        Entry access count         = 42 
        Current / Maximum shared   = 1 / 3 
        Global section count       = 1 
        Privileges = PSWAPM OPER 
        Authorized = PSWAPM OPER 
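
The listings above can be checked against an expected privilege set so that a missing privilege (the service fails to respond) or an unexpected one (the image holds more than it needs) is flagged. The following Python sketch is an added example, not part of the Compaq manual; the baseline is an assumption taken from the two listings on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: the two INSTALL LIST/FULL listings above, abridged.
SAMPLE = """\
DISK$VMS721:<SYS0.SYSCOMMON.SYSEXE>.EXE
   TCPIP$SMTP_RECEIVER;1
        Privileges = SYSPRV
        Authorized = SYSPRV

DISK$VMS721:<SYS0.SYSCOMMON.SYSEXE>.EXE
   TCPIP$FTP_CHILD;1
        Privileges = PSWAPM OPER
        Authorized = PSWAPM OPER
"""

# Assumed baseline, copied from the listings on this page; adjust per system.
BASELINE = {
    "TCPIP$SMTP_RECEIVER": {"SYSPRV"},
    "TCPIP$FTP_CHILD": {"PSWAPM", "OPER"},
}

IMAGE_RE = re.compile(r"^\s+([A-Z0-9_$]+);\d+\s*$")
PRIV_RE = re.compile(r"^\s+(Privileges|Authorized)\s*=\s*(.*)$")

def parse_install_list(text):
    """Return {image: {"Privileges": set, "Authorized": set}}."""
    images, current = {}, None
    for line in text.splitlines():
        m = IMAGE_RE.match(line)
        if m:  # an "IMAGE;version" line starts a new entry
            current = images.setdefault(
                m.group(1), {"Privileges": set(), "Authorized": set()})
            continue
        m = PRIV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = set(m.group(2).split())
    return images

def audit(images, baseline):
    """Return sorted (image, problem, privilege) tuples; [] means a match."""
    findings = []
    for name, expected in baseline.items():
        if name not in images:
            findings.append((name, "not installed", ""))
            continue
        have = images[name]["Privileges"]
        findings += [(name, "missing", p) for p in expected - have]
        findings += [(name, "unexpected", p) for p in have - expected]
    return sorted(findings)
```

Calling `audit(parse_install_list(captured_output), BASELINE)` on saved command output returns an empty list when every image matches the baseline.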

1.2.9.4 Verifying Account Privileges

To determine the privileges associated with the service's account, run the OpenVMS Authorize utility and then use the SHOW command with the process name of the service, as follows:


A72KT: SET DEFAULT SYS$SYSTEM 
A72KT: RUN AUTHORIZE 
UAF> SHOW TCPIP$SNMP 
 
Username: TCPIP$SNMP                       Owner:  TCPIP$SNMP 
Account:  TCPIP                            UIC:    [3655,13] ([TCPIP$AUX,TCPIP$S 
NMP]) 
CLI:      DCL                              Tables: DCLTABLES 
Default:  SYS$SYSDEVICE:[TCPIP$SNMP] 
LGICMD:   LOGIN 
Flags:  Restricted 
Primary days:   Mon Tue Wed Thu Fri 
Secondary days:                     Sat Sun 
Primary   000000000011111111112222  Secondary 000000000011111111112222 
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123 
Network:  ##### Full access ######            ##### Full access ###### 
Batch:    -----  No access  ------            -----  No access  ------ 
Local:    -----  No access  ------            -----  No access  ------ 
Dialup:   -----  No access  ------            -----  No access  ------ 
Remote:   -----  No access  ------            -----  No access  ------ 
Expiration:            (none)    Pwdminimum:  6   Login Fails:     0 
Pwdlifetime:         90 00:00    Pwdchange:      (pre-expired) 
Last Login:            (none) (interactive),  7-AUG-2000 12:45 (non-interactive) 
Maxjobs:         0  Fillm:        50  Bytlm:        52200 
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0 
Maxdetach:       0  BIOlm:        18  JTquota:       4096 
Prclm:           8  DIOlm:        18  WSdef:          350 
Prio:            8  ASTlm:       100  WSquo:          512 
Queprio:         4  TQElm:        15  WSextent:       512 
CPU:        (none)  Enqlm:       100  Pgflquo:      10240 
Authorized Privileges: 
  NETMBX       TMPMBX 
Default Privileges: 
  NETMBX       TMPMBX 

1.2.9.5 Looking for OPCOM Messages

The following is another method of detecting failure of the auxiliary server to start a service:

  1. Enter the following commands:


    $ SET PROCESS /PRIVILEGE=OPER        (1)
    $ SET AUDIT /ALARM /ENABLE=FAILURE   (2)
    $ REPLY/ENABLE=NETWORK               (3)
    

    1. Enables your process with operator privileges.
    2. Enables security auditing to log unsuccessful object attempts.
    3. Establishes your terminal as an operator's terminal.
  2. After you enter these commands, have a remote user try to connect to the service on the local system.
  3. Review any OPCOM messages for indications of the problem.


Chapter 2
Tuning Techniques

This chapter describes how to adjust TCP/IP variables to improve network performance.

2.1 Kernel Subsystems

The TCP/IP Services kernel contains the following subsystems:

Each subsystem has attributes that you can change to affect the performance of the network. You can display and modify these attribute values by using the sysconfig command.

The following sections describe how to perform these tasks:

2.1.1 Displaying Subsystems and Attributes

To display kernel subsystems, enter the following command:


$ TCPIP 
TCPIP> sysconfig -s 
inet: loaded and configured 
net: loaded and configured 
socket: loaded and configured 
iptunnel: loaded and configured 
ipv6: loaded and configured 
snmpinfo: loaded and configured 
TCPIP> 

To display the attributes of a particular subsystem, enter a command similar to the following:


TCPIP> sysconfig -q socket 
socket: 
sbcompress_threshold = 0 
sobacklog_drops = 0 
sobacklog_hiwat = 3 
somaxconn = 1024 
somaxconn_drops = 0 
sominconn = 0 
TCPIP> 

2.1.2 Testing Attribute Support

To determine support for an attribute, use the sysconfig -q subsystem [attribute] command.

If you do not specify an attribute, the system displays all the subsystem attributes that can be modified with the sysconfig command. If the subsystem is not configured, sysconfig displays a message similar to the following:


framework error: subsystem 'inet' not found 

If you specify an attribute, the sysconfig command displays only information about that attribute. For example:


# sysconfig -q inet tcbhashsize 
inet: 
tcbhashsize = 32 

If the attribute is not supported or if it cannot be accessed by using sysconfig, sysconfig displays a message similar to the following:


inet: 
tcbhashsize = unknown attribute 

For more information about using the sysconfig command, see Appendix A.

2.1.3 Displaying Attribute Values

Use the following methods to display attribute values:

For more information about the sysconfig command, see Appendix A.

2.1.4 Modifying Attribute Values

The /etc/sysconfigtab subsystem attribute database file contains modifications to the default attribute values. Various methods are available to modify attribute values.

Note

Use the sysconfig -r command to modify attribute values in the sysconfigtab file. Do not modify the file manually.

2.1.5 Modifying Attributes Temporarily

You may be able to modify an attribute temporarily by changing only its current value. This allows you to determine whether modifying an attribute will improve your system performance. Not all attributes can be changed dynamically.

Temporary modifications are lost when you reboot the system.

To modify an attribute's current value, use the following method:

For information about the sysconfig command, see Appendix A.

2.2 Modifying Kernel Subsystems

Most resources used by the network subsystem are allocated and adjusted dynamically. However, you can make some adjustments to improve performance.

Table 2-1 summarizes the adjustments you can make, the performance benefit each one provides, and the tradeoffs (where applicable) associated with each adjustment.

Table 2-1 Network Tuning Guidelines

| Performance Benefit | Tuning Adjustment | Tradeoff |
|---|---|---|
| Reduce the number of dropped incoming connection requests. | Increase the maximum number of pending TCP connections (Section 2.2.1.1). | Consumes memory resources. |
| Allow each server socket to handle more SYN packets simultaneously. | Increase the minimum number of pending TCP connections (Section 2.2.1.2). | Consumes memory resources. |
| Allow for a larger socket buffer. | Increase the maximum socket buffer size (Section 2.2.1.3). | Consumes memory. If you have a large number of sockets, memory consumption could be of concern. |
| Improve the TCP control block lookup rate and increase the raw connection rate. | Increase the size of the hash table that the kernel uses to look up TCP control blocks (Section 2.2.2.1). | Slightly increases the amount of pooled memory. |
| Reduce hash table lock contention for SMP systems. | Increase the number of TCP hash tables (Section 2.2.2.2). | Slightly increases the amount of pooled memory. |
| Improve performance on systems that use large numbers of interface aliases. | Increase the size of the kernel interface alias table (Section 2.2.2.3). | None. |
| Allow partial connections to time out sooner, preventing the socket listen queue from filling up with SYN packets. | Increase the TCP partial connection timeout rate (Section 2.2.2.4). | Setting the tcp_keepinit value too low can cause connections to be broken prematurely. |
| Prevent premature retransmissions and decrease congestion. | Reduce the TCP retransmission rate (Section 2.2.2.5). | A long retransmit time is not appropriate for all configurations. |
| Clean up sockets that do not exit cleanly when the keepalive interval expires. | Enable TCP keepalive functionality (Section 2.2.2.6). | None. |
| Free connection resources sooner. | Make the TCP connection context time out more quickly at the end of the connection (Section 2.2.2.7). | Reducing the timeout limit increases the potential for data corruption; use caution if you make this adjustment. |
| Provide TCP and UDP applications with a specific range of ports. | Modify the range of outgoing connection ports (Section 2.2.2.8). | None. |
| Improve the efficiency of servers that handle remote traffic from many clients. | Disable the use of a PMTU (Section 2.2.2.9). | May reduce server efficiency for LAN traffic. |
| Allow large socket buffer sizes. | Increase the maximum size of a socket buffer (Section 2.2.1.3). | Consumes memory resources. |

The following sections describe in detail how to modify socket subsystem attributes and internet subsystem attributes.

2.2.1 Modifying Socket Subsystem Attributes

The socket subsystem attributes control the maximum number of pending connection attempts per server socket (that is, the maximum depth of the listen or SYN queue) and other behavior. You may be able to improve server performance by modifying the socket subsystem attributes described in Table 2-2.

Table 2-2 socket Subsystem Attributes

| Attribute | Description |
|---|---|
| somaxconn | Controls the maximum number of pending TCP connections. |
| sominconn | Controls the minimum number of pending TCP connections. |
| sb_max | Controls the maximum size of a socket buffer. |

In addition, the socket subsystem attributes sobacklog_hiwat, sobacklog_drops, and somaxconn_drops track events related to socket listen queues. By monitoring these attributes, you can determine whether the queues are overflowing.

2.2.1.1 Increasing the Maximum Number of Pending TCP Connections

The socket subsystem attribute somaxconn specifies the maximum number of pending TCP connections (the socket listen queue limit) for each server socket (for example, for the HTTP server socket). Busy servers often experience large numbers of pending connections. If the listen queue connection limit is too small, incoming connection requests may be dropped. Pending TCP connections can be caused by lost packets in the internet or denial of service attacks.

The default value for somaxconn is 1024.

Compaq recommends increasing the somaxconn attribute to the maximum value, except on low-memory systems. The maximum value is 65535. Specifying a value that is higher than the maximum value can cause unpredictable behavior.

2.2.1.2 Increasing the Minimum Number of Pending TCP Connections

The socket subsystem attribute sominconn specifies the minimum number of pending TCP connections (backlog) for each server socket. This attribute controls how many SYN packets can be handled simultaneously before additional requests are discarded. Network performance can degrade if a client saturates a socket listen queue with erroneous TCP SYN packets, effectively blocking other users from the queue.

The value of the sominconn attribute overrides the application-specific backlog value, which may be set too low for some server software. If you do not have your application source code, you can use the sominconn attribute to set a sufficient pending-connection quota.

The default value is 0.

Compaq recommends increasing the value of the sominconn attribute to the maximum value of 65535. The value of the sominconn attribute should be the same as the value of the somaxconn attribute (see Section 2.2.1.1).
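
The monitoring and sizing guidance in Sections 2.2.1 through 2.2.1.2 can be applied to captured `sysconfig -q socket` output. The following Python sketch is an added example, not part of the Compaq manual; the function names are hypothetical and the sample values are constructed, with nonzero drop counters to show the overflow case.

```python
SOMAXCONN_MAX = 65535  # maximum value stated in Section 2.2.1.1

# Constructed sample in the format of the `sysconfig -q socket` display
# shown in Section 2.1.1; the counter values are invented for illustration.
SAMPLE = """\
socket:
sbcompress_threshold = 0
sobacklog_drops = 17
sobacklog_hiwat = 1024
somaxconn = 1024
somaxconn_drops = 5
sominconn = 0
"""

def parse_sysconfig(text):
    """Parse `sysconfig -q` output into {subsystem: {attribute: value}}."""
    result, subsystem = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and "=" not in line:
            subsystem = result.setdefault(line[:-1], {})
        elif "=" in line and subsystem is not None:
            name, _, value = (part.strip() for part in line.partition("="))
            # Unsupported attributes print "unknown attribute" (Section 2.1.2).
            subsystem[name] = int(value) if value.isdigit() else None
    return result

def check_listen_queue(attrs):
    """Return warnings about listen-queue overflow and backlog limits."""
    warnings = []
    for counter in ("sobacklog_drops", "somaxconn_drops"):
        if attrs.get(counter):  # nonzero means requests were dropped
            warnings.append(f"{counter}={attrs[counter]}: listen queue overflowed")
    somaxconn, sominconn = attrs.get("somaxconn"), attrs.get("sominconn")
    if somaxconn is not None and somaxconn > SOMAXCONN_MAX:
        warnings.append("somaxconn exceeds 65535: unpredictable behavior")
    if somaxconn is not None and sominconn != somaxconn:
        warnings.append("sominconn differs from somaxconn (Section 2.2.1.2)")
    return warnings
```

Rising drop counters between two samples taken some time apart indicate that the listen queues are still overflowing, whether from a busy server or from a flood of SYN packets.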

2.2.1.3 Increasing the Maximum Size of a Socket Buffer

The socket subsystem attribute sb_max specifies the maximum size of a socket buffer.

Performance Benefits and Tradeoffs

Increasing the maximum size of a socket buffer may improve performance if your applications can benefit from a large buffer size.

You can modify the sb_max attribute without rebooting the system.

When to Tune

If you require a large socket buffer, increase the maximum socket buffer size.

Recommended Values

The default value of the sb_max attribute is 128 KB. Increase this value before you increase the size of the transmit and receive socket buffers (see Section 10.2.16).

2.2.2 Modifying Internet Subsystem Attributes

You may be able to improve inet subsystem performance by modifying the attributes described in Table 2-3.

Table 2-3 inet Subsystem Attributes

| Attribute | Description |
|---|---|
| tcbhashsize | Controls the size of a TCP hash table. |
| tcbhashnum | Specifies the number of TCP hash tables. |
| inifaddr_hsize | Controls the size of the kernel interface alias table. |
| tcp_keepinit | Specifies the TCP partial connection timeout rate. |
| tcp_rexmit_interval_min | Specifies the rate of TCP retransmissions. |
| tcp_keepalive_default | Enables or disables the TCP keepalive function. |
| tcp_msl | Specifies the TCP connection context timeout rate. |
| ipport_userreserved | Specifies the maximum value for the range of outgoing connection ports. |
| ipport_userreserved_min | Specifies the minimum value for the range of outgoing connection ports. |
| pmtu_enabled | Enables or disables use of the PMTU protocol. |
| ipqs | Specifies the number of IP input queues. |
| ipqmaxlen | Prevents dropped input packets. |

