Instant Citrix Security How-to

By: Carmel Jacob

Overview of this book

With the rise of cloud computing and virtualization comes a whole new threat to business security. When dealing with highly confidential information you need your security to be bulletproof. This book will help you do that. "Instant Citrix Security How-to" will allow you to achieve simplicity in security when dealing with real life examples. This guide will give your systems that extra layer of protection when they need it most. This book could be the difference between secure data and stolen data. Starting with how to deploy a Citrix NetScaler on a DMZ, this book presents you with options, their uses, and features that can be enabled. In order to ensure each recipe gives you the most benefit, case studies are included to show you real life implications of your decisions. This book will guide you through the world of load balancing using both content switching and redirection. We will also discuss load balancing based on geographical location and disaster recovery methods. The number of features within each module to reduce server load and CPU is astounding and will make your life, the end user, a walk in the park.

Zombie cleanup (Must know)


To avoid holding idle connections open for an extended period of time, NetScaler uses the zombie cleanup feature. Instead of immediately terminating the connections, this feature puts the idle connections into a collection pool. When subsequent client requests arrive, they are served over the idle connections held in the re-use pool; therefore, TCP handshakes and terminations need not be performed repeatedly with the backend servers, which in turn minimizes CPU and resource usage on the NetScaler. Connection multiplexing happens only on an HTTP VIP, not on any arbitrary TCP VIP. Even though connection multiplexing operates at the TCP level, it is not supported for all types of traffic running over TCP: HTTP and SSL are the only two types that support connection multiplexing.

Connection multiplexing works as shown in the following screenshot:

NetScaler has a pool of active connections to the server called the re-use pool; the number of connections in the re-use pool can be seen by using the following nsconmsg command:

shell# nsconmsg -s ConLb=2 -d oldconmsg

The output will have values such as OE(xx), SQ(x), and RP(x), where OE is Open Established connections, SQ is Surge Queue, and RP is Re-use Pool.
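To make those counters actionable, here is an added Python example (not from the book) that parses the OE, SQ, and RP values out of nsconmsg-style lines and flags the conditions this section describes: a non-empty surge queue, an empty re-use pool (no connections available to multiplex onto), and a service where nearly every established server connection is sitting idle. The sample lines are constructed, the `svc <name> <ip:port> <state>` prefix and the thresholds are assumptions made for this example, and only the `OE(x)`, `SQ(x)`, `RP(x)` notation comes from the text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output modelled on the OE(x)/SQ(x)/RP(x) notation the
# text describes. The "svc <name> <ip:port> <state>" prefix is an assumed
# layout for this example, not a capture from a real NetScaler.
SAMPLE_NSCONMSG = """\
svc PACKT_service_1 10.0.0.11:80 UP OE(42) SQ(0) RP(17)
svc PACKT_service_2 10.0.0.12:80 UP OE(60) SQ(8) RP(0)
svc PACKT_service_3 10.0.0.13:443 UP OE(5) SQ(0) RP(5)
"""

# The three counters named on the page: Open Established, Surge Queue,
# Re-use Pool. Their order on the line is not assumed; each is matched alone.
COUNTER_RE = re.compile(r"\b(OE|SQ|RP)\((\d+)\)")
NAME_RE = re.compile(r"^svc\s+(\S+)")


@dataclass
class ConnStats:
    name: str
    open_established: int  # OE
    surge_queue: int       # SQ
    reuse_pool: int        # RP

    @property
    def idle_share(self) -> float:
        """Fraction of established server connections idle in the re-use pool."""
        if self.open_established == 0:
            return 0.0
        return self.reuse_pool / self.open_established


def parse_conmsg(text: str) -> List[ConnStats]:
    """Extract per-service OE/SQ/RP counters from nsconmsg-style lines."""
    out: List[ConnStats] = []
    for line in text.splitlines():
        name = NAME_RE.match(line)
        counters = {k: int(v) for k, v in COUNTER_RE.findall(line)}
        if not name or not {"OE", "SQ", "RP"} <= set(counters):
            continue  # not a service line, or a counter is missing
        out.append(ConnStats(name.group(1), counters["OE"],
                             counters["SQ"], counters["RP"]))
    return out


def find_problems(stats: List[ConnStats],
                  max_idle_share: float = 0.9) -> Dict[str, List[str]]:
    """Flag services whose counters show the symptoms the section describes."""
    problems: Dict[str, List[str]] = {}
    for s in stats:
        notes = []
        if s.surge_queue > 0:
            # Requests are queued: the backend is not taking new connections fast enough
            notes.append(f"surge queue non-empty ({s.surge_queue})")
        if s.open_established > 0 and s.reuse_pool == 0:
            # Nothing idle to multiplex onto: every request costs a new handshake
            notes.append("re-use pool empty; connection multiplexing not happening")
        if s.idle_share > max_idle_share and s.open_established > 10:
            # Almost every server connection idle: check that zombie cleanup is reaping them
            notes.append(f"{s.idle_share:.0%} of established connections idle")
        if notes:
            problems[s.name] = notes
    return problems


if __name__ == "__main__":
    for name, notes in find_problems(parse_conmsg(SAMPLE_NSCONMSG)).items():
        print(name, "->", "; ".join(notes))
```

On the constructed sample, only `PACKT_service_2` is reported (queued requests and an empty re-use pool); the threshold for "too many idle connections" is deliberately a parameter, since what counts as normal depends on the backend and the configured zombie timeout.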

A common query that crops up is whether re-use is supported with USIP enabled. Yes, it is supported (only for HTTP), because NetScaler still acts as a proxy: it uses its own MAC address and only inserts the client's IP address as the source. Hence, even when the source IP belongs to a large proxy, we would still be able to re-use connections. However, care should be taken to see that the CPU does not spike.

Getting ready

The most common problems faced without zombie cleanup are a drop in traffic and slow requests and responses (page timeouts). It can also lead to high CPU usage, since idle and inactive connections that are not cleaned up only consume resources to no purpose. DoS attacks can be saved for a different chapter altogether, but certain types of attacks can be prevented using the zombie cleanup feature of NetScaler.

How to do it...

The time interval to be set in the zombie process is as follows:

root@ns> set ns timeout -zombie 140

(The default zombie timeout is 120 seconds.)

In the GUI, it is under System | Change timeout values. At each level of configuration (that is, at the vserver, service, and server level) a client timeout can be configured, after which the zombie process is notified to kick in once the timeout has expired.

For example, at the vserver level this command sets the time up to which NetScaler leaves the connection in the re-use pool:

root@ns> set vserver PacktLB_vserver -cltTimeout 120

How it works...

Once the connections are in the re-use pool, the zombie timer kicks in and cleans up the connections once the timer has expired. There is a knob to disable the zombie cleanup:

set service "PACKT_service" -maxreq 1

This setting disables connection multiplexing as well. There would be a one-to-one mapping between the client and server.

Zombie cleanup is enabled by default in NetScaler with an interval of 120 seconds; the interval can be customized to suit your requirements, though in most cases it is recommended to leave it at the default.