Hello list,
I have an LDAP server acting as a proxy, through back-ldap, to another LDAP server which holds the data.
These servers are in distinct networks and connections are all routed through a firewall.
Both proxy and backend servers are running OpenLDAP version 2.4.17 (from Debian testing/sid).
Everything is working fine except that from time to time the proxy server has trouble responding to requests. These anomalies don't happen very often and last for very short periods of time, usually from a couple of seconds to ten seconds. Although things keep working, it's rather annoying for the end user to have their interaction with a system delayed or denied, even for such short periods.
Both system loads, on the proxy and on the backend server, appear to be fine and I have no reason to believe that it's a matter of a shortage of system resources.
I can observe, though, a rather large number of connections (usually from 1k to 2k), from the proxy server to the backend server, in CLOSE_WAIT state. Both servers have an idletimeout value of 30 seconds set and I would expect the unused connections to cease to exist after that period of time.
Basically I want to know if this number of connections is normal, taking into consideration that most queries are performed anonymously and I'm quite positive that there aren't more than a couple hundred authenticated binds simultaneously.
What steps can I take to reduce this behavior?
Thank you all in advance,
Hugo Monteiro.
openldap-software@openldap.org
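An added illustration, not taken from Hugo's post or from the OpenLDAP project: a proxy-side slapd.conf fragment showing the back-ldap directives from slapd-ldap(5) that govern the proxy's cached connections to the backend (the global idletimeout only applies to the proxy's own incoming client connections). The hostname, suffix and timer values are assumptions.

```conf
# Added example (not from the original post): proxy-side slapd.conf fragment.
# Hostname, suffix and timer values are placeholders chosen for illustration.

# Global setting: closes idle *incoming* client connections on the proxy.
# It does not touch the proxy's own cached connections towards the backend.
idletimeout     30

database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://backend.example.com/"

# Drop a cached proxy->backend connection after it has been idle this long.
# Keeping it below the backend's own idletimeout lets the proxy close first
# instead of being left holding half-closed (CLOSE_WAIT) sockets.
idle-timeout    20

# Also recycle every cached connection after this lifetime, regardless of
# activity, so long-lived connections cannot accumulate.
conn-ttl        300
```

On the proxy, `ss -tan state close-wait` (or `netstat -tan | grep CLOSE_WAIT`) run before and after the change shows whether the half-closed connection count actually drops.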