CLOSE_WAIT not closing in Bind 9.2.0
hmprimerib at hotmail.com
Fri Feb 15 20:33:25 UTC 2002
hmprimerib at hotmail.com (D.M.) wrote in message news:<a2hrqo$odt at pub3.rc.vix.com>...
> We have multiple lingering CLOSE_WAIT's on our bind 9.2.0 server which
> means the client sent a FIN, but the server hasn't closed its socket
> yet. This leads me to believe this is possibly a problem with the
> server. Anyone know how to control these? Make sure they die after a
> set time?

We finally resolved this issue. A little about our implementation to
help describe the problem. Our name servers sit in pairs behind a
load balancer. The interfaces (lots of virtual IFs) between the
servers and the load balancer are mostly private nets and are NATed
via the balancer. Bind confs had those private nets in the blackhole
ACL, which you wouldn't think is a problem since the source IPs
shouldn't be in those ranges, but it appears that something is breaking
over those NAT-ed addresses. I'm thinking the clients are sending
their FINs and closing before the server can send the close ACKs and
it just hangs. Anyway, we removed those nets from the blackhole ACL
and put them on the load balancer's ACLs for inbound traffic. Since
then, no more persistent CLOSE_WAIT sessions.

Our duplication of the hung CLOSE_WAIT state on the sockets was done
by telnet-ing to port 53 on the server, from a blackhole ACL-ed net,
then escaping out and quitting. Not sure if this is how the blackhole
was intended to behave, but it does.

I'm just glad it's fixed.
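
Added example, not part of the original post or of BIND: a way to spot the condition described above by comparing two snapshots of Linux's /proc/net/tcp (IPv4 only) and reporting port-53 sockets that stay in CLOSE_WAIT, flagged when the peer falls inside a blackhole ACL range. The snapshots, the ACL ranges and all function names are constructed for illustration; a Linux, little-endian host is assumed.

```python
import ipaddress
import socket
import struct
from collections import Counter

CLOSE_WAIT = 0x08  # TCP state code used in /proc/net/tcp
ROW = "   {}: 0A00000A:{} {} {} 00000000:00000000 00:00000000 00000000    25        0 {}"
HDR = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"
# Constructed snapshots (not from the original post), taken some minutes apart.
SNAP_A = "\n".join([HDR,
    ROW.format(0, "0035", "00000000:0000", "0A", 1001),   # LISTEN on port 53
    ROW.format(1, "0035", "0501A8C0:C350", "08", 1002),   # 192.168.1.5, CLOSE_WAIT
    ROW.format(2, "0035", "077100CB:C351", "08", 1003),   # 203.0.113.7, CLOSE_WAIT
    ROW.format(3, "0016", "0501A8C0:C352", "08", 1004)])  # port 22, ignored
SNAP_B = "\n".join([HDR,
    ROW.format(0, "0035", "00000000:0000", "0A", 1001),
    ROW.format(1, "0035", "0501A8C0:C350", "08", 1002),   # still CLOSE_WAIT
    ROW.format(2, "0035", "090410AC:C353", "01", 1005)])  # 172.16.4.9, ESTABLISHED
# Assumed blackhole ACL contents; the post only says "private nets".
BLACKHOLED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def endpoint(field):
    """Decode 'HEXADDR:HEXPORT' (IPv4, little-endian host) to (ip, port)."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def close_wait_sockets(snapshot, port=53):
    """Return {(remote_ip, remote_port, inode)} in CLOSE_WAIT on the local port."""
    found = set()
    for line in snapshot.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != CLOSE_WAIT:
            continue
        if endpoint(f[1])[1] == port:
            found.add(endpoint(f[2]) + (f[9],))
    return found

def persistent_close_wait(older, newer, blackholed=BLACKHOLED, port=53):
    """Sockets in CLOSE_WAIT in both snapshots, grouped by peer address."""
    nets = [ipaddress.ip_network(n) for n in blackholed]
    stuck = close_wait_sockets(older, port) & close_wait_sockets(newer, port)
    per_peer = Counter(ip for ip, _, _ in stuck)
    return sorted((ip, n, any(ipaddress.ip_address(ip) in net for net in nets))
                  for ip, n in per_peer.items())

if __name__ == "__main__":
    for ip, n, acl in persistent_close_wait(SNAP_A, SNAP_B):
        print(f"{ip}: {n} stuck CLOSE_WAIT socket(s), in blackhole ACL: {acl}")
```

On a live server the two snapshots would be reads of /proc/net/tcp taken a few minutes apart; a socket that keeps the same peer, port and inode in CLOSE_WAIT across both is one the server process has not closed.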