TCP Keepalive

AWS NAT drops a TCP connection if the connection is idle for 350 seconds: https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-troubleshooting.html#nat-gateway-troubleshooting-timeout

Linux systems usually have these TCP keepalive defaults:

net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9

Therefore the Linux kernel starts sending keepalive probes only after 7200 seconds (2 hours) of idleness, long after the 350-second AWS NAT timeout has already dropped the connection.

You need to set a lower net.ipv4.tcp_keepalive_time value when using AWS NAT.

Example for a docker-compose file entry:

services:
  myservice:
    sysctls:
      - net.ipv4.tcp_keepalive_time=274
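The sysctl only changes the host-wide default; an application can also override it per socket, which is useful when you cannot change sysctls on the host. The following is an added example written for this page (not code from the page or from AWS): it computes when probes start for a given set of keepalive values, and shows how a Python socket can set the idle timer to the page's 274 seconds via SO_KEEPALIVE plus the Linux socket options TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT. The option names and the macOS fallback name TCP_KEEPALIVE are assumptions about the platform; the 350-second NAT timeout and the Linux defaults are the values quoted above.

```python
"""Added example: per-socket TCP keepalive that probes before the 350-second
AWS NAT Gateway idle timeout, independent of net.ipv4.tcp_keepalive_* sysctls."""
import socket

# Idle timeout documented for AWS NAT Gateway (value quoted on this page).
AWS_NAT_IDLE_TIMEOUT = 350

# Linux kernel defaults quoted on this page.
LINUX_DEFAULTS = {"time": 7200, "intvl": 75, "probes": 9}


def probe_schedule(time, intvl, probes, idle_timeout=AWS_NAT_IDLE_TIMEOUT):
    """Return (first_probe_at, dead_peer_at, keeps_nat_alive).

    The first probe is sent after `time` idle seconds, each further probe
    `intvl` seconds later, and the kernel gives up after `probes` unanswered
    probes. The NAT mapping survives only if the first probe precedes the
    NAT idle timeout.
    """
    first_probe_at = time
    dead_peer_at = time + intvl * probes
    return first_probe_at, dead_peer_at, first_probe_at < idle_timeout


def enable_keepalive(sock, time=274, intvl=75, probes=9):
    """Turn on SO_KEEPALIVE and override the kernel defaults on this socket.

    TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT are the Linux names (assumed
    here); macOS calls the idle timer TCP_KEEPALIVE, hence the fallback.
    Per-socket values take precedence over the sysctl defaults.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, time)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, intvl)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return sock


def effective_keepalive(sock):
    """Read back the per-socket keepalive settings (None where unsupported)."""
    def get(name):
        opt = getattr(socket, name, None)
        return None if opt is None else sock.getsockopt(socket.IPPROTO_TCP, opt)

    idle = get("TCP_KEEPIDLE")
    if idle is None:
        idle = get("TCP_KEEPALIVE")
    return {
        "enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "time": idle,
        "intvl": get("TCP_KEEPINTVL"),
        "probes": get("TCP_KEEPCNT"),
    }


def demo(time=274, intvl=75, probes=9):
    """Create an (unconnected) TCP socket, apply keepalive, and report the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        enable_keepalive(s, time, intvl, probes)
        settings = effective_keepalive(s)
    settings["schedule"] = probe_schedule(time, intvl, probes)
    return settings


if __name__ == "__main__":
    print("Linux defaults:", probe_schedule(**LINUX_DEFAULTS))
    print("per-socket:", demo())
```

With the page's 274-second idle timer and the default interval and probe count, the first probe goes out at 274 s and an unresponsive peer is declared dead at 274 + 75 * 9 = 949 s; with the Linux defaults the first probe is not sent until 7200 s, so the NAT mapping is long gone.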

curl

The command line tool curl has built-in TCP keepalive support that by default starts sending keepalive probes after 60 seconds, for details see https://curl.se/docs/manpage.html#--keepalive-time
