The description for Event ID ( 18 ) in Source ( avgntflt ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description see Help and Support for details. AVGNTFLT.SYS Information This is a valid program that is required to run at startup. This program is required to run on startup in order to benefit from its functionality or so that the program. The description for Event ID ( 18 ) in Source ( avgntflt ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description see Help and Support for details.
Long running queries often causes client timeout in our applications. One good solution to attack this problem is to identify the timeouts and optimize the queries causing the timeouts. Client timeouts or connection interruptions are identified as Attention events. We can capture the attention events using an Extended Events session.
File Info | Description |
---|---|
File Size: | 170 kB |
File Modification Date/Time: | 2019:10:02 15:55:50+00:00 |
File Type: | Win32 EXE |
MIME Type: | application/octet-stream |
Machine Type: | Intel 386 or later, and compatibles |
Time Stamp: | 2019:09:09 11:30:59+00:00 |
PE Type: | PE32 |
Linker Version: | 14.21 |
Code Size: | 125952 |
Initialized Data Size: | 16896 |
Uninitialized Data Size: | 0 |
Entry Point: | 0x26260 |
OS Version: | 10.0 |
Image Version: | 10.0 |
Subsystem Version: | 6.2 |
Subsystem: | Native |
File Version Number: | 15.0.1909.169 |
Product Version Number: | 15.0.1909.169 |
File Flags Mask: | 0x003f |
File Flags: | (none) |
File OS: | Windows NT |
Object File Type: | Driver |
File Subtype: | 7 |
Language Code: | English (U.S.) |
Character Set: | Unicode |
Company Name: | Avira Operations GmbH & Co. KG |
File Description: | Avira Minifilter Driver |
File Version: | 15.0.1909.169 |
Internal Name: | avgntflt.sys |
Legal Copyright: | Copyright © 2019 Avira Operations GmbH & Co. KG and its Licensors |
Product Name: | Avira Product Family |
Product Version: | 15.0.1909.169 |
Comments: | Avira Minifilter Driver - |
Legal Trademarks: | AntiVir® is a registered trademark of Avira GmbH, Germany |
✻ Portions of file data provided by Exiftool (Phil Harvey) distributed under the Perl Artistic License.
One of the dangers of being from a pure cisco background is assumption. You treat all devices as if they have the same defaults as ‘normal’ Cisco devices. I think I’m pretty good at avoiding this, but it gets us all sometimes.
As we all know, when you run long lived TCP connections through application aware devices, you need to ensure the connection is used. The classic problem is Oracle SQLnet through firewalls, where oracle sets up pools of TCP connections for later use, so that when it gets a burst of traffic it has the connections set up and doesn’t need to waste precious milliseconds on TCP handshakes.
The problem comes, if they remain unused for longer than the TCP session timeout value of the firewall (typically 60 minutes), where the firewall silently drops the connections as being dead, but the client and server think they’re still up. Next time one side or the other decides to send a little traffic on one, you get a ‘broken socket’ error.
This is normal behaviour, and needs to be taken into consideration whenever you’re building systems/applications which connect through firewalls or load balancers.
Now, lets be clear. The answer to this issue is always setting a TCP keepalive. Send a packet every minute, and you will never have a problem. Ever. Really, do this. In fact, given you work with such a sensible bunch who will immediately implement this, there’s no need to read on.
Back to F5. Interesting fact of the day, is when you use the F5 LTM for load balancing TCP connections, the default timeout is only 5 minutes – i.e. a TCP connection which does not send a packet for 301 seconds gets dropped. That’s not that long, unlike the 60 minutes (3600 seconds) I have in my head from Cisco land. So the whole ‘using a TCP keepalive’ becomes even more important. Really, you are a crazy person if you don’t use a keepalive in this situation. There’s really no point reading on. You’re not a crazy person, nor is your co-worker who’s setting up the app right?
Still here? OK – there’s two ways to know you have this issue – you’ll see this as RST packets being sent back to the client from the F5 (which do not come from the ‘real’ server) when they send traffic on a timed out connection, and also you can see the current connection timers using the ‘b conn client‘ command :
[[email protected]:Active] ~ # b conn client | grep tcp
Avgntflt Time Outdoor
CONN client 10.1.4.90:1873 server 10.31.8.10:https any protocol tcp age 216 – client: 10.1.4.90:1873
CONN client 10.1.4.90:1876 server 10.31.8.10:https any protocol tcp age 217 – client: 10.1.4.90:1876
CONN client 10.1.4.90:1877 server 10.31.8.10:https any protocol tcp age 238 – client: 10.1.4.90:1877
CONN client 10.1.4.90:1876 server 10.31.8.10:https any protocol tcp age 217 – client: 10.1.4.90:1876
CONN client 10.1.4.90:1877 server 10.31.8.10:https any protocol tcp age 238 – client: 10.1.4.90:1877
You can see even more detail using ‘b conn client show all‘ :
[[email protected]:Active] ~ # b conn client 10.1.4.90 show all
VIRTUAL 10.31.8.10:https <-> NODE any6:any TYPE any
CLIENTSIDE 10.1.4.90:1927 <-> 10.31.8.10:https
(pkts,bits) in = (71, 16867) out = (122, 139083)
SERVERSIDE any6:any <-> any6:any
(pkts,bits) in = (0, 0) out = (0, 0)
PROTOCOL tcp UNIT 1 IDLE 83 (300) LASTHOP 8 00:19:a9:f7:c0:00
VIRTUAL 10.31.8.10:https <-> NODE any6:any TYPE any
CLIENTSIDE 10.1.4.90:1927 <-> 10.31.8.10:https
(pkts,bits) in = (71, 16867) out = (122, 139083)
SERVERSIDE any6:any <-> any6:any
(pkts,bits) in = (0, 0) out = (0, 0)
PROTOCOL tcp UNIT 1 IDLE 83 (300) LASTHOP 8 00:19:a9:f7:c0:00
So you can now see what the actual timeout value is for the this connection (83 seconds used from a 300 second timer in this case). This is particularly hand as it shows you if your ‘fix’ has actually taken.
If you do have a crazy person setting up your application, here’s how you can be a network hero and ‘fix the F5’. Write an iRule with the following content :
when SERVER_CONNECTED {
IP::idle_timeout 3600
}
IP::idle_timeout 3600
}
and apply to the virtual server. This simply ups the timeout to 1 hr (obviously you can adjust the time to suit your environment). You can actually be quite granular, and set different values for different protocols, check the always useful http://devcentral.f5.com site for more detail, or see this excellent post..
To see the change :
[[email protected]:Active] ~ # b conn client 10.1.4.90 show all
VIRTUAL 10.31.8.10:https <-> NODE any6:any TYPE any
(pkts,bits) in = (83, 18157) out = (165, 188758)
(pkts,bits) in = (0, 0) out = (0, 0)
PROTOCOL tcp UNIT 1 IDLE 4 (3600) LASTHOP 8 00:19:a9:f7:c0:00
Avgntflt Time Out Meaning
Last point on this, as with most iRules, simply applying it to the virtual server doesn’t immediately effect current connections. Because the rule starts with ‘when SERVER_CONNECTED’ – it’ll be invoked when a new TCP connection is set up, and the F5 makes the backend connection to the server. You could probably fiddle with this to find other ways to tune when it’s started.