
TCP SYN Drops Due to Listen Backlog Limitation in SafeLine

Published 4 months ago

# SafeLine WAF
# 💡 feature
# 💪 improve


Fury

Updated 4 months ago


Hi,
We would like to share feedback based on our production usage of SafeLine.
Our environment uses SafeLine master–slave HA synchronization with two Pro licenses, and the HA functionality itself works correctly. However, we are experiencing TCP connection drops at the kernel level during traffic bursts.
System logs show:
listen queue of a socket overflowed
SYNs to LISTEN sockets dropped
We confirmed that port 443 is listening with a backlog limited to 511, and drops occur even when CPU and memory usage are still low. This indicates connections are being rejected before requests reach SafeLine’s WAF, bot protection, or upstream routing.
Since SafeLine's custom NGINX configuration does not support modifying the listen directive, the backlog cannot be increased at the application level. Kernel tuning (net.core.somaxconn, tcp_max_syn_backlog) helps only partially at the OS level, as the effective backlog remains capped.
As a result, HA alone is not sufficient to absorb burst traffic, because the bottleneck occurs at the TCP accept stage on the public listener.
We would appreciate guidance on:
Whether there is any supported way to increase the listen backlog in SafeLine, or
Whether the recommended architecture is to place a native NGINX or other ingress layer in front of SafeLine to handle connection bursts.
Thank you for your support and consideration.
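A way to confirm the diagnosis in the post above from host data, added here as an example and not part of the thread or of SafeLine: it parses `ss -ltn`, `sysctl` and `nstat` output, correlates each listener's accept-queue depth with the kernel's ListenOverflows/ListenDrops counters, and says whether the cap is `net.core.somaxconn` or the backlog the application itself requested. The three command outputs embedded below are constructed to resemble the situation described (port 443, backlog 511, queue full).

```python
"""Diagnose listen-backlog (accept-queue) saturation from host command output.

Added diagnostic example for the symptom in the post above; it is not SafeLine
code. The three samples below are constructed to resemble the poster's host:
port 443 listening with backlog 511 and the accept queue already full.
"""
import re
from typing import Dict, List

# Constructed sample of `ss -ltn`. For a LISTEN socket Recv-Q is the number of
# completed connections waiting for accept(); Send-Q is the backlog the kernel
# granted when the process called listen().
SS_LTN = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  511     511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       4096    127.0.0.1:9443      0.0.0.0:*
"""

# Constructed sample of `sysctl net.core.somaxconn net.ipv4.tcp_max_syn_backlog`.
SYSCTL = """\
net.core.somaxconn = 4096
net.ipv4.tcp_max_syn_backlog = 8192
"""

# Constructed sample of `nstat -az TcpExtListenOverflows TcpExtListenDrops`.
NSTAT = """\
#kernel
TcpExtListenOverflows           1532               0.0
TcpExtListenDrops               1532               0.0
"""


def parse_ss(text: str) -> List[dict]:
    """Return one record per LISTEN socket from `ss -ltn` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        rows.append({"addr": addr, "port": int(port),
                     "recvq": int(parts[1]), "sendq": int(parts[2])})
    return rows


def parse_counters(text: str) -> Dict[str, int]:
    """Parse `sysctl` ('key = value') and `nstat` ('key value rate') lines."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*=?\s*(\d+)", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def effective_backlog(requested: int, somaxconn: int) -> int:
    """Linux clamps listen(fd, backlog) to net.core.somaxconn at listen() time.

    NGINX's default on Linux is backlog=511, so raising somaxconn alone leaves
    the listener at 511: the listen directive itself must request more, and the
    new value only takes effect when the process re-listens (reload/restart).
    """
    return min(requested, somaxconn)


def diagnose(ss_text: str, sysctl_text: str, nstat_text: str,
             ports=(443,)) -> dict:
    """Correlate per-listener queue depth with the kernel overflow counters."""
    sysctl = parse_counters(sysctl_text)
    nstat = parse_counters(nstat_text)
    somaxconn = sysctl.get("net.core.somaxconn", 0)
    report = {
        "somaxconn": somaxconn,
        "overflows": nstat.get("TcpExtListenOverflows", 0),  # accept queue full
        "listen_drops": nstat.get("TcpExtListenDrops", 0),   # all drops at listeners
        "saturated": [], "headroom": [],
    }
    for l in parse_ss(ss_text):
        if l["port"] not in ports:
            continue
        entry = dict(l)
        entry["free_slots"] = max(l["sendq"] - l["recvq"], 0)
        # If Send-Q already equals somaxconn, the sysctl is the cap; otherwise the
        # application asked for a smaller backlog and sysctl changes cannot help.
        entry["cap"] = "somaxconn" if l["sendq"] >= somaxconn else "application"
        # Recv-Q reaching Send-Q means completed handshakes are being discarded.
        bucket = "saturated" if l["recvq"] >= l["sendq"] else "headroom"
        report[bucket].append(entry)
    return report


def summarize(report: dict) -> List[str]:
    """Human-readable findings; an empty list means nothing looks wrong."""
    lines = []
    for e in report["saturated"]:
        lines.append(f"{e['addr']}:{e['port']} accept queue full "
                     f"({e['recvq']}/{e['sendq']}), backlog capped by {e['cap']}")
    if report["overflows"]:
        lines.append(f"kernel reports {report['overflows']} ListenOverflows "
                     f"and {report['listen_drops']} ListenDrops since boot")
    return lines


if __name__ == "__main__":
    for finding in summarize(diagnose(SS_LTN, SYSCTL, NSTAT)):
        print(finding)
```

On a real host, pass the live outputs of the three commands instead of the constructed strings. The useful signal is the `cap` field: when Send-Q on the public listener is below `net.core.somaxconn`, the limit is the backlog the process passed to listen() (511 for NGINX on Linux unless the listen directive says otherwise), which is exactly the case where sysctl tuning alone cannot help. Note that with `reuseport` each worker has its own socket, so `ss -ltn` shows several LISTEN rows for the same port.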


Carrie

Updated 4 months ago


Our technical team took another close look at this today. They mentioned that if you are using the latest version of SafeLine, you can try adding a * under the Domain configuration as a workaround for now.

Currently, backlog and reuseport are only configured when the server is set as the default server, and these settings are defined in the server block of the file located at:
/data/safeline/resources/nginx/sites-enabled/IF_backend_x

But this approach still has its limitations. They'll continue to discuss this issue in more depth with our R&D team.
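The mechanics behind the workaround in Carrie's reply, shown on stock NGINX as an added illustration rather than SafeLine's generated configuration: `backlog=` and `reuseport` are socket options of the `listen` directive and may be given only once per address:port pair, so they must sit on the server that owns the socket, conventionally the `default_server`. A catch-all `server_name` plays the same role as a `*` entry in a domain list. The file path, server names and upstream below are placeholders; nothing here is taken from the `IF_backend_x` file itself.

```nginx
# Illustrative stock-NGINX config (added example, not SafeLine's own file).
# Socket options such as backlog= and reuseport may appear only once per
# address:port, so they belong on the default_server's listen line.
server {
    # NGINX's default backlog on Linux is 511; the kernel further clamps the
    # requested value to net.core.somaxconn, so raise both and reload.
    listen 443 ssl default_server reuseport backlog=4096;
    server_name _;                      # catch-all, like "*" in a domain list

    # Placeholder: a catch-all vhost receives every unmatched Host header, so
    # decide explicitly what it should do rather than proxying by accident.
    return 444;
}

server {
    # Other vhosts on the same address:port share the socket created above
    # and must not repeat backlog= or reuseport.
    listen 443 ssl;
    server_name app.example.com;        # placeholder hostname

    location / {
        proxy_pass http://backend_placeholder;   # placeholder upstream
    }
}
```

After `sysctl -w net.core.somaxconn=4096` and an NGINX reload, `ss -ltn` should show the new value in the Send-Q column for port 443 (one row per worker when `reuseport` is on); if it still shows 511, the listen() call did not pick up the new backlog. The same check applies to the `*` domain workaround: it only helps if the resulting server block is the one that ends up as the default server with those options on its listen line.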


Fury

Updated 3 months ago


Any update about this, please? We really need to set up the backlog via the GUI.


Carrie

Updated 3 months ago


Sorry, not yet. We just finished our two-week Chinese New Year holiday, and the earliest product discussion meeting will be around early March. We’ll reply here once there’s an update.


Fury

Updated 3 months ago


OK, thank you.
