JDBC connection pool and firewall

Connection closed

When a jdbc connection is going through a firewall you might experience connection closed issues. What happens is that the firewall detects idle TCP connections and kills them. This is good stuff, both for security reasons and to free unused resources.
But the application is not always aware of the pretty brutal TCP connection killing done by the firewall. And would end up trying to use a connection already killed by the firewall. This could give all kinds of unexpected results, but bottom line is that you don’t get through to your database.
It would be much better if the application shut down idle and unused connections before the firewall detects it and kills it. If you have written your own jdbc connection handling there are ways to set the jdbc connection timeout.
Firewalls typically has a session timeout of 30 min, before killing idle TCP connections, but it could easily be as low as 10 min. Ask you network administrator, or do a test.

Application server

Another thing is that even if the application server connection pool is configured to remove idle connections after a certain period of time which is below the firewall session timeout, we still experienced connection issues.
The reason was that the minimum size of connection pool was configured to be larger than 0, as suggested by some best practices tutorials.
Note that IDLE_TIMEOUT will not remove conn if it result in connpool smaller than minimum.
I repeat: database connection pool idle timeout value will not remove connections from pool if this result in a pool smaller than minimum.
And what do you think will happen when the application server decide to maintain a minimum size of connections in the pool? Well, the firewall comes along and kills them. The firewall will not respect your minimum number of connections configuration!

Summary

Connections should timeout if idle for a certain period of time, to reduce unnecessary overheads, and to avoid open connections left open across a firewall. The brutal killing of idle TCP connections performed by the firewall can cause all kinds of problems to the application itself.
Keeping a minimum size will again allow the firewall to detect them as idle TCP connections.
As well as timing out, make sure you allow your pool to shrink to size of 0.

Comment are closed.