8.4. Timing events

  1. Timers provide a great help in troubleshooting network problems. All values are
  2. reported in milliseconds (ms). These timers should be used in conjunction with
  3. the session termination flags. In TCP mode with "option tcplog" set on the
  4. frontend, 3 control points are reported under the form "Tw/Tc/Tt", and in HTTP
  5. mode, 5 control points are reported under the form "TR/Tw/Tc/Tr/Ta". In
  6. addition, three other measures are provided, "Th", "Ti", and "Tq".
  7.  
  8. Timings events in HTTP mode:
  9.  
  10.                  first request               2nd request
  11.       |<-------------------------------->|<-------------- ...
  12.       t         tr                       t    tr ...
  13.    ---|----|----|----|----|----|----|----|----|--
  14.       : Th   Ti   TR   Tw   Tc   Tr   Td : Ti   ...
  15.       :<---- Tq ---->:                   :
  16.       :<-------------- Tt -------------->:
  17.                 :<--------- Ta --------->:
  18.  
  19. Timings events in TCP mode:
  20.  
  21.            TCP session
  22.       |<----------------->|
  23.       t                   t
  24.    ---|----|----|----|----|---
  25.       | Th   Tw   Tc   Td |
  26.       |<------ Tt ------->|
  27.  
  28.   - Th: total time to accept tcp connection and execute handshakes for low level
  29.     protocols. Currently, these protocols are proxy-protocol and SSL. This may
  30.     only happen once during the whole connection's lifetime. A large time here
  31.     may indicate that the client only pre-established the connection without
  32.     speaking, that it is experiencing network issues preventing it from
  33.     completing a handshake in a reasonable time (e.g. MTU issues), or that an
  34.     SSL handshake was very expensive to compute. Please note that this time is
  35.     reported only before the first request, so it is safe to average it over
  36.     all request to calculate the amortized value. The second and subsequent
  37.     request will always report zero here.
  38.  
  39.   - Ti: is the idle time before the HTTP request (HTTP mode only). This timer
  40.     counts between the end of the handshakes and the first byte of the HTTP
  41.     request. When dealing with a second request in keep-alive mode, it starts
  42.     to count after the end of the transmission the previous response. When a
  43.     multiplexed protocol such as HTTP/2 is used, it starts to count immediately
  44.     after the previous request. Some browsers pre-establish connections to a
  45.     server in order to reduce the latency of a future request, and keep them
  46.     pending until they need it. This delay will be reported as the idle time. A
  47.     value of -1 indicates that nothing was received on the connection.
  48.  
  49.   - TR: total time to get the client request (HTTP mode only). It's the time
  50.     elapsed between the first bytes received and the moment the proxy received
  51.     the empty line marking the end of the HTTP headers. The value "-1"
  52.     indicates that the end of headers has never been seen. This happens when
  53.     the client closes prematurely or times out. This time is usually very short
  54.     since most requests fit in a single packet. A large time may indicate a
  55.     request typed by hand during a test.
  56.  
  57.   - Tq: total time to get the client request from the accept date or since the
  58.     emission of the last byte of the previous response (HTTP mode only). It's
  59.     exactly equal to Th + Ti + TR unless any of them is -1, in which case it
  60.     returns -1 as well. This timer used to be very useful before the arrival of
  61.     HTTP keep-alive and browsers' pre-connect feature. It's recommended to drop
  62.     it in favor of TR nowadays, as the idle time adds a lot of noise to the
  63.     reports.
  64.  
  65.   - Tw: total time spent in the queues waiting for a connection slot. It
  66.     accounts for backend queue as well as the server queues, and depends on the
  67.     queue size, and the time needed for the server to complete previous
  68.     requests. The value "-1" means that the request was killed before reaching
  69.     the queue, which is generally what happens with invalid or denied requests.
  70.  
  71.   - Tc: total time to establish the TCP connection to the server. It's the time
  72.     elapsed between the moment the proxy sent the connection request, and the
  73.     moment it was acknowledged by the server, or between the TCP SYN packet and
  74.     the matching SYN/ACK packet in return. The value "-1" means that the
  75.     connection never established.
  76.  
  77.   - Tr: server response time (HTTP mode only). It's the time elapsed between
  78.     the moment the TCP connection was established to the server and the moment
  79.     the server sent its complete response headers. It purely shows its request
  80.     processing time, without the network overhead due to the data transmission.
  81.     It is worth noting that when the client has data to send to the server, for
  82.     instance during a POST request, the time already runs, and this can distort
  83.     apparent response time. For this reason, it's generally wise not to trust
  84.     too much this field for POST requests initiated from clients behind an
  85.     untrusted network. A value of "-1" here means that the last the response
  86.     header (empty line) was never seen, most likely because the server timeout
  87.     stroke before the server managed to process the request.
  88.  
  89.   - Ta: total active time for the HTTP request, between the moment the proxy
  90.     received the first byte of the request header and the emission of the last
  91.     byte of the response body. The exception is when the "logasap" option is
  92.     specified. In this case, it only equals (TR+Tw+Tc+Tr), and is prefixed with
  93.     a '+' sign. From this field, we can deduce "Td", the data transmission time,
  94.     by subtracting other timers when valid :
  95.  
  96.         Td = Ta - (TR + Tw + Tc + Tr)
  97.  
  98.     Timers with "-1" values have to be excluded from this equation. Note that
  99.     "Ta" can never be negative.
  100.  
  101.   - Tt: total session duration time, between the moment the proxy accepted it
  102.     and the moment both ends were closed. The exception is when the "logasap"
  103.     option is specified. In this case, it only equals (Th+Ti+TR+Tw+Tc+Tr), and
  104.     is prefixed with a '+' sign. From this field, we can deduce "Td", the data
  105.     transmission time, by subtracting other timers when valid :
  106.  
  107.         Td = Tt - (Th + Ti + TR + Tw + Tc + Tr)
  108.  
  109.     Timers with "-1" values have to be excluded from this equation. In TCP
  110.     mode, "Ti", "Tq" and "Tr" have to be excluded too. Note that "Tt" can never
  111.     be negative and that for HTTP, Tt is simply equal to (Th+Ti+Ta).
  112.  
  113. These timers provide precious indications on trouble causes. Since the TCP
  114. protocol defines retransmit delays of 3, 6, 12... seconds, we know for sure
  115. that timers close to multiples of 3s are nearly always related to lost packets
  116. due to network problems (wires, negotiation, congestion). Moreover, if "Ta" or
  117. "Tt" is close to a timeout value specified in the configuration, it often means
  118. that a session has been aborted on timeout.
  119.  
  120. Most common cases :
  121.  
  122.   - If "Th" or "Ti" are close to 3000, a packet has probably been lost between
  123.     the client and the proxy. This is very rare on local networks but might
  124.     happen when clients are on far remote networks and send large requests. It
  125.     may happen that values larger than usual appear here without any network
  126.     cause. Sometimes, during an attack or just after a resource starvation has
  127.     ended, haproxy may accept thousands of connections in a few milliseconds.
  128.     The time spent accepting these connections will inevitably slightly delay
  129.     processing of other connections, and it can happen that request times in the
  130.     order of a few tens of milliseconds are measured after a few thousands of
  131.     new connections have been accepted at once. Using one of the keep-alive
  132.     modes may display larger idle times since "Ti" measures the time spent
  133.     waiting for additional requests.
  134.  
  135.   - If "Tc" is close to 3000, a packet has probably been lost between the
  136.     server and the proxy during the server connection phase. This value should
  137.     always be very low, such as 1 ms on local networks and less than a few tens
  138.     of ms on remote networks.
  139.  
  140.   - If "Tr" is nearly always lower than 3000 except some rare values which seem
  141.     to be the average majored by 3000, there are probably some packets lost
  142.     between the proxy and the server.
  143.  
  144.   - If "Ta" is large even for small byte counts, it generally is because
  145.     neither the client nor the server decides to close the connection while
  146.     haproxy is running in tunnel mode and both have agreed on a keep-alive
  147.     connection mode. In order to solve this issue, it will be needed to specify
  148.     one of the HTTP options to manipulate keep-alive or close options on either
  149.     the frontend or the backend. Having the smallest possible 'Ta' or 'Tt' is
  150.     important when connection regulation is used with the "maxconn" option on
  151.     the servers, since no new connection will be sent to the server until
  152.     another one is released.
  153.  
  154. Other noticeable HTTP log cases ('xx' means any value to be ignored) :
  155.  
  156.   TR/Tw/Tc/Tr/+Ta  The "option logasap" is present on the frontend and the log
  157.                    was emitted before the data phase. All the timers are valid
  158.                    except "Ta" which is shorter than reality.
  159.  
  160.   -1/xx/xx/xx/Ta   The client was not able to send a complete request in time
  161.                    or it aborted too early. Check the session termination flags
  162.                    then "timeout http-request" and "timeout client" settings.
  163.  
  164.   TR/-1/xx/xx/Ta   It was not possible to process the request, maybe because
  165.                    servers were out of order, because the request was invalid
  166.                    or forbidden by ACL rules. Check the session termination
  167.                    flags.
  168.  
  169.   TR/Tw/-1/xx/Ta   The connection could not establish on the server. Either it
  170.                    actively refused it or it timed out after Ta-(TR+Tw) ms.
  171.                    Check the session termination flags, then check the
  172.                    "timeout connect" setting. Note that the tarpit action might
  173.                    return similar-looking patterns, with "Tw" equal to the time
  174.                    the client connection was maintained open.
  175.  
  176.   TR/Tw/Tc/-1/Ta   The server has accepted the connection but did not return
  177.                    a complete response in time, or it closed its connection
  178.                    unexpectedly after Ta-(TR+Tw+Tc) ms. Check the session
  179.                    termination flags, then check the "timeout server" setting.