Increasing the flow-eviction threshold
The threshold is a type of limit on the number of flows that are cached in the kernel. OVS will handle as many flows as can be processed through ovs-vswitchd.
If the number of newly created connections reaches this limit within a 5-second window, OvS attempts to keep memory consumption under the limit by evicting older flow entries.
It is possible to increase this flow-eviction threshold. This is the recommended first step to resolve issues related to the number and frequency of flow entries being created.
To set the flow-eviction-threshold, enter the following:
ovs-vsctl set bridge <bridgename> other-config:flow-eviction-threshold=<new value>
To query whether the flow-eviction-threshold was set explicitly:
ovs-vsctl get bridge <bridgename> other-config:flow-eviction-threshold
Customers can use the active flow-eviction-threshold value to evaluate the current number of active flows by using the following command:
watch -n 1 ovs-dpctl show
This command prints out the bridge statistics every second, until the process is ended.
The flows counter displays the actual number of current flow entries. If the number of flows approaches the flow-eviction-threshold, OvS has to deal with a lot of flow creations and deletions. In this case, increasing the flow-eviction-threshold should help address the issue.
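A check that automates the comparison described above, as an added example that is not from the original page: it parses `ovs-dpctl show` output and reports how close each datapath's flows counter is to a threshold you pass in. The sample output, the 80% warning level and the bridge name br0 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compare the "flows:" counter
# in `ovs-dpctl show` output with a flow-eviction-threshold value.

# Constructed sample of `ovs-dpctl show` output, for offline use.
sample_dpctl_show() {
    cat <<'EOF'
system@ovs-system:
    lookups: hit:1200345 missed:88012 lost:17
    flows: 2310
    masks: hit:3400112 total:6 hit/pkt:2.64
    port 0: ovs-system (internal)
    port 1: br0 (internal)
    port 2: eth1
EOF
}

# flow_pressure THRESHOLD [WARN_PCT]
# Reads `ovs-dpctl show` output on stdin and prints, per datapath:
#   <datapath> <flows> <percent of threshold> <OK|NEAR|OVER>
# Returns 0 if every datapath is OK, 1 if any is NEAR or OVER,
# 2 on a bad threshold or when no "flows:" line was found.
flow_pressure() {
    threshold=$1
    warn_pct=${2:-80}   # assumption: warn at 80%; not an OvS setting
    case $threshold in
        ''|*[!0-9]*) echo "threshold must be a positive integer" >&2; return 2 ;;
    esac
    [ "$threshold" -gt 0 ] || return 2
    awk -v t="$threshold" -v w="$warn_pct" '
        NF == 1 && $1 ~ /:$/ { dp = $1; sub(/:$/, "", dp); next }  # datapath header
        $1 == "flows:" && $2 ~ /^[0-9]+$/ {
            pct = int($2 * 100 / t)
            state = ($2 + 0 >= t + 0) ? "OVER" : ((pct >= w + 0) ? "NEAR" : "OK")
            if (state != "OK") bad = 1
            printf "%s %d %d %s\n", dp, $2, pct, state
            seen = 1
        }
        END { if (!seen) exit 2; exit bad + 0 }
    '
}

# Live use (br0 is a hypothetical bridge name; ovs-vsctl prints the value quoted):
#   t=$(ovs-vsctl get bridge br0 other-config:flow-eviction-threshold | tr -d '"')
#   ovs-dpctl show | flow_pressure "$t"
```

A NEAR or OVER result that persists across repeated runs is the condition the text describes, where OvS is spending its time creating and evicting flows.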
Increase idleTimeout & hardTimeout
The idleTimeout is a value that determines how long a flow in a switch will last if it doesn't match any traffic. So if I have a flow in a switch with an idleTimeout of 5 seconds that matches all ICMP traffic on a given switch port, then as long as ICMP traffic is entering that switch port, that flow will continue to exist. If no ICMP traffic goes through the switch port for 5 seconds, the flow will time out, and it will be removed from the switch.
The hardTimeout, on the other hand, is a hard limit on how long a given flow can exist in the switch. If I have a flow in a switch with a hardTimeout of 5 seconds that matches all ICMP traffic on a given switch port, then even if ICMP traffic is continuously entering the switch port, that flow will time out after 5 seconds and it will be removed from the switch.
"If both idle_timeout and hard_timeout are zero, the entry is considered permanent and will never time out"
The idle age is simply how long the flow has not matched any packets. If the idle age is reported at 12, then that means the flow has not matched any packets in 12 seconds. This will be reset automatically back to zero by the switch as soon as the flow matches a packet. The idle age is what triggers an idle timeout if there is an idle timeout set.