Why does 'Socket is not connected' only appear after a failover and not during normal operations?

During normal operations, your TCP sockets to the primary are alive and the OS confirms connectivity. After failover, the old primary's TCP endpoint disappears, but the client OS kernel doesn't immediately mark those sockets as dead — it relies on keepalive probes or an actual send attempt to discover the failure. Connection pools that don't validate connections before use will hand these zombie sockets to your application, which only discovers they're dead when it tries to write data.

Does enabling pool_pre_ping add significant latency overhead?

Yes, but it's bounded. Pre-ping adds one SELECT 1 round-trip per connection checkout from the pool. On a local network this is sub-millisecond; on a cross-AZ RDS setup it's typically 1–3ms. For high-throughput OLTP, the better approach is combining short pool_recycle TTLs (300s) with TCP keepalives, which catches stale connections passively without a per-checkout round-trip. Reserve pre-ping for lower-traffic services or as a belt-and-suspenders addition.

PgBouncer is in front of PostgreSQL — does this error still occur?

Yes, if PgBouncer is in session pooling mode. In session mode, PgBouncer holds a server connection open for the lifetime of a client session, so stale server-side sockets survive failover just like a direct pool. Switch to transaction pooling mode — PgBouncer re-acquires a server connection per transaction, making it naturally resilient to failover events. Also set server_idle_timeout=30 and tcp_keepalive=1 in pgbouncer.ini regardless of pool mode.

Fixing PostgreSQL 'Socket is not connected' After Failover: Root Cause and Connection Pool Recovery

Threat/Impact Level: HIGH | Downtime Risk: HIGH | Time to Fix: 15–45 mins depending on stack

TL;DR

What broke: Your connection pool cached TCP sockets to the old primary. After failover, those sockets are dead — the OS hasn't torn them down yet, so the pool hands them to your app, which immediately fails on write.
How to fix it: Enable pool_pre_ping, set TCP keepalives at the driver level, and configure your pool's connection_recycle interval to be shorter than your HA failover window.
Shortcut: Use our Client-Side Sandbox below to auto-refactor this — paste your SQLAlchemy URI, PgBouncer config, or pg Node.js options and get a patched config instantly.

The Incident (What Does the Error Mean?)

OperationalError: could not send data to server: Socket is not connected
SSL connection has been closed unexpectedly
server closed the connection unexpectedly

This fires immediately after a PostgreSQL primary failover (Patroni, RDS Multi-AZ, Aurora, etc.). The sequence:

Primary goes down. Replica is promoted. DNS/VIP flips — typically within 30–60 seconds.
Your connection pool has N open sockets that were established to the old primary IP.
The OS TCP stack on the client side doesn't know the server is gone yet — TIME_WAIT and kernel keepalive defaults are 2+ hours.
Pool returns one of these zombie sockets to your application thread.
App attempts a send() syscall. Kernel returns ENOTCONN. PostgreSQL client library surfaces it as the above error.

Immediate consequence: Every request hitting a stale connection fails hard. Depending on your retry logic, this cascades into 500s, queue backlogs, or full application unavailability for the duration it takes the pool to drain and re-establish connections to the new primary.

The Attack Vector / Blast Radius

This is a silent availability hole in your HA architecture. You spent engineering cycles setting up Patroni or RDS Multi-AZ for sub-60-second failover. But if your application layer doesn't handle stale sockets, your actual application recovery time is your pool's idle connection TTL — which defaults to unlimited in most frameworks.

Cascading failure path:

Thread pool exhaustion: threads block waiting for DB responses that never come, filling your thread pool.
Retry storms: if you have naive retry logic without backoff, failed queries hammer the new primary during its promotion window.
Data integrity risk: if your ORM doesn't distinguish between a network error and a transaction error, you may retry non-idempotent writes.
Monitoring blind spot: APM tools often report this as an application error, not a DB failover event — on-call engineers waste 20 minutes looking in the wrong place.

Affected stacks: SQLAlchemy, psycopg2, asyncpg, node-postgres (pg), JDBC, PgBouncer in session mode, HikariCP.

How to Fix It

Basic Fix — Enable Pre-Ping / Connection Validation

Most pools support a "test on borrow" or pre-ping mechanism. This adds one SELECT 1 round-trip before handing a connection to your app. It's not zero-cost, but it's the fastest path to correctness.

SQLAlchemy (Python):

 engine = create_engine(
     DATABASE_URL,
-    pool_pre_ping=False,
+    pool_pre_ping=True,
+    pool_recycle=300,          # recycle connections older than 5 min
+    pool_timeout=10,
+    connect_args={
+        "keepalives": 1,
+        "keepalives_idle": 10,
+        "keepalives_interval": 5,
+        "keepalives_count": 3,
+    }
 )

node-postgres (pg / pg-pool):

 const pool = new Pool({
   connectionString: process.env.DATABASE_URL,
+  idleTimeoutMillis: 10000,
+  connectionTimeoutMillis: 5000,
+  allowExitOnIdle: true,
 });
+
+// Attach error handler — without this, stale socket errors crash the process
+pool.on('error', (err, client) => {
+  console.error('Idle client error, removing from pool', err.message);
+});

asyncpg (Python async):

 pool = await asyncpg.create_pool(
     dsn=DATABASE_URL,
+    min_size=2,
+    max_size=10,
+    max_inactive_connection_lifetime=30.0,  # seconds — critical post-failover
+    command_timeout=10,
 )

Enterprise Best Practice — TCP Keepalives + Pool Health Checks + Retry Policy

Pre-ping alone is insufficient for high-throughput systems (it serializes connection checkout). The correct enterprise posture is:

TCP keepalives at the kernel level — detect dead connections without an application-layer round-trip.
Short pool recycle TTL — force connection renewal before your HA failover window.
Exponential backoff retry scoped only to transient network errors, not SQL errors.
PgBouncer in transaction mode (not session mode) — transaction mode re-establishes server connections per transaction, making it naturally resilient to failover.

PgBouncer pgbouncer.ini:

 [pgbouncer]
 pool_mode = session
+pool_mode = transaction
+
 server_idle_timeout = 600
+server_idle_timeout = 30
+server_lifetime = 300
+server_connect_timeout = 5
+tcp_keepalive = 1
+tcp_keepidle = 10
+tcp_keepintvl = 5
+tcp_keepcnt = 3
+query_wait_timeout = 10

JDBC / HikariCP (Java):

 HikariConfig config = new HikariConfig();
 config.setJdbcUrl(DB_URL);
+config.setConnectionTestQuery("SELECT 1");
+config.setKeepaliveTime(30000);          // 30s keepalive probe
+config.setMaxLifetime(180000);           // 3 min max connection lifetime
+config.setConnectionTimeout(10000);
+config.setIdleTimeout(20000);
+config.addDataSourceProperty("tcpKeepAlive", "true");
+config.addDataSourceProperty("socketTimeout", "15");

PostgreSQL postgresql.conf (server-side keepalive — defense in depth):

+tcp_keepalives_idle = 10
+tcp_keepalives_interval = 5
+tcp_keepalives_count = 3

💡 Tired of pasting proprietary configs into ChatGPT? Generic AI tools log your company's ARNs, DB strings, and private keys. StackEngine is a zero-backend, pure Client-Side WASM utility. Drop your failing config into the sandbox above. We redact your secrets locally in the browser and auto-generate the refactored code using your own API key.

Prevention in CI/CD

1. Checkov / Terraform static analysis — flag connection pools deployed without pool_pre_ping or equivalent:

# .checkov/custom_checks/db_pool_pre_ping.py
# Check that SQLAlchemy engine configs include pool_pre_ping=True
# Integrate into: checkov -d . --external-checks-dir .checkov/custom_checks

2. Chaos engineering in staging — use tc netem or Toxiproxy to simulate primary failover:

# Simulate failover: drop all connections to DB port for 45 seconds
toxiproxy-cli toxic add postgres_proxy \
  --type timeout \
  --attribute timeout=45000 \
  -n failover_sim

# Run your integration test suite during this window
# Any test that fails with 'Socket is not connected' without retry = gap in your pool config

3. OPA policy in Kubernetes — reject Deployments that reference a DB without a liveness probe that validates pool health:

package kubernetes.admission

deny[msg] {
  input.request.kind.kind == "Deployment"
  container := input.request.object.spec.template.spec.containers[_]
  not container.livenessProbe
  msg := sprintf("Container '%v' missing livenessProbe — required for DB failover detection", [container.name])
}

4. Alerting — set a PagerDuty/Alertmanager rule on pg_stat_activity connection churn rate. A spike in new connections immediately after a failover event is your leading indicator that the pool is recovering from stale sockets — not a lagging one.