Configurable LLM request timeout per provider/model (Ollama cold-start causes silent fallback)

[Meli73]

Summary

When using local Ollama models, the first request after model load triggers a cold-start that takes ~13-46 seconds (depending on model size). The default LLM request timeout in OpenClaw appears too short for this scenario, causing a timeout-based fallback (status 408) to the next model in the fallback chain — typically a cloud model.

This is a secondary issue to the auth-based silent fallback (see #43945), but creates the same problematic outcome: user data intended for local processing is silently routed to cloud providers.

Problem

Ollama models need significant time to load into memory on first request:

• 27B model: ~13 seconds cold-start
• 122B model: ~46 seconds cold-start
• Larger models with CPU offloading: potentially 60+ seconds

During cold-start, Ollama doesn't respond until the model is fully loaded. OpenClaw's LLM request timeout fires before Ollama can respond, resulting in a timeout error that triggers the fallback chain.

Even after fixing the auth issue (#43945), this timeout problem independently causes the same silent fallback behavior.

Steps to Reproduce

1. Configure an Ollama provider with a large model (e.g. qwen3.5:122b)
2. Ensure the model is NOT pre-loaded (cold state — ollama ps shows no running models)
3. Send a request through OpenClaw targeting that model
4. Observed: Request times out (model load + inference exceeds default timeout), falls back to cloud model
5. Expected: Request waits for model load + inference, or timeout is configurable per provider

Log Evidence

[WARN] model_fallback_decision: candidate_failed
  requestedProvider: ollama-remote
  requestedModel: qwen3.5:122b
  reason: timeout, status: 408
  nextCandidate: openai/gpt-4.1-mini

Privacy Impact

Same as the auth issue: if a user chose a local model for data sovereignty, a timeout-triggered fallback silently sends their data to a cloud provider. Combined with the lack of user-visible fallback notifications, this is a privacy concern.

Proposed Fixes

Fix 1: Configurable requestTimeout per provider (minimal)

Add a requestTimeout (or timeoutMs) field to the provider configuration:

{
  "models": {
    "providers": {
      "ollama-remote": {
        "baseUrl": "http://192.168.178.122:11434",
        "api": "ollama",
        "requestTimeout": 120000,
        "models": [...]
      }
    }
  }
}

This allows users to set longer timeouts for local providers with slow cold-starts while keeping tight timeouts for cloud APIs.

Fix 2: Configurable timeout per model (granular)

Allow timeout overrides at the model level for cases where different models on the same provider have vastly different load times:

{
  "models": {
    "providers": {
      "ollama-remote": {
        "api": "ollama",
        "requestTimeout": 60000,
        "models": [
          { "id": "qwen3.5:27b", "requestTimeout": 30000 },
          { "id": "qwen3.5:122b", "requestTimeout": 180000 }
        ]
      }
    }
  }
}

Fix 3: Auto-detect Ollama cold-start and extend timeout (smart)

When api: "ollama" is configured, OpenClaw could probe the Ollama /api/ps endpoint to check if the model is loaded. If not, automatically extend the timeout to accommodate the cold-start. This provides a zero-config experience for Ollama users.

Fix 4: Respect allowCloudFallback: false on timeout too

If the fail-closed policy flag from #43945 is implemented, it should also apply to timeout-triggered fallbacks — not just auth failures. A timeout on a local model should result in an error, not a silent cloud redirect.

Workaround

Pre-load models before use via the Ollama API:

curl http://192.168.178.122:11434/api/generate \
  -d '{"model":"qwen3.5:122b","prompt":"hi","stream":false,"keep_alive":"60m","options":{"num_predict":1}}'

This forces the model into memory with a 60-minute keep-alive, avoiding cold-start timeouts on subsequent requests. However, this requires manual intervention or scripting before each session.

Related

• Subagents miss Ollama credentials and silently fall back to cloud models (privacy regression) #43945 — Subagents miss Ollama credentials and silently fall back to cloud models (privacy regression)
• Both issues independently cause the same outcome: silent data leakage from local to cloud

Environment

• OpenClaw 2026.3.11
• Ollama 0.17.7 (remote, Windows + local, Linux)
• Models tested: qwen3.5:27b (13s cold-start), qwen3.5:122b (46s cold-start)

[tyeth]

Similar with LMStudio, need a timeout per model option.

[derekhsu]

👋 Same issue here using Ollama (localhost:11434) and LM Studio (localhost:1234) as local providers. Local models take significantly longer to respond than cloud APIs (especially on first inference after model load), and the current timeout is not configurable per provider.

Currently the only workaround is to increase keep-alive on the Ollama side, but this does not solve the problem for the initial request.

Proposed solution: Add a requestTimeoutSeconds field to models.providers.<id>, ideally also overridable at the model entry level (models.providers.<id>.models.*). A reasonable default for local models would be 120–180 seconds vs. the current implicit default.

Use case: data privacy — users explicitly choose local models to avoid sending data to the cloud, but a timeout-triggered fallback silently defeats that purpose.

Adding this configuration would solve:

• Cold-start delay on first Ollama request (13–46s+)
• LM Studio inference latency for larger models
• Privacy concern: fallback to cloud on timeout is invisible to the user

Would be happy to help test if a PR is opened.

[clawsweeper]

Closing this as implemented after Codex automated review.

Current main implements a configurable, provider-agnostic LLM idle timeout that covers the reported Ollama/LM Studio cold-start path, documents it for slow local models, tests the timeout/error behavior, and propagates configured attempt timeouts into Undici dispatchers so local streams are not capped by the default transport timeout.

What I checked:

• Config schema: Strict agent defaults schema accepts agents.defaults.llm.idleTimeoutSeconds as a nonnegative integer, describes it as the LLM streaming idle timeout, and documents 0 as disabling the timeout. (src/config/zod-schema.agent-defaults.ts:158, 1531123d3547)
• Timeout resolution: Runtime resolution honors explicit agents.defaults.llm.idleTimeoutSeconds, supports 0 as disabled, falls back to configured run/agent timeout when appropriate, and otherwise uses the 120s default. (src/agents/pi-embedded-runner/run/llm-idle-timeout.ts:22, 1531123d3547)
• Stream enforcement: The embedded runner wraps the model stream with the resolved idle timeout and aborts the active run with an LLM idle timeout error when no response chunks arrive. (src/agents/pi-embedded-runner/run/attempt.ts:1798, 1531123d3547)
• User-visible timeout handling: Regression coverage verifies idle-timeout errors point users at agents.defaults.llm.idleTimeoutSeconds and that one silent idle timeout is retried before surfacing an error. (src/agents/pi-embedded-runner/run.timeout-triggered-compaction.test.ts:225, 1531123d3547)
• Transport timeout propagation: Embedded attempts configure the HTTP runtime with the attempt timeout, and Undici dispatchers apply that value to body/header timeouts so slow local LLM calls are not limited by the default transport timeout. (src/agents/pi-embedded-runner/run/attempt-http-runtime.ts:7, 1531123d3547)
• Public docs: The agent-loop docs describe agents.defaults.llm.idleTimeoutSeconds, explicitly recommend setting it for slow local models, and note that 0 disables it. Public docs: docs/concepts/agent-loop.md. (docs/concepts/agent-loop.md:161, 1531123d3547)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 1531123d3547; fix evidence: release v2026.4.24, commit cbcfdf62c729.