Microsoft KB Archive/296692

= How to Troubleshoot TCP Ports That Stay in the SYN_RECEIVED State for Long Periods of Time =

Article ID: 296692

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0 Enterprise Edition




This article was previously published under Q296692



SUMMARY
If you are using Winsock TCP ports, you may experience performance problems, such as programs that stop responding (hang). You may also notice that some TCP ports stay in the SYN_RECEIVED state for long periods of time. This article describes how to proceed if you experience these problems.



MORE INFORMATION
If you suspect that the behaviors that you are encountering are caused by network problems, type the following command at a command prompt to view connections that are in the SYN_RECEIVED state:

netstat -n -p tcp

Output that is similar to the following text appears after you run this command:

TCP 159.173.161.130:3600 159.173.150.227:1041 SYN_RECEIVED

TCP 159.173.161.130:3600 159.173.162.59:1040 SYN_RECEIVED

TCP 159.173.161.130:3600 159.173.162.60:1035 SYN_RECEIVED

TCP 159.173.161.130:3600 159.173.162.74:1039 SYN_RECEIVED

TCP 159.173.161.130:3600 159.173.162.96:1042 SYN_RECEIVED

If you run the netstat command again one hour later and the TCP ports are still in the SYN_RECEIVED state, the registry values that control the functionality of the TCP/IP protocol may be in a non-functioning state. To resolve this problem, set the following registry values, which are located under this key, back to their defaults:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Value Name: TcpMaxDataRetransmissions

Data Type: REG_DWORD - Number

Valid Range: 0 - 0xFFFFFFFF

Default: 5

Value Name: InitialRtt

Data Type: REG_DWORD

Valid Range: 0-65535 (decimal)

Default: 0xBB8 (3000 decimal)

If you find the SynAttackProtect value, and your computer is not under a SYN attack, delete this value. For additional information about how to know whether your system is under a TCP SYN attack, see the following article in the Microsoft Knowledge Base:

142641 Internet Server Unavailable Because of Malicious SYN Attacks

In addition, verify that your network is operating properly without losing a large number of frames. To do this, create a network trace. An indication of packet loss is a high number of TCP retransmission frames. Many advanced network sniffer tools, such as Microsoft Network Monitor 2.0, are able to locate TCP retransmissions.
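
The comparison described above (run netstat, then run it again one hour later) can be automated by saving both outputs and intersecting the connections that are in SYN_RECEIVED. The following Python script is an added example, not part of the original article; the function names, the header lines, and the second capture are constructed for illustration, while the first capture reuses the rows shown above.

```python
import re
from collections import Counter

# One TCP row of `netstat -n -p tcp`: protocol, local addr:port, remote addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def syn_received(netstat_text):
    """Return the (local, remote) endpoint pairs that are in SYN_RECEIVED."""
    pairs = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)  # header and blank lines do not match
        if m and m.group(5) == "SYN_RECEIVED":
            pairs.add((f"{m.group(1)}:{m.group(2)}", f"{m.group(3)}:{m.group(4)}"))
    return pairs

def stuck_connections(earlier, later):
    """Pairs that are half-open in both captures (same addresses and ports)."""
    return syn_received(earlier) & syn_received(later)

def stuck_by_listener(earlier, later):
    """Count persistent half-open connections per local address:port."""
    return Counter(local for local, _ in stuck_connections(earlier, later))

# First capture: the rows shown in the article (header lines constructed).
FIRST = """
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    159.173.161.130:3600   159.173.150.227:1041   SYN_RECEIVED
  TCP    159.173.161.130:3600   159.173.162.59:1040    SYN_RECEIVED
  TCP    159.173.161.130:3600   159.173.162.60:1035    SYN_RECEIVED
  TCP    159.173.161.130:3600   159.173.162.74:1039    SYN_RECEIVED
  TCP    159.173.161.130:3600   159.173.162.96:1042    SYN_RECEIVED
"""
# Second capture, one hour later: constructed for this example.
LATER = """
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    159.173.161.130:3600   159.173.150.227:1041   SYN_RECEIVED
  TCP    159.173.161.130:3600   159.173.162.59:1040    ESTABLISHED
  TCP    159.173.161.130:3600   159.173.162.60:1035    SYN_RECEIVED
  TCP    159.173.161.130:3600   159.173.162.74:1044    SYN_RECEIVED
  TCP    159.173.161.130:3600   159.173.162.96:1042    SYN_RECEIVED
"""

if __name__ == "__main__":
    for listener, count in stuck_by_listener(FIRST, LATER).items():
        print(f"{listener}: {count} connection(s) still in SYN_RECEIVED")
```

A pair that appears only in the second capture (here the remote port 1044) is a new connection attempt and is not counted as stuck.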

