Microsoft KB Archive/296692

From BetaArchive Wiki
Knowledge Base


How to Troubleshoot TCP Ports That Stay in the SYN_RECEIVED State for Long Periods of Time

Article ID: 296692

Article Last Modified on 11/1/2006


APPLIES TO

  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Server 4.0 Enterprise Edition


This article was previously published under Q296692

SUMMARY

If you are using Winsock TCP ports, you may experience performance problems, such as programs that stop responding (hang). You may also notice that some TCP ports stay in the SYN_RECEIVED state for long periods of time. This article describes how to proceed if you experience these problems.

MORE INFORMATION

If you suspect that the behaviors that you are encountering are caused by network problems, type the following command at a command prompt to view connections that are in the SYN_RECEIVED state:

netstat -n -p tcp


Output that is similar to the following text appears after you run this command:

TCP 159.173.161.130:3600 159.173.150.227:1041 SYN_RECEIVED
TCP 159.173.161.130:3600 159.173.162.59:1040 SYN_RECEIVED
TCP 159.173.161.130:3600 159.173.162.60:1035 SYN_RECEIVED
TCP 159.173.161.130:3600 159.173.162.74:1039 SYN_RECEIVED
TCP 159.173.161.130:3600 159.173.162.96:1042 SYN_RECEIVED


If you run the netstat command one hour later, the TCP ports are still in the SYN_RECEIVED state, which can occur if the registry keys that control the functionality of the TCP/IP protocol are in a non-functioning state. To resolve this problem, set the following registry keys back to their default values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Value Name: TcpMaxDataRetransmissions
Data Type: REG_DWORD - Number
Valid Range: 0 - 0xFFFFFFFF
Default: 5

Value Name: InitialRtt
Data Type: REG_DWORD
Valid Range: 0-65535 (decimal)
Default: 0xBB8 (3000 decimal)


If you find the SynAttackProtect key, and your computer is not under a SYN attack, delete this key. For additional information about how to know whether your system is under a TCP SYN attack, click the article number below to view the article in the Microsoft Knowledge Base:

142641 Internet Server Unavailable Because of Malicious SYN Attacks


In addition, verify that your network is operating properly without losing a large number of frames. To do this, create a network trace. An indication of packet loss is a high number of TCP retransmission frames. Many advanced network sniffer tools, such as Microsoft Network Monitor 2.0, are able to locate TCP retransmissions.

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

170359 How to Modify the TCP/IP Maximum Retransmission Timeout


Keywords: kbfaq kbhowto kbnetwork kbnofix KB296692



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/296692&oldid=162318
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki