Submit a ticketCall us

Don’t fall victim to a ransomware attack
Backups are helpful, but sometimes that’s not enough to protect your business against ransomware. At our live webcast we will discuss how to protect against ransomware attacks with SolarWinds® Patch Manager and how to leverage log data to detect ransomware. Register now for our live webcast.

Home > Success Center > ipMonitor > NETSTAT -A command displays too many TCP/IP connections

NETSTAT -A command displays too many TCP/IP connections

Overview

Running the NETSTAT -A command from the command prompt shows a large number of TCP/IP connections established by the ipMonitor software. This increased network traffic can affect ipMonitor's ability to create new connections, especially since many existing TCP/IP connections remain in a reserved TIME_WAIT state. Ultimately, if ipMonitor is unable to open new connections, monitor failures can occur.

Environment

ipMonitor 9

Cause

The majority of TCP/IP connections displayed are ephemeral ports that have already been closed, but that remain reserved before they can be reused. This reserved state is denoted by the netstat TIME_WAIT label.

Microsoft limits the number of connections to 3975 by default, meaning that there can only be 3975 TCP/IP connections open at any given time. In addition, the TIME_WAIT state is configured by default to be 240 seconds. This means that Windows can only support an average of 33 TCP/IP connections per second. ipMonitor must then wait 240 seconds before being able to reuse those connections. If you have a large number of configured Monitors set to retest resources at short intervals, 3975 connections every four minutes may not be enough.

Resolution

Warning: Windows registry changes can result in severe system damage if performed incorrectly. Before you modify the registry, make a backup copy and ensure you understand how to restore the registry if a problem occurs. 

 

Attempt the troubleshooting steps in the following order:

Increase the refresh time between monitor tests

If possible, SolarWinds recommends configuring your monitors to use the default value of 300 seconds between monitor tests. This optimal setting ensures there are enough TCP connections available when needed.

Increase the maximum simultaneous connections

  1. Start the Registry Editor (Regedt32.exe).
  2. Access the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. Add a DWORD value to this registry key:
    Name: MaxUserPort
    Type: DWORD
    Value: 65534 (decimal)
  4. Exit the Registry Editor.

Note: This section can also be used as reference during large Server & Application Monitor (SAM) installations.

Reduce the duration of the Reserved State

Reducing the value of the TIME_WAIT state results in TCP connections being reused faster, therefore allowing for an increased number of connections during the same length of time. Note that if the value is too low, the TCP connection may close before monitor testing is complete.

  1. Start the Registry Editor (Regedt32.exe).
  2. Access the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. Add a DWORD value to this registry key:
    Name: TCPTimedWaitDelay
    Type: REG_DWORD - Time in seconds
    Value: 120 (decimal)
  4. Exit the Registry Editor.
Last modified
00:40, 21 Mar 2017

Tags

Classifications

Public