locked
Troubleshooting TCPIP:4227 EVENT_TCPIP_TCP_TIME_WAIT_COLLISION RRS feed

  • Question

  • We have a Windows 2008 SP2 32-bit HP-DL360 server that opens outbound HTTP connections to communicate to 10-15 HVAC PLC controllers.  The server is dedicated to this purpose.  Traffic is normally light, with the occasional heartbeat traffic, occasional download of PLC performance data.  However, once a week or so the server stops communicating with the PLC's and all ____ breaks out (usually between 1-4am).  The HVAC controls guy gets woke up by alarms, who calls the IT guy the next morning (me), who finds nothing amiss on the server besides an eventlog entry.

    In the Event Log We See the EVENT_TCPIP_TCP_TIME_WAIT_COLLISION error (shown below).  I have no idea what process is opening and closing outgoing connections at such a high rate that all the available ports are allocated.  Furthermore because the condition is not sustained, I cannot just perform a “netstat –b” to discover the culprit process.  What I need is a way to get a snapshot “netstat –b” when the problem occurs or log port usage by process so I can go back in history to find the culprit process.

    Any Suggestions??

    Thanks,

    -       Will

     

    Event Details

    Product:  Windows Operating System

    ID:  4227

    Source:  tcpip

    Version:  6.0

    Symbolic Name:  EVENT_TCPIP_TCP_TIME_WAIT_COLLISION

     

    Message:  TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint.
    Will Baldwin Information Technology Officer Biosecurity Research Institute, Kansas State University
    Wednesday, October 6, 2010 4:08 PM

All replies

  • New Inputs:  I was able to write a script to trigger on th e 4227 event and discover the process responsible.  It isn't my code and the authors of the code blame everything but their code claiming hundreds of customers and none seeing this issue.  They tried blaming the NIC, OS, and me.  Now I am searching for solutions.  In the registry, I believe that I can reduce the 4 min (?) wait time from when a port is closed and it is released back to the pool for reuse.  Listening for other suggestions...  you are all so quiet.
    Will Baldwin Information Technology Officer Biosecurity Research Institute, Kansas State University
    Tuesday, January 18, 2011 5:29 PM
  • Hi!

    I have no solution for you.. But unfortunatly, I have the same problem. The server is running a print management system called "EquiTrac"
    Is there any chanse for me to "borrow" your script to verify my suspicions to which process is causing the trouble?

     - Chris

    Friday, January 28, 2011 7:05 AM
  • cls

    @echo OFF
    del %temp%\netstat.txt

    echo ######################################## >  %temp%\netstat.txt
    echo Tcpvcon.exe -a -c                                                                >> %temp%\netstat.txt
    echo ######################################## >> %temp%\netstat.txt
    echo %DATE%   %TIME%                                                           >> %temp%\netstat.txt
    echo.                                                                                       >> %temp%\netstat.txt
    "c:\Program Files\TCPView\Tcpvcon.exe" -a -c                                >> %temp%\netstat.txt

    :::::::::::::: Lets set some variables ::::::::::::::

    set eMail="Will Baldwin<***@***.***.***>"
    set subj=-s "TCPIP Stack/Processes Snapshot"
    set server=-server ***.***.****.***:25
    set debug=-debug -log %temp%\blat.log -timestamp

    ::::::::::::::::: Now we run Blat!  :::::::::::::::::

    c:\Progra~1\blat262\full\blat.exe %temp%\netstat.txt -to %eMail% %cc% -f %eMail% %subj% %server% %debug%
    set eMail=
    set cc=
    set subj=
    set server=
    set debug=


    Will Baldwin Information Technology Officer Biosecurity Research Institute, Kansas State University
    Friday, January 28, 2011 5:10 PM
  • Thank you very much :)
    Monday, January 31, 2011 8:07 AM
  • Better late than never - thank you Will!
    Wednesday, May 15, 2019 1:15 PM