This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Windows event 4227

0

Dear friend, I need your help. I have 2 SAP servers that connect to a server with an external system, and this server (2008 R2) connects to a lot of other servers. My problem is that after 3 days we get event 4227:

"TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint."

We tried SAP and Microsoft support without any help. We tried all the registry parameters without any success. I think one of the programs installed on this server has the error that causes the problem, but I don't know how to find it. I think maybe I have connections that remain open, but I don't know how to find them.

Is there a way with Wireshark to know which port is the problem? Which connections are not closed? What causes this event? When I check netstat I have only 500 open connections and fewer than 4 ports in time_wait.

Please help,
Naor

asked 15 Dec '15, 06:27

Naor Shalom

edited 15 Dec '15, 10:23

grahamb ♦


One Answer:

0

The first issue is whether you can believe the error message description, and from what you wrote it seems that the actual reason may be slightly different from what it says.

Because the guard time (TIME_WAIT) in TCP is really relevant to cases when your machine connects to the same remote socket (ip address:port) so frequently that it exhausts all local ports from the permitted range within the post-session guard time, so the stack attempts to reuse a port which was in use less than two minutes ago. With less than 500 sessions open and 4 sessions in time_wait state, this is hardly the case (well, unless you have really permitted somewhere in registry just 4 tcp ports for outgoing sessions, but in this case I would expect the error to pop up much sooner than in three days).

Having said that, it is most likely an issue of Microsoft's tcp stack or the SAP application, so by observing its behaviour from outside (using Wireshark), you have little chance to find out what is wrong.

You can use Wireshark to capture the tcp communication towards the servers for several hours, ideally from reboot of the client machine until the error pops up, and then have a look at which ports at client side were used. If you find that the count of local ports used to establish new sessions gradually decreases (i.e. over time, some local ports stop being used for new sessions towards the same remote socket although the previous session using that port has been properly closed), it would mean that something is wrong in the tcp stack, preventing those "lost" ports from getting reused although the last session which was using them is neither in OPEN nor in TIME_WAIT state. Or the sessions may remain open "forever" from the protocol point of view (no FIN, no RST shown in Wireshark) but again in some weird state internally so not listed as OPEN or TIME_WAIT or any other named state by netstat.

If you cannot see anything like this in the capture, i.e. the ports used to open sessions towards those servers change regularly and then, all of a sudden, no new session opening attempts can be seen, it only means that the issue is more complex in terms that the leakage of resources is not limited to a single remote socket but the whole tcp stack is affected. To find out whether it is the case, it should be enough to try to open a tcp session to some other server and some other service, like attempting to open a telnet session or opening a web page after the error 4227 pops up in SAP.

Depending on the result, you may go back to Microsoft support with a more detailed description of the behaviour.

answered 15 Dec '15, 07:08

sindy

Hi, first I want to thank you for your help. "If you find that the count of local ports used to establish new sessions gradually decrease" - is there a way to count this? Or do I need to check from netstat if a port is reused?

What about the buffer? My application gives the error: WSAENOBUFS: No buffer space available WSAEADDRINUSE: Address already in use Insufficient winsock resources available to complete socket connection initiation.; An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full 127.0.0.1:8510 Information 6804

Thanks Naor

(16 Dec '15, 01:15) Naor Shalom

Don't expect programmers' hints on a site dedicated to packet capturing and Wireshark as the particular tool for it.

As for counting the ports using Wireshark - a simple one would be to apply a display filter tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.dstport == pppp (where pppp is the port on the server side) to select only the "SYN packets" from the initiator of the tcp session (which is your PC), then go to the packet dissection pane, unfold the tcp layer, right-click the line reading Source Port: xxx and choose "Apply as Column" from the context menu. This will add the source port as a column to the packet list pane.

Then, you would click on that column's header, which causes the packets to be sorted according to the value in that column. The rest is to calculate (probably manually) how many lines exist for each value. If the count of the SYN packets is too high to do that manually, you would have to use tshark and some script reading its output and summing up the number of occurrences of each port value.

(16 Dec '15, 02:41) sindy
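
The tshark-plus-script counting suggested in the last comment, as an added example that is not part of the original thread: it sums SYNs per client source port and also counts distinct source ports per time window, which shows whether the pool of local ports in use shrinks over time as the answer describes. The file name `capture.pcapng`, the one-hour window and the sample lines are assumptions; `pppp` is the server port placeholder from the comment.

```python
# Added example. Feed it the output of (pppp = server-side port):
#   tshark -r capture.pcapng \
#     -Y "tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.dstport == pppp" \
#     -T fields -e frame.time_relative -e tcp.srcport
import sys
from collections import Counter, defaultdict

def parse(lines):
    """Yield (seconds_since_capture_start, source_port) per tshark output line."""
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        try:
            yield float(parts[0]), int(parts[1])
        except ValueError:
            continue  # non-numeric field, e.g. a stray header

def summarize(lines, window=3600):
    """Return (SYN count per source port, distinct source ports per window)."""
    per_port = Counter()
    ports_in_window = defaultdict(set)
    for ts, port in parse(lines):
        per_port[port] += 1
        ports_in_window[int(ts // window)].add(port)
    distinct = {w: len(p) for w, p in sorted(ports_in_window.items())}
    return per_port, distinct

# Constructed sample, not taken from a real capture: three local ports are
# used in the first hour, two in the second, one in the third.
SAMPLE = """\
12.5\t49152
20.0\t49153
31.0\t49154
40.0\t49152
3700.0\t49152
3710.0\t49153
7300.0\t49152
not-a-number\tx
"""

if __name__ == "__main__":
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    per_port, distinct = summarize(source)
    for port, count in sorted(per_port.items()):
        print(f"port {port}: {count} SYNs")
    for w, n in distinct.items():
        print(f"window {w}: {n} distinct source ports")
```

A steadily falling distinct-port count per window, while the SYN rate stays similar, is the pattern the answer describes as ports no longer being reused.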