TCP Connections in Vista

  • Question

  • The TCP/IP stack has been redesigned for Vista.

    I have heard that under Vista there is a limitation on the number of simultaneous TCP connections (which is different from XP SP2, which limits only the speed of queued TCP connections).

    Does anyone know if Vista really has a maximum number of simultaneous TCP connections, and whether there will be a way for a program to work around it (for instance, antivirus software connections shouldn't be queued)?

    Thursday, January 12, 2006 7:00 PM

Answers

  • This was added in Service Pack 2 of Windows XP:

    Limited number of simultaneous incomplete outbound TCP connection attempts

    Detailed description

    The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system’s event log.

    Why is this change important? What threats does it help mitigate?

    This change helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in a failed connection, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.

    What works differently?

    This change may cause certain security tools, such as port scanners, to run more slowly.

    How do I resolve these issues?

    Stop the application that is responsible for the failing connection attempts.

    Thursday, January 12, 2006 11:52 PM
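    The queue-and-drain behaviour this answer quotes (a cap on incomplete outbound attempts, later attempts queued and released at a fixed rate, event 4226 when that happens) is easiest to see in a small model. This is an added Python example, not code from the thread or from Microsoft's stack; the limit of 10, the 100 ms release rate, the 50 ms answer time and the 3 s timeout are assumptions, and it logs the event once per burst.

    ```python
    from collections import deque
    EVENT_ID = 4226  # System-log event the page says appears when rate limiting starts

    class HalfOpenLimiter:
        """Model of the outbound half-open (SYN sent, no SYN/ACK yet) limiter. Assumed
        numbers, none official: `limit` attempts in flight, queue drained one per
        `drain_interval` s, live hosts answer after `rtt` s, dead ones time out after
        `timeout` s, and event 4226 is logged once per burst."""
        def __init__(self, limit=10, drain_interval=0.1, rtt=0.05, timeout=3.0):
            self.limit, self.drain_interval, self.rtt, self.timeout = limit, drain_interval, rtt, timeout
            self.inflight, self.queue = {}, deque()  # dest -> (resolve time, ok?); queued (dest, ok?)
            self.events, self.completed, self.failed, self.next_release = [], [], [], 0.0

        def _start(self, now, dest, reachable):
            self.inflight[dest] = (now + (self.rtt if reachable else self.timeout), reachable)

        def tick(self, now):  # advance the clock: retire resolved attempts, then drain the queue
            for dest, (deadline, ok) in list(self.inflight.items()):
                if deadline <= now:
                    del self.inflight[dest]
                    (self.completed if ok else self.failed).append(dest)
            while self.queue and len(self.inflight) < self.limit and now >= self.next_release:
                self._start(now, *self.queue.popleft())
                self.next_release = now + self.drain_interval  # fixed release rate

        def connect(self, now, dest, reachable=True):  # an application's connect()
            self.tick(now)
            if len(self.inflight) < self.limit:
                self._start(now, dest, reachable)
                return "started"
            if not self.events:  # limit just reached: this is where the stack logs 4226
                self.events.append((now, EVENT_ID))
            self.queue.append((dest, reachable))
            return "queued"

    def run(attempts, end=10.0, step=0.1):  # replay (time, dest, reachable) attempts, then summarise
        lim = HalfOpenLimiter()
        verdicts = [lim.connect(t, d, r) for t, d, r in attempts]
        t = attempts[-1][0]
        while t < end:
            t += step
            lim.tick(t)
        return {"started": verdicts.count("started"), "queued": verdicts.count("queued"),
                "events": [eid for _, eid in lim.events], "completed": len(lim.completed),
                "failed": len(lim.failed), "left_in_queue": len(lim.queue)}

    # Constructed inputs: browsing is a dozen connects 10 ms apart to live hosts;
    # the burst is 30 connects in one instant, five of six to addresses that never answer.
    BROWSING = [(0.01 * i, f"web{i}", True) for i in range(12)]
    BURST = [(0.0, f"10.0.0.{i}", i % 6 == 0) for i in range(1, 31)]
    ```

    Browsing never fills the 10 slots because live hosts answer quickly, so no event is raised; the burst hits the cap at once, and the dead destinations hold their slots for the full timeout, which is what makes the queue drain so slowly.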

All replies

  • No, there is not an artificial cap on the number of connections. There is a cap on the number of uncompleted TCP connections (i.e. you have sent a SYN, but no ACK has been received). Further details are available on microsoft.com
    Thursday, January 12, 2006 11:50 PM
  • I have a Microsoft Vista computer and I also use Skype internet telephone for business. Using Skype is essential for me since I am located in Brazil, but need people within the U.S. to be able to reach me at a U.S. number, which Skype provides me with. I keep receiving event ID 4226 and my internet connection keeps going down over and over again, ever since beginning to use Skype. Skype has indicated to me that event ID 4226 is probably responsible for my problems, so for me, to stop running the application, as suggested, is not an option. I can't do my work, and I can't have people call me on a business phone number provided by Skype, if I just stop running Skype. I don't see why use of a legitimate service, used by millions of people around the world, such as Skype, and a service which is critical to my small business, should not be able to work with Microsoft Vista without bringing up event ID 4226, which effectively makes it impossible for me to use my Vista computer and the internet without it going down over and over again throughout the day.

    • Proposed as answer by Gepetto Paris Wednesday, June 11, 2008 10:10 AM
    Sunday, September 30, 2007 10:21 PM
  • Mike Flasko said:

    This was added in Service Pack 2 of Windows XP:

    Limited number of simultaneous incomplete outbound TCP connection attempts

    Detailed description

    The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system’s event log.

    Why is this change important? What threats does it help mitigate?

    This change helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in a failed connection, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.

    What works differently?

    This change may cause certain security tools, such as port scanners, to run more slowly.

    How do I resolve these issues?

    Stop the application that is responsible for the failing connection attempts.

    Network communications are not only focused on worms and viruses....
    Some of Microsoft's people need to go back to school and take some networking lessons....

    1) The Internet is a communication domain with physical constraints: one of the most important is latency....
    2) HTTP is built over TCP, which is heavily impacted by high latency...
    3) The result is slow browsing....
    4) The browser's designers, like some other Microsoft people (those are clever!!!), introduced TCP connection parallelizing, to carry the HTML objects simultaneously from server to browser....
    5) It is usual to get more than 10 TCP connections open at the same time (in a 100 msec window) initiated by a browser ... in competition with other TCP connections from other applications (Microsoft claims to be multitasking...)

    Conclusion: I think Microsoft's guys should talk together in the future, to avoid these problems, and the message "Stop the application that is responsible for the failing connection attempts" is definitively not a good answer.
    Wednesday, June 11, 2008 8:05 AM
  • Maybe the "security" would be appropriate in a corporate environment, but normal users would prefer usability over (perceived) security.

    Having 10 half-open connections as the default limit is definitely too low, especially with the increasing popularity of P2P applications. At least make it tweakable by merely changing a registry key (it will be best if it can be changed in the Control Panel too).
    Sunday, August 31, 2008 12:23 PM
  • I guess you have to stay with Windows XP SP1 and run a good firewall and AV.

    I'm one of the people who refuse to update to SP2 and to any new OS.
    I really hate that TCP/IP limit. It breaks many apps like Skype and many other legitimate apps.

    Vista has a lame limit of 2.

    You need to find a tcpip.sys patcher for Vista.
    You just need to look it up on google.com

    Tuesday, February 3, 2009 8:52 AM
  • Hi. Just open regedit, and go to this: HCU\Software\microsoft\windows\currentversion\internetsettings.
    On your right hand side, there are two values:

    MaxConnectionsPer1_0Server -> set the REG_WORD value to the number you want; means # connections in one particular server

    MaxConnectionsPerServer ->  likewise. Means, # of connections.

    So you will have # x # connections available. E.g.: 10 x 10 = up to 100 simultaneous connections.

    Hex or decimal number, your choice.

    Hope it helps.
    Friday, April 3, 2009 6:29 PM
  • I don't think that's related. It applies to Internet Explorer and not to general TCP connections; and doesn't apply to "simultaneous incomplete outbound TCP connection attempts" but total connections to _one_ server.
    http://www.alanjmcf.me.uk/ Please follow-up in the newsgroup. If I help, mark the question answered
    Saturday, April 4, 2009 5:00 PM
  • Humm, I see. What would be the workaround then? A patch to tcpip.sys?
    Saturday, April 4, 2009 6:50 PM
  • As of Windows Vista SP2 a new registry key has been added to allow changing the limit of half-open TCP connections. IMHO it is a very welcome move from Microsoft.
    Monday, April 6, 2009 12:12 AM
  • And that registry would be... ?
    Tuesday, April 7, 2009 12:31 AM
  • You may want to look here: http://social.technet.microsoft.com/Forums/en-US/itprovistasp/thread/2afc725f-44fd-4ae1-9eb8-f0c3a0f552bc/

    It seems like the limit is completely removed.
    Tuesday, April 7, 2009 3:02 PM
  • However, SP2 is still an RC.
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=12ac9780-17b5-480c-aef7-5c0bde9060b0  (doesn't address the issue. General purpose)  and
    http://technet.microsoft.com/en-us/network/bb545475.aspx  (Next Generation TCP/IP Stacks)

    Ok. It will be released in May. The links were meant to guide you all to read, before dumping forums like this with "what if" questions. When it's released, it's there to use. After all, this is not a Developers forum.

    That's the point. Pointless to mention.
    Wednesday, April 8, 2009 6:36 PM
  • Just wait for it to be released in May. I don't see the relevance of the links you have provided.
    Wednesday, April 8, 2009 6:42 PM