What you need to do if you see too many TIME_WAIT sockets

When a large number of TCP connections are in use, the port limit can be reached. In that case, no new connection can be created. This can happen on either the Agent or the Server side.

How to detect

Kernel message:

kernel: TCP: request_sock_TCP: Possible SYN flooding on port 8009. Sending cookies.  Check SNMP counters.

Check the TIME_WAIT sockets count:

watch -n 1 "netstat -nt | grep TIME_WAIT | wc -l"

If the count is close to the size of the available port range, then your system is affected by this issue:

cat /proc/sys/net/ipv4/ip_local_port_range
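
The two checks above combined into one script, as an added example that is not part of the original article: it counts TIME_WAIT rows in netstat -nt output and compares the count with the size of the local port range. The 80% threshold, the function names and the sample netstat lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: how much of the ephemeral port range is held by TIME_WAIT sockets.

THRESHOLD_PCT=80   # assumption: "close to the range" means 80% or more

# Constructed sample of netstat -nt output, used when live data is unavailable.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:40112          10.0.0.9:8009           TIME_WAIT
tcp        0      0 10.0.0.5:40113          10.0.0.9:8009           TIME_WAIT
tcp        0      0 10.0.0.5:40114          10.0.0.9:8009           ESTABLISHED
tcp        0      0 10.0.0.5:40115          10.0.0.9:8009           TIME_WAIT'

# Number of ports in a "low high" pair, the format of ip_local_port_range.
port_range_size() {
    set -- $1                     # split the pair into $1 (low) and $2 (high)
    echo $(( $2 - $1 + 1 ))
}

# Count TIME_WAIT rows in netstat -nt text read from stdin (state is column 6).
count_time_wait() {
    awk '$6 == "TIME_WAIT" { n++ } END { print n + 0 }'
}

# Print a verdict. $1 = port range pair; netstat -nt text on stdin.
assess() {
    tw=$(count_time_wait)
    size=$(port_range_size "$1")
    pct=$(( tw * 100 / size ))
    if [ "$pct" -ge "$THRESHOLD_PCT" ]; then verdict=AFFECTED; else verdict=OK; fi
    echo "$verdict time_wait=$tw range=$size used=${pct}%"
}

# Use live data when available, otherwise fall back to the constructed sample.
RANGE_FILE=/proc/sys/net/ipv4/ip_local_port_range
if [ -r "$RANGE_FILE" ] && command -v netstat >/dev/null 2>&1; then
    netstat -nt 2>/dev/null | assess "$(cat "$RANGE_FILE")"
else
    printf '%s\n' "$SAMPLE" | assess "32768 61000"
fi
```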


You should enable socket reuse.

Linux selects a port from the ephemeral port range, which by default is 32768 to 61000.

A TCP local socket address that has been bound is unavailable for some time after closing, unless the SO_REUSEADDR flag has been set. Please use caution when using this flag as it makes TCP less reliable.

To avoid waiting on closed sockets, enable reuse of TIME_WAIT sockets by setting the tcp_tw_reuse sysctl. Append the following line to the file /etc/sysctl.conf:

net.ipv4.tcp_tw_reuse = 1

Afterwards, sockets in state TIME_WAIT will be reused when necessary.

Technical Insights

In these cases, the connect function fails with the error value EADDRNOTAVAIL.

This article pertains to MetaDefender Central Management
This article was last updated on 2018-03-28