couple of network questions/issues


ElAguila

I have a couple of networking issues and I am not sure how to fix them. The first is a minor one. When I try to use a p2p filesharing program, I get the max tcp connections reached in the event log. How can I increase these connections? The second issue is a major one and I hope someone can help me with it. We have a small workgroup network setup at home. There are 5 machines with 4 running XP Pro and mine running Vista. We are connected to a dual WAN router with 2 cable modems attached. I am able to connect to the internet with no problems. I am able to copy files from the shared folders on the other machines. When I try to copy files to one of the shares on those machines, I lose all network connectivity and my system has to have a hard reboot. I have the User Sharing Wizard unchecked. The largest file I tried to copy was only 3MB. If one of the other machines tries to copy a file to my share, it causes their machine to lock up. Any idea what is causing this and how I can fix it? I am wondering whether or not to enable the onboard Marvell gigalan NIC and disable the Nvidia NIC to see if that helps any at all. Also none of the other machines are using the v6tcp/ip stack. On my Vista machine both v4 and v6 are enabled.

Edited by ElAguila


"When I try to use a p2p filesharing program, I get the max tcp connections reached in the event log. How can I increase these connections?"

You can't, the max number is fixed and can't be changed like in previous versions.

"When I try to copy files to one of the shares on those machines, I lose all network connectivity and my system has to have a hard reboot."

That's kind of odd assuming that sharing is set up correctly and you have the right connection set up (Public, Private, etc...). Even if it was some strange permission thing you would just get some kind of message that you couldn't do that. Are you sure the router is set up properly and you're only using one of the cable modems at a time? A two-cable-modem setup may have something to do with losing the connectivity (it's confused as to which modem to use possibly, which has the possibility to produce a no-connectivity situation for Vista). Also try disabling the IPv6 and just use the IPv4. There was a problem with the Nvidia NICs earlier in the beta but I think it got resolved (I'm using the Marvell Yukon on-board NICs myself and they work fine). If none of the other machines are using IPv6 this may also be causing the problem, and make sure your router can handle the IPv6 also.

(BTW, why two cable modems?)


Here is some info concerning this: (at least I think this is what you're talking about)

Event ID 4226: "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."

In order to understand what this means, you have to first understand some basic TCP/IP. I'm not going to go in depth with how TCP/IP works, all of its states and packet-types, but I'm going to go over the most basic part.

When a client initiates a TCP/IP connection to a server, the protocol has to negotiate the connection information before any data is transferred. TCP, Transmission Control Protocol, helps to ensure that information gets to its destination reliably over an IP network. It does this with the TCP Handshake.

The TCP Handshake Process

Step 1: Client sends a SYN packet to the server. This packet is more or less the absolute beginning of the TCP/IP communications process. This puts the client's port in a SYN_SENT state. This makes it await an ACK packet.

Step 2: Server, if it is there and LISTENING, will respond to the client with a SYN/ACK packet. This will put its port into the SYN_RECVD (RECEIVED) state and make it await an ACK packet.

Step 3: Client receives SYN/ACK packet, puts its port into an ESTABLISHED state and responds with an ACK packet.

From here on out, data can be transferred between both of these devices.

With this process explained, we can now go into why and how Event 4226 works and is triggered.

Starting with Windows XP SP2, Microsoft limited the maximum amount of SYN_SENT states that you can have on your system to 10. There was a way to change this in XP but it can't be changed in Vista.

There are only 2 ways that a port will come out of the SYN_SENT state. Either the connection receives a response, or the connection times out.

With that all in mind, let's look at how it affects various internet protocols such as HTTP.

Client requests a web page via URL. DNS server responds with the IP address. Client sends a SYN packet to the HTTP server. HTTP server sends a SYN/ACK, Client sends an ACK, Server begins sending data. Client displays it on screen, connection closes.

In this scenario, the HTTP server was there and sent a response. Because of the way HTTP works, it only needs one active connection at a time. Thus, even if an HTTP server is not there, at maximum there will only be 1 connection in the SYN_SENT state (unless the client is set to retry over and over again).

Most of the internet uses just one connection, with exception to P2P applications, where they use many connections.

On previous Windows operating systems, when a user runs a P2P application, the client receives a list of hosts that are sharing the file that the client wants. The client attempts to connect to all of these hosts. Let's choose an arbitrary number that there are 50 "servers" that the client wants to connect to. The client sends a SYN packet to up to 50 servers, and simply waits for some to time out. If they time out, oh well. It still, say, has 10 that responded and opened a connection.

This method of not limiting was a great way to increase the spread of worms on the internet. Your computer would get a worm, and start hitting entire ranges of IPs. Regardless of if even a fraction of these hosts responds, the worm just spreads itself to as many hosts as possible from your system.

Limiting the amount of "half open" (syn sent or syn recvd) connections that are happening at the same time DRASTICALLY reduces the spread of the worm, while having very minimal effects on "legitimate" (I use this word loosely here, legitimate meaning any software the user actually wants on the computer) connections. Because the worm-infected PC now has to wait for connections to either time out or receive a response, the worm's spread is drastically reduced. When it's trying to hit 20,000 hosts, it greatly increases the amount of time as it might have to wait for 15,000 connections to time out before it can continue to spread.

How does this affect P2P?

Let's get back to the P2P for a minute here. So your client sends SYN to 50 other machines "at once" (short period of time). Machines 1, 23, 40, and 45 respond, while everything else doesn't. You now have a near immediate 4 connections.

With the TCP/IP half open limitation, it would send SYN to the first 10 hosts. Host 1 responds, so it sends now to host 11. The other 9 time out, it now sends to hosts 12-21. 11 times out, it now sends to 23, which responds, and then begins on 24.

So what happens here is a slight delay in the connection process as it goes through the lists of hosts. This has no bearing on the transfer speed between Hosts 1, 23, 40, and 45. By all means, once that connection is established that's pretty much it for the TCP/IP limiter. If all 50 responded, you could connect to all 50 hosts without any limitation at all.

So the real issue on P2P networks with regards to this "problem" are the people who don't understand how to configure their internet connections, or the people who configure them with the intent of not allowing incoming connections.

Q: Does this affect my regular internet habits (Chatting, web surfing, e-mail)?

A: Not at all.

Q: Will this slow down my P2P use?

A: Minimally. It will slow the rate in which you connect to other hosts, but it has no effect on any speed you receive from any host you connect to. This is simply a limit to how many hosts in the list of hosts that you make attempts to connect to.

Q: Does this mean I can only have 10 connections at a time?

A: No, you can have 10, 20, 30, 40 connections to any host you want provided they are configured to allow it. This simply limits the number of attempted connections. In the end, you will connect to as many hosts as are available for a connection, just connecting to them at a slower pace.

so there's no way to patch tcpip.sys so that it allows more than 10 half-open connections? that's bad..
Edited by Spooky
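
The queueing described in the post above (50 hosts tried in order, hosts 1, 23, 40 and 45 answering, at most 10 attempts in SYN_SENT at once) can be worked through as a small simulation. This is an added example, not part of the original posts; `simulate` is a hypothetical name, and the 100 ms round trip and 21 s SYN timeout are assumed values.

```python
import heapq

HALF_OPEN_LIMIT = 10     # cap on concurrent SYN_SENT attempts described in the post
RTT_MS = 100             # assumed round trip to a host that answers the SYN
SYN_TIMEOUT_MS = 21_000  # assumed wait before an unanswered SYN is abandoned


def simulate(host_count, responders, limit=HALF_OPEN_LIMIT):
    """Try hosts 1..host_count in order with at most `limit` half-open attempts.

    Returns (established, total_ms): established maps each answering host to the
    time (ms) its connection reaches ESTABLISHED; total_ms is when the last
    attempt ends. limit=None models a stack with no cap.
    """
    in_flight = []  # min-heap of finish times for attempts still in SYN_SENT
    now = 0
    total_ms = 0
    established = {}
    for host in range(1, host_count + 1):
        if limit is not None and len(in_flight) >= limit:
            # Every slot is busy: wait for the earliest answer or timeout.
            now = max(now, heapq.heappop(in_flight))
        answers = host in responders
        finish = now + (RTT_MS if answers else SYN_TIMEOUT_MS)
        if answers:
            established[host] = finish
        heapq.heappush(in_flight, finish)
        total_ms = max(total_ms, finish)
    return established, total_ms


if __name__ == "__main__":
    p2p_responders = {1, 23, 40, 45}            # the post's 50-host example
    scan_responders = set(range(4, 20_001, 4))  # constructed: 5,000 of 20,000 answer
    for label, limit in (("no cap", None), ("cap of 10", HALF_OPEN_LIMIT)):
        est, total = simulate(50, p2p_responders, limit)
        print(f"P2P, {label}: established at {est} ms, list done at {total} ms")
        _, scan = simulate(20_000, scan_responders, limit)
        print(f"20,000-address sweep, {label}: {scan / 3_600_000:.2f} hours")
```

The cap only moves the time at which each of the four connections is established; it places no bound on how many connections end up ESTABLISHED.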

i know that.. it won't degrade download/upload speeds but will decrease connectivity speeds.. if u only want to initiate 50 connections that might not result in great slowdowns, but in some cases (bittorrent clients), if u have 90-100 torrents u'll feel the need to connect to as many seeds from as many torrents as possible.. if somehow they manage to patch it, i'll still apply the patch..
