Limited Number of Half Open TCP Connections (Event ID 4226)

📖 Home  Back  
With the introduction of Windows XP SP2, Microsoft's Desktop class operating systems restrict the number of half opened outgoing TCP sockets. This is explained in the Microsoft TechNet article, http://technet.microsoft.com/en-us/library/bb457156.aspx#EHAA

The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system's event log.


This change helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in a failed connection, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.


This may affect ClearSCADA servers that are installed on Desktop class operating systems if ClearSCADA tries to open many new TCP sockets at once. This may for example occur when trying to establish communications to many TCP based outstations at once. This limitation has not been imposed on Server class operating systems. It is therefore recommended to run ClearSCADA on Server class operating systems.

Go: Home Back