TCP Connection States - A Clue to Network Health
Noah Davids
Most network administrators know that the netstat -n
command will display a list of TCP connections and their states.
Usually, the connection state is ESTABLISHED. Occasionally,
the state is FIN_WAIT_2 or CLOSE_WAIT. Very rarely it
will be SYN_SENT, SYN_RCVD, or FIN_WAIT_1.
Although all these states are normal, connections typically remain in
them for only a brief time. Connections that stay in one of these
states for longer than a few seconds, or more than a few connections
in these states at any one time, may indicate a network problem. In
any case, the cause of this condition should be determined. This
article explores how to diagnose network problems based on the state
of the TCP connection.
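
A single netstat -n listing shows which state a connection is in but not how long it has been there. The script below is an added example, not part of the original article: it compares two saved listings and reports connections that stay in the same transient state. It assumes the six-column tcp rows of BSD-style netstat and the state spellings used in this article (Linux net-tools prints SYN_RECV, FIN_WAIT1 and FIN_WAIT2 instead); the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example. States are spelled as in the article; adjust for your netstat.
TRANSIENT='SYN_SENT SYN_RCVD FIN_WAIT_1 FIN_WAIT_2 CLOSE_WAIT'

# state_counts FILE: print "STATE count" for each transient state in a snapshot.
state_counts() {
    awk -v states="$TRANSIENT" '
        BEGIN { n = split(states, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        $1 ~ /^tcp/ && ($6 in want) { c[$6]++ }   # assumes state is column 6
        END { for (i = 1; i <= n; i++) if (c[s[i]] > 0) print s[i], c[s[i]] }
    ' "$1"
}

# stuck_connections OLD NEW: print "STATE local remote" for each connection that
# is in the same transient state in both snapshots, i.e. it has not moved on.
stuck_connections() {
    awk -v states="$TRANSIENT" '
        BEGIN { n = split(states, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        $1 ~ /^tcp/ && ($6 in want) {
            key = $6 " " $4 " " $5
            if (FILENAME == ARGV[1]) old[key] = 1
            else if (key in old) print key
        }
    ' "$1" "$2"
}

# Constructed sample snapshots (documentation addresses), taken seconds apart.
sample_old() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address      (state)
tcp4       0      0 192.0.2.10.22      198.51.100.7.51514   ESTABLISHED
tcp4       0      0 192.0.2.10.8080    198.51.100.23.40112  CLOSE_WAIT
tcp4       0      0 192.0.2.10.8080    198.51.100.24.40990  FIN_WAIT_2
tcp4       0      0 192.0.2.10.49152   203.0.113.5.443      SYN_SENT
EOF
}
sample_new() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address      (state)
tcp4       0      0 192.0.2.10.22      198.51.100.7.51514   ESTABLISHED
tcp4       0      0 192.0.2.10.8080    198.51.100.23.40112  CLOSE_WAIT
tcp4       0      0 192.0.2.10.49152   203.0.113.5.443      ESTABLISHED
tcp4       0      0 192.0.2.10.49153   203.0.113.9.25       SYN_SENT
EOF
}

# Demo on the samples. Live use: netstat -n > old; sleep 10; netstat -n > new
dir=$(mktemp -d) && sample_old > "$dir/old" && sample_new > "$dir/new"
echo "Transient states in first snapshot:"; state_counts "$dir/old"
echo "Still in the same transient state:"; stuck_connections "$dir/old" "$dir/new"
rm -rf "$dir"
```
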
The TCP States
The TCP states are defined in RFC-793.
Figure 1 shows the TCP state machine, which defines what state
to move to next and what type of packet to send back when a given
type of packet is received. In general, TCP connections involve
synchronizing the connection (SYN), transmitting the data, and then
finishing, or closing, the connection (FIN). As requests are made
between systems, acknowledgements (ACK) are transmitted back and
forth to ensure that both sides of the connection agree on the
state of the connection. For a more detailed explanation of these
states, see the companion Web article on the Sys Admin Web
site: samag.com.
Diagnoses
Table 1 lists most of the likely
(and not so likely) causes of state problems. In all cases, host 1
is the host with the problem, and host 2 is the "other" host.