Detecting Ephemeral Port Exhaustion in Windows 7 / 8 / 2012

Ephemeral ports are ports that start at a higher range then regular ports. For example when compared to a web server that listens on port 80, ephemeral ports start from 49152 for Windows 2008 R2.  If there are scripts or applications that are making a lot of connections on the higher ports they can become exhausted.

A lot of these higher ports are dynamic ports meaning that they open and close on demand by the application.  You may see a high number of ports in TIME_WAIT when you run the netstat command, this is because Windows keeps a socket in TIME_WAIT state for a total of 4 minutes before recycling it back for use. In the default configuration there is a total of 16384 ephemeral ports. It may seem like a lot but if an application is sending one command through a port and then sending another command through another port, Windows waits 4 minutes before it closes the first port and this is where the exhaustion can occur.

Default ephemeral port ranges:
ephemeral port time wait chart windows linux

 

PowerShell – Identifying if you have exhausted ephemeral ports

You can run the below PowerShell script and it will show you details about your Ephemeral ports to see if they are all in use.

Log-EphemeralPortsStats.ps1  <– (Right-click, “Save Link As” to Download)

1. Open up Windows PowerShell
Start Powershell

 

 

 

 

 

 

 

 

 

 

 

2.  “Set-Execution-policy Unrestricted” and execute the “Log-EphemeralPortsStats.ps1” script
(Click Image to enlarge)
Power Shell Execute Script
3.  The Script will also generate a log file called “EphemeralPortStats.log”
Power Shell Ephemeral Ports Identify

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Increasing Ephemeral Ports:

Windows 7 / 8 / 2012
=================
Command to View ephemeral ports:
netsh int ipv4 show dynamicportrange tcp
Default Ephemeral Port Range

 

 

Command to increase Ephemeral ports
netsh int ipv4 set dynamicport tcp start=1025 num=64510
Increase Ephemeral ports netsh command

 

Ephemeral ports after the increase (Reboot is required)
After increasing ephemeral port range

 

 

 

Reduce TIME_WAIT
Windows keeps a port in TIME_WAIT state for 240 seconds (4 min) we can adjust this to 30 seconds so that it becomes available quicker for other applications to use.

1. Start > Run > Regedit
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
3. Create a new DWORD (32 bit) named: TcpTimedWaitDelay
4. Set the value to Decimal: 30
5. Reboot

TcpTimedWaitDelay

 

Redhat LInux 5
===========
Reduce the TIME_WAIT by setting the tcp_fin_timeout kernel value on /proc/sys/net/ipv4/tcp_fin_timeout, using the command echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout to set it to 30 seconds.

Increase the range of ephemeral ports by setting ip_local_port_range kernel value on /proc/sys/net/ipv4/ip_local_port_range, using the command echo “32768 65535” > /proc/sys/net/ipv4/ip_local_port_range, this will set the port range from 32768 to 65535.

The kernel value parameters aren’t saved with these commands, and are reset to the default values on system reboot, thus make sure to place the commands on a system startup script such as /etc/rc.local.

 

Helpful netstat commands
C:\>netstat -an | find “:80” |find /c “ESTABLISHED”
268
C:\>netstat -an | find “:80” |find /c “TIME_WAIT”
3746
C:\>netstat -an | find “:8085 ” | find /c “4924”
2
C:\>netstat -an | find “:8085 ” | find “4924”
TCP 127.0.0.1:4924 127.0.0.1:8085 ESTABLISHED
TCP 127.0.0.1:8085 127.0.0.1:4924 ESTABLISHED
netstat -ano | find /N “8085”
netstat -a -n | find /c “:”
netstat -anbo

This entry was posted in Linux, Networking, Windows and tagged , , , , , , , . Bookmark the permalink.

11 Responses to Detecting Ephemeral Port Exhaustion in Windows 7 / 8 / 2012

  1. Jeroen says:

    Thank you very much. Your script helped me a lot.

  2. Bosco says:

    Thank you for the script. It’s very helpful.
    I have one question though. Does this script show the ephemeral port stats for only TCP?
    If so how can I modify it to display the port stats for UDP?
    Thanks again!

  3. Jonatan says:

    Hey!

    Thanks a lot of this information. I’ve been experiencing some issues with this on a few servers, so I actually modified your script to make it work with as a SolarWinds monitor. I’m hoping that will allow me to setup an alerting system so i’ll know if a server is reaching that 95%+ usage.

    If you would be interested in the script for SolarWinds let me know and I’ll be happy to share it.

    • Greg says:

      We have been having an issue with servers experiencing port exhaustion like clockework every 2 weeks, I would love to see a script that monitors the ports for Solar winds!!
      can you please share that?

  4. Magnificent goods from you, man. I have be aware your stuff prior to and you are simply too excellent.
    I actually like what you’ve got here, really like what you are stating and the way in which during which you are
    saying it. You’re making it entertaining and you still care
    for to stay it smart. I cant wait to read far more from you.
    That is actually a wonderful website.

  5. Thanks , I have recently been looking for information approximately this subject for a while and yours is the best I’ve found out till now.
    However, what concerning the conclusion? Are you certain about the
    supply?

  6. Hello there, You’ve done an excellent job. I’ll certainly digg it and personally recommend to
    my friends. I am sure they will be benefited from this
    site.

  7. you are truly a excellent webmaster. The web site loading
    velocity is amazing. It sort of feels that you are doing any distinctive trick.
    Moreover, The contents are masterpiece. you have done a
    great job on this subject!

  8. all the time i used to read smaller content that as well clear their motive,
    and that is also happening with this paragraph which I am reading
    at this time.

  9. Do you mind if I quote a couple of your articles as long as I
    provide credit and sources back to your site?
    My website is in the very same area of interest as yours and my visitors
    would genuinely benefit from some of the information you provide here.

    Please let me know if this alright with you. Thank you!

  10. Very shortly this site will be famous among all blogging and site-building visitors, due to it’s pleasant posts

Leave a Reply

Your email address will not be published. Required fields are marked *