KNOWLEDGEBASE
Log In    |    4D Home    |    4D Forum
Tech Tip: Avoiding 10054 Disconnection issues on Windows Server 2003
PRODUCT: 4D | VERSION: 11.6 | PLATFORM: Win
Published On: July 8,2010

Microsoft has implemented a security feature that reduces the size of the queue for concurrent TCP/IP connections to the server. This is exposed through the registry via the SynAttackProtect key. This feature helps prevent denial of service attacks; however, under heavy load conditions, the TCP/IP protocol may incorrectly identify valid TCP/IP connections as a denial of service attack.

This setting has actually existed for quite some time (it can be found in Windows XP as well as Windows 2000 and NT4.0), however it was previously disabled by default up until and including Windows Server 2003. Starting with Windows Server 2003 SP1 the default value became enabled.

This can cause the disconnection issues described here and here, such as:

  • The connection has been reset by the remote host.
  • TCP_PROV: An existing connection was forcibly closed by the remote host.
  • "ProviderNum: 7, Error: 10054, ErrorMessage: "TCP Provider: An existing connection was forcibly closed by the remote host ..."
  • Unhandled Exception: A transport-level error has occurred when sending the request to the server. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)

This error is not related to only 4D. Micorosft has published documents regarding this specific issue with connecting to both SQL Server and BizTalk Server using TCP/IP. Also documented here: http://msdn.microsoft.com/en-us/library/ms187005.aspx

According to Microsoft, there are two ways of dealing with this issue:
  1. Disable Windows Server 2003 SP 1 and SP2 Denial of Service checking

    Note :: It is important to note that disabling this feature disables protection that Microsoft has provided against Denial of Service attacks. Microsoft suggests "Only disable this feature in an intranet scenario when you are sure you will not suffer from actual denial of service attacks." In any situation you choose to disable this setting take into account the protection you are disabling. One solution may be to run a database via WAN and use a VPN to limit connections.

    All of these values are located under the following registry key:
    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Value name: SynAttackProtect
    Value Type: REG_DWORD
    Valid Range: 0,1
    Default: 0


    You should create and set SynAttackProtect to 0 to disable protection against SYN attacks.

  2. Modify the registry settings that govern the level of Denial of Service attack protection on Windows Server 2003

    Note :: This option requires more trial and error but will allow you to sustain some level of Denial of Service protection.

    In certain scenarios you may want to maintain Denial of Service protection but reduce how aggressively the Denial of Service functionality is applied. It is possible to tune the default behavior of the Denial of Service protection feature by following these steps:

    1. Ensure the SynAttackProtect registry entry is set to a REG_DWORD value of 1 as described at SynAttackProtect (http://go.microsoft.com/fwlink/?LinkId=111477).


    2. Configure the TcpMaxHalfOpen registry entry as described at TcpMaxHalfOpen (http://go.microsoft.com/fwlink/?LinkId=111478).


    3. Configure the TcpMaxHalfOpenRetried registry entry as described at TcpMaxHalfOpenRetried (http://go.microsoft.com/fwlink/?LinkId=111479).



Affected Operating Systems:

Microsoft has acknowledged that a problem exists for Windows Server 2003 SP1 and SP2 here; where under heavy load conditions, the TCP/IP protocol may incorrectly identify valid TCP/IP connections as a denial of service attack.

For Windows XP (all versions) and Windows Server 2003 with no service packs installed, SynAttackProtect is set to 0 by default.

For Windows Server 2003 SP1 (or greater), SynAttackProtect is set to 1 by default.

Since the setting does exist in XP (disabled by default) it is theoretically possible that this may cause an issue on that operating system if the feature is enabled.

The SynAttackProtect, TcpMaxHalfOpen, and TcpMaxHalfOpenRetried registry entries are no longer used with Windows Vista and Windows Server 2008. The TCP/IP protocol suite implementation in Windows Vista and Windows Server 2008 was redesigned to provide improved performance and does not require manual modification of these registry entries.



See the following links for more information:

http://support.microsoft.com/kb/142641/en-us
http://support.microsoft.com/kb/315669/en-us
http://technet.microsoft.com/en-us/library/cc759700(WS.10).aspx