Windows TCP/IP Connection Limits

From: https://support.solarwinds.com/SuccessCenter/s/article/NETSTAT-A-command-displays-too-many-TCP-IP-connections?language=en_US

NETSTAT -A command displays too many TCP/IP connections

Running the NETSTAT -A command from the command prompt shows a large number of TCP/IP connections established by the ipMonitor software. If ipMonitor is unable to open new connections, monitor failures can occur.

Overview

Running the NETSTAT -A command from the command prompt shows a large number of TCP/IP connections established by the ipMonitor software. This increased network traffic can affect ipMonitor's ability to create new connections, especially since many existing TCP/IP connections remain in a reserved TIME_WAIT state. Ultimately, if ipMonitor is unable to open new connections, monitor failures can occur.

Environment

ipMonitor 10.8; ipMonitor 10.x

Cause

The majority of TCP/IP connections displayed are ephemeral ports that have already been closed, but that remain reserved before they can be reused. This reserved state is denoted by the netstat TIME_WAIT label.

Microsoft limits the number of connections to 3975 by default, meaning that there can only be 3975 TCP/IP connections open at any given time. In addition, the TIME_WAIT state is configured by default to be 240 seconds. This means that Windows can only support an average of 33 TCP/IP connections per second. ipMonitor must then wait 240 seconds before being able to reuse those connections. If you have a large number of configured Monitors set to retest resources at short intervals, 3975 connections every four minutes may not be enough.

Resolution

Warning: Windows registry changes can result in severe system damage if performed incorrectly. Before you modify the registry, make a backup copy and ensure you understand how to restore the registry if a problem occurs.

Attempt the troubleshooting steps in the following order:

Increase the refresh time between monitor tests 

If possible, SolarWinds recommends configuring your monitors to use the default value of 300 seconds between monitor tests. This optimal setting ensures there are enough TCP connections available when needed.

Increase the maximum simultaneous connections 

Start the Registry Editor (Regedt32.exe).

Access the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Add a DWORD value to this registry key:

Name: MaxUserPort

Type: DWORD

Value: 65534 (decimal)

Exit the Registry Editor.

Note: This section can also be used as reference during large Server & Application Monitor (SAM) installations.

Reduce the duration of the Reserved State 

Reducing the value of the TIME_WAIT state results in TCP connections being reused faster, therefore allowing for an increased number of connections during the same length of time. Note that if the value is too low, the TCP connection may close before monitor testing is complete.

Start the Registry Editor (Regedt32.exe).

Access the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Add a DWORD value to this registry key:

Name: TcpTimedWaitDelay

Type: REG_DWORD - Time in seconds

Value: 120 (decimal)

Exit the Registry Editor.

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.

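This is because the Transmission Control Protocol/Internet Protocol (TCP/IP) stack is a core component of Microsoft XP/2003 and cannot be removed. In that case, if you need to reinstall TCP/IP to return the TCP/IP stack to its original state, you can use the NetShell utility to reset the TCP/IP stack to the state it was in when the operating system was first installed. To do so, type the following command at the command prompt and press ENTER: netsh int ip reset c:\resetlog.txt, where resetlog.txt is the log file that records the command's results. A log file must be specified; here it is resetlog.txt with its full path. Running this command has the same effect as removing and reinstalling the TCP/IP protocol.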

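On a wired connection, set download to 300 KB/s and upload to 30 KB/s.

On 1M ADSL, set download to 125 KB/s and upload to 15 KB/s.

On 2M ADSL, set download to 250 KB/s and upload to 25 KB/s.

If the upload speed is set too high, it will affect the download speed.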

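First, understand what the TCP four-tuple looks like: <source IP, destination IP, source port, destination port>.

(The first two elements are in the IP header; the last two are in the TCP header.)

An IPv4 address is 4 bytes, so it is 32 bits.

A port is 2 bytes, so it is 16 bits.

Therefore, when the server's IP address and listening port are both fixed, the ceiling on concurrent connections is 2^(32 + 16).

For TCP to reach million-level concurrency, you must use an event-driven, fully asynchronous development model.

How can a single machine run a heartbeat service that manages a million hosts?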

https://www.jianshu.com/p/8d93d22416cb

https://time.geekbang.org/column/article/240656

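1. The following command shows the number of httpd processes currently started on the server, that is, the number of concurrent requests the server's httpd service is currently handling.

2. Obtain the server's real-time count of concurrent httpd requests and compare it with the MaxRequestWorkers value in the configuration file /etc/httpd/conf/httpd.conf to see whether the maximum service concurrency needs to be changed.

3. Run the following command to view and count the connections established with external requests on port 80, which the server opens to provide its web service.

4. The number of connections currently established by the server's httpd service is the number of httpd TCP connections in the ESTABLISHED state, so the following command can be used to view and count them.

5. By examining the current TCP connections of the httpd service, you can group and total the requesting IPs to see whether a single IP address is maliciously flooding connections and consuming excessive system resources, and then take the necessary action. The command for viewing these statistics is as follows.

6. If one IP address makes too many connection requests, you can block its access by modifying the configuration file /etc/httpd/conf/httpd.conf and adding the following statements.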
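Added example (not part of the original page, and not the commands or statements the steps above refer to): a small Python parser for `netstat -an` output that measures how much of the ephemeral-port budget described in the Cause section is held in TIME_WAIT and, as in step 5, tallies established connections per remote IP. The sample output, function names and thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed sample of `netstat -an` output. It mixes the Windows layout
# (Proto Local Foreign State) and the Linux one (extra Recv-Q/Send-Q columns).
SAMPLE = """\
  TCP    10.0.0.5:49152    192.0.2.10:80      TIME_WAIT
  TCP    10.0.0.5:49153    192.0.2.10:80      TIME_WAIT
  TCP    10.0.0.5:49154    192.0.2.11:443     ESTABLISHED
  TCP    0.0.0.0:135       0.0.0.0:0          LISTENING
  UDP    0.0.0.0:123       *:*
tcp        0      0 10.0.0.9:80     203.0.113.7:51000   ESTABLISHED
tcp        0      0 10.0.0.9:80     203.0.113.7:51001   ESTABLISHED
tcp        0      0 10.0.0.9:80     203.0.113.7:51002   ESTABLISHED
tcp        0      0 10.0.0.9:80     198.51.100.4:40022  ESTABLISHED
tcp6       0      0 :::80           :::*                LISTEN
"""

def parse(text):
    """Yield (local, remote, state) for every TCP row, on either OS layout."""
    for line in text.splitlines():
        f = line.split()
        # Header rows and UDP rows (which have no state column) are skipped.
        if len(f) >= 4 and f[0].lower().startswith("tcp") and f[-1].isupper():
            yield f[-3], f[-2], f[-1]

def time_wait_usage(text, port_budget):
    """Fraction of the ephemeral-port budget held by TIME_WAIT sockets."""
    held = {local for local, _, state in parse(text) if state == "TIME_WAIT"}
    return len(held) / port_budget

def busy_clients(text, port, threshold):
    """Remote IPs with more than `threshold` ESTABLISHED connections to `port`."""
    hits = Counter(
        remote.rpartition(":")[0]
        for local, remote, state in parse(text)
        if state == "ESTABLISHED" and local.rpartition(":")[2] == str(port)
    )
    return {ip: n for ip, n in hits.items() if n > threshold}

if __name__ == "__main__":
    # 3975 is the default connection budget quoted in the Cause section.
    print(f"TIME_WAIT share of ports: {time_wait_usage(SAMPLE, 3975):.4%}")
    print("Clients over threshold:", busy_clients(SAMPLE, 80, 2))
```

Feed it real output by replacing `SAMPLE` with the captured text of `netstat -an`; the threshold that counts as abusive depends on the service and is an operator's choice.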

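The backlog parameter of listen specifies the capacity of the queue of connections that have completed the three-way handshake and reached the established state but are still waiting for accept. When this capacity is exceeded, the server stops processing clients' three-way handshakes. This queue capacity is, of course, not the number of concurrent connections the original poster was talking about.

But the step right after listen is accept. If what you want is for the server to stop processing three-way handshakes once the number of concurrent TCP connections exceeds a limit, there are only two ways:

1. Close the listening socket.

2. Modify the TCP protocol stack implementation yourself, which is of course rather more troublesome.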

Use the iptables firewall to limit TCP connections,

as follows, limiting a user's TCP connections to 50:

iptables -I INPUT -p tcp -m connlimit --connlimit-above 50 -j REJECT
