Solved

Firefox TCP connections remain in FIN_WAIT_2 state (Windows XP SP2)

Posted on 2007-03-19
20
2,754 Views
Last Modified: 2013-12-19
Even after closing Firefox 2.0.0.2, I've noticed that many (5 to 50) TCP connections remain in the FIN_WAIT_2 state. They do not clear out after any amount of time. I came in Monday morning and all the web pages I looked at Saturday still have TCP connections in the FIN_WAIT_2 state. Is this normal behavior?

I'm checking this by using the netstat command at the command line. I can tell that Firefox is the culprit because the connections listed are the web sites I have visited.

I only have one Firefox extension/add-on running. That's the Free Download Manager add-on.

I'm using Windows XP Home Edition SP2. I have all the latest Windows updates installed.
0
Comment
Question by:HKComputer
20 Comments
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18747714
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18748015
I tried that and the results are a little inconclusive. It appears that the problem persists.

It takes two to five minutes to enumerate my TCP connections. I don't have time to sit and wait on it.

Should all of the Firefox related TCP connections disappear when I close Firefox?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18748197
Have you checked those sites with IE?

You can use tcpview as netstat replacement

http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx

I rather suspect some network that firefox trouble....

Tolomir
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18748492
I'm now using tcpview and I really like it. :)

It does seem to be a Firefox issue. IE releases all TCP connections when you close it.

The TCP connections that are puzzling me do show up twice in TCPView. They are listed once at the top as <non-existant>:PortNo and later again as Firefox.exe:PortNo. All "hung" connections are listed as FIN_WAIT2 (FIN_WAIT_2).
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18748530
What software firewall? Any?

Also, in TCPView, do you have Show Unconnected Endpoints checked or unchecked?
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18748572
I'm only using the windows Firewall. I have AVG AntiSpyware and AVG Antivirus running. I'm also using an obscure (but trust-worthy) content filter from CleanInternet ( www.cleaninter.net ). I don't think I have anything else running that could be causing this problem.

Yes, I'm showing unconnected endpoints.
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18748587
Are you behind a router or using a Proxy?

You said "Should all of the Firefox related TCP connections disappear when I close Firefox?"  Yes, they should.

0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18748597
Is your Content Filter intercepting Firefox to scan pages and then filter the pages back to you? Can you disable that service for a test?

And in TCPView, Uncheck that Show Unconnected Endpoints for you to see what Firefox is doing.
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18748636
I can't disable the Content Filter. It intercepts on the SDI layer (I think that's what it's called). It doesn't intercept on an application basis, only on a port basis, one layer below the Winsock layer.

I'm not using a proxy. I am behind a standard DSL modem (router).

When I uncheck "Show Unconnected Endpoints", all the offenders disappear since they are in the FIN_WAIT2 state.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 30

Expert Comment

by:mtz1of4
ID: 18748915
Because you are using that Content Filter, I'm thinking IT's actually intercepting your connection to see if you are truly done.

Do you have any contact with that company to inquire from them?  I don't believe it's an actual Firefox issue.

According to this page,
http://www.securitydocs.com/library/3318
FIN_WAIT 2 - Both hosts have agreed to close the connection.

Perhaps it's the Content Filter that is not releasing?
And since the Unconnected Endpoints do not show, the connection should be closed.  Why it's still listed may be because the Content Filter is cacheing it?
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18749002
And according to this page.
http://www.linuxmanpages.com/man8/netstat.8.php
FIN_WAIT2
    Connection is closed, and the socket is waiting for a shutdown from the remote end.

0
 
LVL 4

Author Comment

by:HKComputer
ID: 18749145
I tend to disagree. And here's why.

The logic of the content filter is basically this. Traffic is intercepted on port 80. The URL is parsed and passed to a remote server for evaluation. A Yes or No (or a modified URL) comes back from the remote content filter server. At this point the content filter closes its connections and "disappears".

The connections in question are clearly marked "Firefox.exe".

If the content filter was at fault, it should be doing the same thing for IE and other apps. The content filter doesn't see applications at all. It is below the Winsock and Application layers.


What might you mean by "the Content Filter is cacheing it?" How can a TCP connection be cached? Held open?
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18749415
"What might you mean by "the Content Filter is cacheing it?" How can a TCP connection be cached? Held open? "
I misspoke.  My brain isn't fully engaged sometimes.


0
 
LVL 4

Author Comment

by:HKComputer
ID: 18749435
:) No Problem.
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18749630
Let's try something here.
Open Firefox, in the Address bar type
about:config
and hit Enter. In the Filter at the top of the newly opened page, type
network.http.default-socket-type
That value should be empty (no entry), if not, please tell me what it is.

Next in that Filter, type
network.http.keep-alive.timeout
should be 300 (default)

See
http://img516.imageshack.us/my.php?image=mynetworksettingsaboutcbz4.jpg
 for my settings. If anything is different please let me know.  Perhaps one of us has changed something, but I haven't had  a Fin_Wait2 state showing in TCPView since running Firefox 2.0.0.2 although I do use ZAPro instead of Windows Firewall and I do not use your content filtering.
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18749655
This was interesting to me.
http://www.goldfish.org/books/TCPIP%20Illustrated%20Vol%201/tcp_conn.htm
FIN WAIT 2 State

In the FIN_WAIT_2 state we have sent our FIN and the other end has acknowledged it. Unless we have done a half-close, we are waiting for the application on the other end to recognize that it has received an end-of-file notification and close its end of the connection, which sends us a FIN. Only when the process at the other end does this close will our end move from the FIN_WAIT_2 to the TIME_WAIT state.

This means our end of the connection can remain in this state forever. The other end is still in the CLOSE_WAIT state, and can remain there forever, until the application decides to issue its close.

Many Berkeley-derived implementations prevent this infinite wait in the FIN_WAIT_2 state as follows. If the application that does the active close does a complete close, not a half-close indicating that it expects to receive data, then a timer is set. If the connection is idle for 10 minutes plus 75 seconds, TCP moves the connection into the CLOSED state. A comment in the code acknowledges that this implementation feature violates the protocol specification.
0
 
LVL 4

Author Comment

by:HKComputer
ID: 19055113
PAQ would be fine. We don't want to overlook the fact that this problem exists or did exist. -HK
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 19057259
Does it still exist for you?

A Fin Wait 2 state is there because something hasn't closed properly, most likely an extension autoupdate or even a firefox autoupdate, could even be the Live Bookmarks.

0
 
LVL 1

Accepted Solution

by:
Vee_Mod earned 0 total points
ID: 19080825
Closed, no points refunded.
Vee_Mod
Community Support Moderator
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now