Solved

Firefox TCP connections remain in FIN_WAIT_2 state (Windows XP SP2)

Posted on 2007-03-19
20
2,739 Views
Last Modified: 2013-12-19
Even after closing Firefox 2.0.0.2, I've noticed that many (5 to 50) TCP connections remain in the FIN_WAIT_2 state. They do not clear out after any amount of time. I came in Monday morning and all the web pages I looked at Saturday still have TCP connections in the FIN_WAIT_2 state. Is this normal behavior?

I'm checking this by using the netstat command at the command line. I can tell that Firefox is the culprit because the connections listed are the web sites I have visited.

I only have one Firefox extension/add-on running. That's the Free Download Manager add-on.

I'm using Windows XP Home Edition SP2. I have all the latest Windows updates installed.
0
Comment
Question by:HKComputer
20 Comments
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18747714
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18748015
I tried that and the results are a little inconclusive. It appears that the problem persists.

It takes two to five minutes to enumerate my TCP connections. I don't have time to sit and wait on it.

Should all of the Firefox related TCP connections disappear when I close Firefox?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18748197
Have you checked those sites with IE?

You can use tcpview as netstat replacement

http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx

I rather suspect some network that firefox trouble....

Tolomir
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18748492
I'm now using tcpview and I really like it. :)

It does seem to be a Firefox issue. IE releases all TCP connections when you close it.

The TCP connections that are puzzling me do show up twice in TCPView. They are listed once at the top as <non-existant>:PortNo and later again as Firefox.exe:PortNo. All "hung" connections are listed as FIN_WAIT2 (FIN_WAIT_2).
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18748530
What software firewall? Any?

Also, in TCPView, do you have Show Unconnected Endpoints checked or unchecked?
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18748572
I'm only using the windows Firewall. I have AVG AntiSpyware and AVG Antivirus running. I'm also using an obscure (but trust-worthy) content filter from CleanInternet ( www.cleaninter.net ). I don't think I have anything else running that could be causing this problem.

Yes, I'm showing unconnected endpoints.
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18748587
Are you behind a router or using a Proxy?

You said "Should all of the Firefox related TCP connections disappear when I close Firefox?"  Yes, they should.

0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18748597
Is your Content Filter intercepting Firefox to scan pages and then filter the pages back to you? Can you disable that service for a test?

And in TCPView, Uncheck that Show Unconnected Endpoints for you to see what Firefox is doing.
0
 
LVL 4

Author Comment

by:HKComputer
ID: 18748636
I can't disable the Content Filter. It intercepts on the SDI layer (I think that's what it's called). It doesn't intercept on an application basis, only on a port basis, one layer below the Winsock layer.

I'm not using a proxy. I am behind a standard DSL modem (router).

When I uncheck "Show Unconnected Endpoints", all the offenders disappear since they are in the FIN_WAIT2 state.
0
Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

 
LVL 30

Expert Comment

by:mtz1of4
ID: 18748915
Because you are using that Content Filter, I'm thinking IT's actually intercepting your connection to see if you are truly done.

Do you have any contact with that company to inquire from them?  I don't believe it's an actual Firefox issue.

According to this page,
http://www.securitydocs.com/library/3318
FIN_WAIT 2 - Both hosts have agreed to close the connection.

Perhaps it's the Content Filter that is not releasing?
And since the Unconnected Endpoints do not show, the connection should be closed.  Why it's still listed may be because the Content Filter is cacheing it?
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18749002
And according to this page.
http://www.linuxmanpages.com/man8/netstat.8.php
FIN_WAIT2
    Connection is closed, and the socket is waiting for a shutdown from the remote end.

0
 
LVL 4

Author Comment

by:HKComputer
ID: 18749145
I tend to disagree. And here's why.

The logic of the content filter is basically this. Traffic is intercepted on port 80. The URL is parsed and passed to a remote server for evaluation. A Yes or No (or a modified URL) comes back from the remote content filter server. At this point the content filter closes its connections and "disappears".

The connections in question are clearly marked "Firefox.exe".

If the content filter was at fault, it should be doing the same thing for IE and other apps. The content filter doesn't see applications at all. It is below the Winsock and Application layers.


What might you mean by "the Content Filter is cacheing it?" How can a TCP connection be cached? Held open?
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18749415
"What might you mean by "the Content Filter is cacheing it?" How can a TCP connection be cached? Held open? "
I misspoke.  My brain isn't fully engaged sometimes.


0
 
LVL 4

Author Comment

by:HKComputer
ID: 18749435
:) No Problem.
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18749630
Let's try something here.
Open Firefox, in the Address bar type
about:config
and hit Enter. In the Filter at the top of the newly opened page, type
network.http.default-socket-type
That value should be empty (no entry), if not, please tell me what it is.

Next in that Filter, type
network.http.keep-alive.timeout
should be 300 (default)

See
http://img516.imageshack.us/my.php?image=mynetworksettingsaboutcbz4.jpg
 for my settings. If anything is different please let me know.  Perhaps one of us has changed something, but I haven't had  a Fin_Wait2 state showing in TCPView since running Firefox 2.0.0.2 although I do use ZAPro instead of Windows Firewall and I do not use your content filtering.
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 18749655
This was interesting to me.
http://www.goldfish.org/books/TCPIP%20Illustrated%20Vol%201/tcp_conn.htm
FIN WAIT 2 State

In the FIN_WAIT_2 state we have sent our FIN and the other end has acknowledged it. Unless we have done a half-close, we are waiting for the application on the other end to recognize that it has received an end-of-file notification and close its end of the connection, which sends us a FIN. Only when the process at the other end does this close will our end move from the FIN_WAIT_2 to the TIME_WAIT state.

This means our end of the connection can remain in this state forever. The other end is still in the CLOSE_WAIT state, and can remain there forever, until the application decides to issue its close.

Many Berkeley-derived implementations prevent this infinite wait in the FIN_WAIT_2 state as follows. If the application that does the active close does a complete close, not a half-close indicating that it expects to receive data, then a timer is set. If the connection is idle for 10 minutes plus 75 seconds, TCP moves the connection into the CLOSED state. A comment in the code acknowledges that this implementation feature violates the protocol specification.
0
 
LVL 4

Author Comment

by:HKComputer
ID: 19055113
PAQ would be fine. We don't want to overlook the fact that this problem exists or did exist. -HK
0
 
LVL 30

Expert Comment

by:mtz1of4
ID: 19057259
Does it still exist for you?

A Fin Wait 2 state is there because something hasn't closed properly, most likely an extension autoupdate or even a firefox autoupdate, could even be the Live Bookmarks.

0
 
LVL 1

Accepted Solution

by:
Vee_Mod earned 0 total points
ID: 19080825
Closed, no points refunded.
Vee_Mod
Community Support Moderator
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now