Solved

TCP/IP Error with Event ID 4227

Posted on 2013-11-12
Last Modified: 2013-12-13
I did a search and found a recent posting on EE here, but there was little information other than running a malware scan: http://www.experts-exchange.com/Networking/Network_Management/Network_Analysis/Q_28273755.html

I also have responded to this same issue over on the Windows 8 forums: http://www.eightforums.com/network-sharing/28502-windows-8-stops-allowing-new-connections-3.html#post306663

Here is the issue: About every 4-6 days I start getting the 'error 4227' in my Windows Event log: 'Warning, TCP/IP, Event 4227: TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint'.

I can always tell when the issue starts because I can no longer remote into my home computer from work using LogMeIn. After I found this thread, I decided before I did anything else, to close Chrome, and the ~25 tabs I had open at the time. Within just a few moments, all my internet connections, and other network connections started coming back online. I didn't reboot or anything, I simply closed Chrome and left Chrome closed.

I have been chasing this problem for a while now, trying to narrow down what was using all my TCP/IP ports up. When I would reboot my computer, the first thing I would do was reopen all the windows I previously had open, including all the tabs I was in while using Chrome. I figured this must be when the countdown to all my TCP/IP ports being used up starts, so when I get to 4-6 days in, I start having network/internet port issues. I never realized leaving my internet browser (Chrome) open with several tabs would cause this problem.

Although many of my local network services restored themselves after closing Chrome, it appears my Internet is still not fully functional. It looks like I will still have to either bounce my NIC, or reboot my machine to fully restore functionality. So, although closing Chrome helped, it was not the only culprit. Something else is still not releasing all my TCP/IP ports.

After I got home I still had to reboot my computer to fully regain Internet connectivity, so all the ports were not released. I still would like to figure out what is doing this, since I run with a ton of stuff open on my work computer, including ~30 open tabs in Chrome, and my computer stays up for a month or more before I reboot it for security updates. My work computer (also Windows 8.1) never has any issues, so the problem on my home computer must be larger than just leaving Chrome open for a few days with a bunch of tabs. My wife's computer (Windows 8.1) is up for weeks at a time with several things open too, yet she never has the issue of running out of TCP/IP ports either.

In all my research I have also read the problem could be attributed to either a bad NIC card, bad network cable, or a need for upgraded NIC drivers on my current NIC. Anyone want to weigh in on this perspective? I don't want to go buy a new NIC arbitrarily without having a better idea of what my issue may be.

To summarize, I am running Windows 8.1 Pro, with all the latest Windows updates. This is my gaming rig, but I also have other things running on it like Steam, Mumble, Trillian Pro, Argus Monitor, Moo0 system monitor, eMClient (email), Chrome, Internet Explorer (Work OWA email), Logitech Gaming Software (keyboard and mouse config software).

I have MalwareBytes Pro loaded with 'real time' protection running. I have run several FULL system scans on my computer, always coming back clean. I have tried three different versions of NIC drivers for my Broadcom NetLink Gigabit Ethernet adapter, and the problem continues to persist.

My next step is to buy a new Intel NIC and install it to see if that stops my issue, unless there is more info I can provide here to assist with a solid diagnosis.

Thanks in advance for any suggestions or feedback.
Question by:EvilPeppard
19 Comments
 
LVL 10

Expert Comment

by:tmoore1962
Netstat -an should give you a list of all tcp port connections.
0
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 350 total points
You might see if TCPView will work.  It has a GUI view of netstat.  http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

Also you may be exceeding the number of allowed TCP connections.  Here is an article from IBM about changing the number of connections allowed in Windows: http://pic.dhe.ibm.com/infocenter/p8docs/v5r1m0/index.jsp?topic=%2Fcom.ibm.p8.performance.doc%2Fp8ppt015.htm
0
 

Author Comment

by:EvilPeppard
@tmoore1962:

I know running netstat will give me a list of what TCP ports I have open, but I don't know what to do from there. I'll have the info, but then what? I can see the processes listed in there, but that info really means nothing to me. I am not sure how to interpret it.

I see @DaveBaldwin referred to TCPView, a GUI version of Netstat. Perhaps that will help me understand the netstat results better?


@DaveBaldwin:
I have seen other articles about increasing my TCP ports, but I am more concerned as to why I am running out and what is making me run out. Like I stated originally, my work computer is up for over a month at a time, with significantly more things running on it than my game rig at home, and my work computer NEVER has this Event 4227 issue.

I am more concerned about figuring out why I am running out of ports, and what is using my ports so I can eliminate the problem. I don't want to just increase the amount of ports available without understanding why I am running out on a home computer first.

Please let me know your thoughts. Thank you again for all the feedback.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
The 'why' is probably because you have too much running at once.  I suspect that you don't have as many things running at work as you do at home.  Run TCPView both at home and at work to see what the differences are.

And I don't believe in running computers non-stop unless they are server grade machines.  There are too many programs in Windows that leave trash behind.  It would be informative if the problem stopped when you rebooted daily.  That would probably mean that one or more of your programs are not cleaning up after themselves.
0
 

Author Comment

by:EvilPeppard
@DaveBaldwin

On the contrary, I run even more on my work machine than I do on my home machine. My game rig is a very high end machine. So is my work rig. My work machine stays up for well over a month with all my applications left open, including ~25+ Chrome tabs, several tabs in IE, and a couple tabs in FireFox, as well as several other programs.

I agree it seems some program is not cleaning up properly. Yes, when I reboot the problem goes away, then after about 4-6 days of uptime, the problem returns and I start seeing Event 4227 logging in my Windows System Log.

In my research I have also read I can clear this message by just bouncing my NIC, meaning disable/enable it, and the issue is supposed to clear up. Microsoft refers to that procedure here: http://technet.microsoft.com/en-us/library/cc735929(v=ws.10).aspx

Although I can quickly recover from running out of TCP ports by following Microsoft's guide, I would prefer to know what is actually causing me to run out of ports on this specific machine so I can either remove the software, or make some other change to prevent it from happening.

I personally like to keep my machines up for as long as possible, and there really should be no reason I cannot do just that. This is the first time I have ever experienced this problem, and since it is isolated to just one machine, there has to be a logical explanation, and resolution.

Thank you again for your assistance and feedback.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
"there has to be a logical explanation, and resolution."
Probably, but the question sometimes becomes whether it is worth the time and effort to find it.  You can take two apparently identical computers and find that in the fine details they are not.  Maybe the RAM in one can't run at quite the same temperature as the other or the signal thresholds in the NIC aren't quite the same.
"there really should be no reason I cannot do just that."
Sorry but I don't believe that kind of 'should'.  The first computer I used to do some work would reboot if you bumped the table it was on.  Things are a whole lot better now.  But still not 'perfect'.

You said you run them for a month.  Are updates the only reason you reboot them?  (And today is second Tuesday in Windows land)
0
 
LVL 44

Expert Comment

by:Darr247
What socket is the Event Log reporting being already taken?

LogMeIn should only be using port 443.

Otherwise, I'd think it had something to do with Win8's new dynamic port range (e.g. http://support.microsoft.com/kb/929851 ).
0
 

Author Comment

by:EvilPeppard
Well, I installed and ran the TCPView. To be sure I am using it correctly, how should I interpret the red bars? Are those all ports waiting to be used, or are they problem ports?

While watching the TCPView last night, all of a sudden I had literally about 25 or so rows of red, all for IP address 69.167.156.21, which is iNET Interactive - Overclockers.com. Those rows stayed highlighted in red for quite some time, maybe 30 seconds or so. I had a tab open in Chrome to Overclockers.com, so I closed the tab, and all the red rows disappeared, and did not return.

Anyway, I want to know what I should be looking for with TCPView. I see some rows are red, some are green or yellow, and many rows that are not highlighted at all.

@Darr247, the Event log doesn't report a socket being taken, the event states exactly what I posted in my original post. I have a screenshot I will post here as well.
Event-4227---TCP-error.JPG
0
 
LVL 10

Assisted Solution

by:tmoore1962
tmoore1962 earned 150 total points
Google sysinternals and get Process Explorer.  Run NETSTAT -o to get a list of port connections and their processes.  Run Process Explorer and add the command line to the columns viewed.  You can now determine what app is running the process and what process is using what port.  One of your applications is connect.  But what I think is happening is that one of the apps that access the internet is dropping the connection and attempting to re-establish the connection before the default timeout. I don't know if reducing the default will get it in the app's programmed window, but here are the basic instructions for XP svr 2003, which should work for 8.
Reduce the client TCP/IP socket connection timeout value from the default value of 240 seconds.  Hope it helps...

a. Start Registry Editor.
b. Browse to, and then click the following key in the registry:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

c. On the Edit menu, click New, DWORD Value, and then add the following registry value to reduce the length of time that a connection stays in the TIME_WAIT state when the connection is being closed. While a connection is in the TIME_WAIT state, the socket pair cannot be reused:

Value name: TcpTimedWaitDelay
Value data: <Enter a decimal value between 30 and 240 here>

d. Close Registry Editor.

You must restart your computer for this change to take effect.
 
The valid range of this value is 30 through 300 (decimal). The default value is 240.
0
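Added example, not part of any post in this thread: one way to turn the `netstat -ano` output discussed above into an answer to "which remote endpoint and which process are eating my ports". It assumes the default dynamic port range 49152-65535; the sample rows, addresses and PIDs are constructed.

```python
from collections import Counter

# Default Windows dynamic port range since Vista (see the KB 929851 link in
# the thread). Assumption: not changed via "netsh int ipv4 set dynamicport".
DYN_START, DYN_COUNT = 49152, 16384

# Constructed sample in the layout "netstat -ano" prints on Windows.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49201     203.0.113.21:80        TIME_WAIT       0
  TCP    192.168.1.10:49202     203.0.113.21:80        TIME_WAIT       0
  TCP    192.168.1.10:49203     203.0.113.21:80        TIME_WAIT       0
  TCP    192.168.1.10:49204     203.0.113.21:80        ESTABLISHED     4312
  TCP    192.168.1.10:49210     198.51.100.7:443       ESTABLISHED     2280
  TCP    [::1]:49300            [::1]:5000             CLOSE_WAIT      2280
  UDP    0.0.0.0:5353           *:*                                    1234
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def parse_netstat(text):
    """Yield (local_port, remote_addr, state, pid) for every TCP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, blank lines, UDP rows (no State column)
        remote_addr, _ = split_endpoint(fields[2])
        yield split_endpoint(fields[1])[1], remote_addr, fields[3], int(fields[4])

def summarize(text):
    """Return (rows per (remote, state), live PIDs per remote, share of range used)."""
    by_remote, owners, dyn_ports = Counter(), {}, set()
    for local_port, remote, state, pid in parse_netstat(text):
        if state == "LISTENING":
            continue  # listeners do not consume outbound ports
        by_remote[(remote, state)] += 1
        if pid:  # TIME_WAIT rows show PID 0: the process already closed the socket
            owners.setdefault(remote, set()).add(pid)
        if DYN_START <= local_port < DYN_START + DYN_COUNT:
            dyn_ports.add(local_port)
    return by_remote, owners, len(dyn_ports) / DYN_COUNT

def report(text, top=5):
    """Lines naming the busiest remote endpoints and the PIDs still talking to them."""
    by_remote, owners, share = summarize(text)
    lines = [f"dynamic ports in use: {share:.2%}"]
    for (remote, state), n in by_remote.most_common(top):
        pids = sorted(owners.get(remote, ()))
        lines.append(f"{n:5d}  {state:<12} {remote:<16} pids={pids}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

To run it on a live machine, save the output of `netstat -ano` to a file and pass the file's text to `report()`; the PIDs it prints can then be looked up in Process Explorer.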

 

Author Comment

by:EvilPeppard
@tmoore1962

Thanks. Any particular reason you suggested the SysInternals Process Explorer over the TCPView?

I have downloaded and configured Process Explorer. These two programs (Process Explorer and TCPView) should help me determine what is causing the problem.

I am going to wait on the registry edit until my machine acts up again, so I hopefully can capture what the problem is. The problem should pop back up any day now.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
I suggested TCPView so you could see how many connections were being used and where the connections were going to.
From the TCPView Help dialog:
By default, TCPView updates every second, but you can use the View|Update Speed menu item to change the rate. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green.
0
 

Author Comment

by:EvilPeppard
@DaveBaldwin

Thanks for the explanation of the color codes in TCPView. I guess I will run these programs once the problem pops up. I still am not quite sure what I am looking for, even now knowing the color codes, though.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
I think that what you are looking for is too much stuff... connections and where they are coming from.  Many programs will make multiple connections.  Firefox is likely to make up to 4 connections for each page you have open.  They usually close pretty quick after the page is loaded.  But if the pages are self-updating like Facebook's pages, you could have a bunch of connections opening at once.

Anyway, TCPView and Process Explorer are tools to find what happens when it happens.  Since it's a TCP error, I would think that TCPView is more likely to show what's going on.
0
 
LVL 4

Expert Comment

by:FutureTechSysDOTcom
Set the computer up to reboot once or twice a week during when you would normally be asleep.
0
 

Author Comment

by:EvilPeppard
@FutureTechSysDOTcom

I don't want to do that. The point of my computer at home is like my computer at work; to have everything setup and running so I can just unlock my screen and get after it. I don't want to have to reopen everything, re-position windows, log into pages, re-open all my tabs. That all takes time, and is something I never had to do before, and something I do not do on any of my other computers.

Unfortunately, right now I have no choice but to reboot about once per week since my ports get all used up and rebooting was the only way I knew to clear them. I now can just reset my NIC, but still, rebooting just masks the problem, it doesn't help me solve it.

BTW, I have not seen any comments on if it is possible that my NIC may be bad. Can that cause my ports to not get released correctly, or is it all pointing toward some software programs that I should see in TCPView and Process Explorer?
0
 
LVL 82

Expert Comment

by:Dave Baldwin
I don't think your NIC hardware has anything to do with the ports being used up.  Ports are at a software level above the NIC and the NIC knows nothing about ports.
0
 

Author Comment

by:EvilPeppard
@DaveBaldwin

Ok, thanks for the clarification. I was assuming that too, but wanted to make sure.
0
 

Author Comment

by:EvilPeppard
I don't have any further updates at this time. I am still waiting for the problem to happen again.
0
 

Author Comment

by:EvilPeppard
Well, the problem is no longer happening. The issue seems to be coming from a particular website tab I was keeping open in Chrome. One of the tabs I had open was to http://www.overclockers.com/ (owned by iNet Interactive). By leaving that tab open, I would start running out of TCP ports within four days.

When I ran TCPView.exe, I could see a TON of traffic related to this website waiting for ports to close. I no longer keep that tab open and my TCP ports are opening and closing with no issues. Not sure what it is about that particular website, but it was definitely the issue.

After closing that website's tab and no longer keeping it open, my computer was up for 29 days with ZERO issue. I only restarted it because I needed to install some updates.

Thank you again for everyone's help with this issue.
0
