Jaa


Things that you may want to know about TCP Keepalives

Hi,

In this blog entry, I will be discussing TCP keepalive mechanism and will also provide some information about configuration options on Windows systems.

a) Definition

Let's first understand the mechanism. A TCP keep-alive packet is simply an ACK with the sequence number set to one less than the current sequence number for the connection. A host receiving one of these ACKs responds with an ACK for the current sequence number. Keep-alives can be used to verify that the computer at the remote end of a connection is still available. TCP keep-alives can be sent once every KeepAliveTime (defaults to 7,200,000 milliseconds or two hours) if no other data or higher-level keep-alives have been carried over the TCP connection. If there is no response to a keep-alive, it is repeated once every KeepAliveInterval seconds. KeepAliveInterval defaults to 1 second. NetBT connections, such as those used by other Microsoft networking components, send NetBIOS keep-alives more frequently, so normally no TCP keep-alives are sent on a NetBIOS connection. TCP keep-alives are disabled by default, but Windows Sockets applications can use the setsockopt() function to enable them.

b) Configuration

Now let's talk a little bit about configuration options. There're 3 registry keys where you can affect TCP Keepalive mechanism on Windows systems:

KeepAliveInterval
Key: Tcpip\Parameters
Value Type: REG_DWORD-time in milliseconds
Valid Range: 1-0xFFFFFFFF
Default: 1000 (one second)
Description: This parameter determines the interval between TCP keep-alive retransmissions until a response is received. Once a response is received, the delay until the next keep-alive transmission is again controlled by the value of KeepAliveTime. The connection is aborted after the number of retransmissions specified by TcpMaxDataRetransmissions have gone unanswered.

Notes:
TCPIP driver waits for a TCP Keepalive ACK for the duration of time specified in this registry entry.

KeepAliveTime
Key: Tcpip\Parameters
Value Type: REG_DWORD-time in milliseconds
Valid Range: 1-0xFFFFFFFF
Default: 7,200,000 (two hours)
Description: The parameter controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive transmission. Keep-alive packets are not sent by default. This feature may be enabled on a connection by an application

Notes:
In order for a TCP session to stay idle, there should be no data sent or received.

c) If OS is Windows XP/2003 the following registry entry applies:

TcpMaxDataRetransmissions
Key: Tcpip\Parameters
Value Type: REG_DWORD-number
Valid Range: 0-0xFFFFFFFF
Default: 5
Description: This parameter controls the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The Retransmission Timeout (RTO) value is dynamically adjusted, using the historical measured round-trip time (Smoothed Round Trip Time) on each connection. The starting RTO on a new connection is controlled by the TcpInitialRtt registry value.

Notes:
This registry entry determines the number of TCP retransmissions for an individual TCP segment. There's no special registry entry to determine the retransmission behavior of TCP Keepalives and this registry entry is also used for the TCP keepalive scenario.

Important note: If OS is Windows Vista/2008, the number of TCP Keepalive attempts are hardcoded to 10 and could not be adjusted via the registry.

d) Some special considerations

=> Even if TCP KeepaliveTime and TCPKeepAliveInterval registry keys are set to a specific value (TCPIP driver uses the deafult values even if we don't set these registry keys from the registry), TCPIP driver won't start sending TCP Keepalives until Keepalives are enabled via various methods at upper layers (layers above TCPIP driver).

=> Native Socket applications can enable TCP keepalives by using anyone of the following methods:

- setsockopt() with SO_KEEPALIVE option
- WSAIoctl() with SIO_KEEPALIVE_VALS option (it's also possible to change Keepalive timers with this API call dynamically on a per-socket basis)

=> Managed applications (.NET), can use one of the following methods:

- SetSocketOption method from Socket Class in System.Net.Sockets namespace
- GetSocketOption method from Socket Class in System.Net.Sockets namespace

=> Effect of using Keepalives on bandwidth usage

Since TCP Keepalives are TCP segments without data (and the SEQ number set to one less than the current SEQ number), Keepalive usage bandwidth usage can simply be neglected. There's an example below to give an idea about how big a TCP Keepalive packet could be:

- 14 bytes (L2 header - Assuming that Ethernet protocol is used. This could be even lower for other WAN protocols like PPP/HDLC/etc)
- 20 bytes (IP header - assuming no IP options are used)
- 20 bytes (TCP header - assuming no TCP options are used)

Total: ~54 bytes

Even if TCP Keepalive interval is set to 5 minutes or so (default is 2 hours), given that TCP connection goes idle, TCPIP driver will send a ~54 TCP Keepalive message every 5 minutes and as can be seen it could simply be neglected.

You may also find some references below:

References
=============================
https://www.microsoft.com/downloads/details.aspx?FamilyID=06c60bfe-4d37-4f50-8587-8b68d32fa6ee&displaylang=en
Microsoft Windows Server 2003 TCP/IP Implementation Details

https://www.microsoft.com/downloads/details.aspx?FamilyId=12AC9780-17B5-480C-AEF7-5C0BDE9060B0&displaylang=en
TCP/IP Registry Values for Microsoft Windows Vista and Windows Server 2008

https://msdn.microsoft.com/en-us/library/ms740476(VS.85).aspx setsockopt Function
https://msdn.microsoft.com/en-us/library/ms741621(VS.85).aspx WSAIoctl Function
https://msdn.microsoft.com/en-us/library/system.net.sockets.socket.setsocketoption.aspx Socket..::.SetSocketOption Method
https://msdn.microsoft.com/en-us/library/system.net.sockets.socket.getsocketoption.aspx Socket..::.GetSocketOption Method

Hope this helps.

Thanks,
Murat

Comments

  • Anonymous
    January 01, 2003
    Thank you for the feedback Ravindra. There could be some misleading information in some documentations, if you could send me Microsoft links for those documents that you refer to, I can internally initiate change request. Back to how it works in Windows Vista onwards, you can also get more information at the below link: msdn.microsoft.com/.../ee470551(VS.85).aspx  SO_KEEPALIVE Socket Option ... On Windows Vista and later, the number of keep-alive probes (data retransmissions) is set to 10 and cannot be changed. ... Thanks, Murat

  • Anonymous
    July 19, 2010
    Microsoft security guides for Vista, Windows 7 , 2008 and 2008 R2 recommend a value of 3 for the TcpMaxdataRetransmissions key.  This key is also mentioned in the TCP/IP Registry Values for Microsoft Windows Vista and Windows Server 2008 document and it also has the same recommendation. However your note above  "Important note: If OS is Windows Vista/2008, the number of TCP Keepalive attempts are hardcoded to 10 and could not be adjusted via the registry. " , what does this mean. Is there some error somewhere. Please advise. Thanks.

  • Anonymous
    December 16, 2013
    Pingback from TCP KEEP ALIVE | Cceye's Blog space

  • Anonymous
    December 16, 2013
    Pingback from Bad boy TCP KEEP ALIVE | Cceye's Blog space

  • Anonymous
    March 04, 2014
    One issue I run into time and time again when I do a network assessment for customers using Office 365

  • Anonymous
    April 02, 2014
    For windows sockets are tcp keep alives enabled by default ?

    What about for WinHTTP conversations that use windows sockets under the covers ?

    Thanks,

    Bill

  • Anonymous
    March 16, 2015
    Will it have any negative impact if i change "TcpMaxDataRetransmissions" to 5-6 as of now it is set to 3 (Default) and dont want to change keepalivetime which is set to 300000.

    Thanks,
    Tahir

  • Anonymous
    May 01, 2015
    Hi Tahir,
    This may impact on DHCP client service starting issue. It will stop DHCP client service and will not allowed you to restart it.

  • Anonymous
    May 21, 2015
    Hi,
    Thanks for your article. This Microsoft Support article says "TcpMaxDataRetransmissions" Registry is there in Windows 2008 R2. Please check


    https://support.microsoft.com/en-us/kb/170359?wa=wsignin1.0

  • Anonymous
    December 16, 2015
    Which value of "Keepalivetime" is recommendet to be set on Windows 2008 R2 Domain Controllers and Exchange 2010 servers for good working? Shall we have any trouble, if it is set to 300000 (5 min) recommended by security issues .

  • Anonymous
    January 15, 2016
    How can we check if these keys are working?

  • Anonymous
    April 04, 2016
    It was written "Important note: If OS is Windows Vista/2008, the number of TCP Keepalive attempts are hardcoded to 10 and could not be adjusted via the registry. " . What about newer Windows version Windows 2012 R2? I googled and could not find anything specific about these configurations for Windows 2012.

  • Anonymous
    December 19, 2017
    The article gives a relative path to the registry entries as "Tcpip\Parameters". In case anyone is looking for the full absolute path (like I was) I believe that it is: \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters