Master TCP Handshake & Teardown: Linux TIME_WAIT Tuning Explained
This article explains the TCP three‑way handshake and four‑way termination processes, clarifies the TIME_WAIT state, shows how to inspect socket states with netstat, and provides practical Linux sysctl settings to reduce excessive TIME_WAIT sockets and improve network performance.
TCP Connection Basics
The TCP protocol establishes a reliable connection using a three‑way handshake: the client sends a SYN packet, the server replies with SYN‑ACK, and the client completes the handshake with an ACK. Once the handshake succeeds, data can be exchanged between the two endpoints.
Connection Termination
Closing a TCP connection involves a four‑step termination (often called a four‑way handshake). Either side can initiate termination by sending a FIN packet. The peer acknowledges with an ACK and, if it still has data to send, continues to use the socket before sending its own FIN. The initiator then enters FIN_WAIT states, and after receiving the final ACK it moves to TIME_WAIT for a duration of 2 MSL (Maximum Segment Lifetime) to ensure delayed packets are discarded.
TIME_WAIT Implications
When many connections enter TIME_WAIT, the number of sockets in this state can become large, as shown by the netstat output below. Excessive TIME_WAIT sockets consume kernel resources and may limit the number of concurrent connections, especially on high‑traffic web servers.
# netstat -an | awk '/^tcp/ {++State[$NF]}END{for(key in State)print key "\t" State[key]}'
LAST_ACK 7
LISTEN 9
SYN_RECV 2
CLOSE_WAIT 125
ESTABLISHED 1070
FIN_WAIT1 17
FIN_WAIT2 247
CLOSING 4
TIME_WAIT 25087
Linux Kernel Tuning to Reduce TIME_WAIT
Adjusting several net.ipv4 sysctl parameters can mitigate the impact of many TIME_WAIT sockets:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65000
tcp_syncookies enables SYN cookies to protect against SYN‑flood attacks. tcp_tw_reuse allows sockets in TIME_WAIT to be reused for new connections, while tcp_tw_recycle speeds up the cleanup of TIME_WAIT sockets (note: it should be disabled in NAT environments). tcp_max_tw_buckets limits the maximum number of TIME_WAIT sockets; lowering it helps prevent resource exhaustion on servers like Apache or Nginx. tcp_max_syn_backlog enlarges the SYN queue to handle more pending connections, and tcp_keepalive_time reduces the interval between keepalive probes. Finally, expanding ip_local_port_range provides a larger pool of client ports.
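As an added example (not part of the original article), the shell function below audits a set of these sysctl lines before they are applied and flags the settings that can hurt rather than help. The names audit_tw_sysctl and sample_conf are hypothetical, and three checks rest on kernel behaviour the article does not state: tcp_tw_recycle was removed in Linux 4.12, tcp_tw_reuse depends on TCP timestamps, and TIME_WAIT sockets beyond tcp_max_tw_buckets are destroyed immediately.

```shell
#!/bin/sh
# Added example (not from the article): audit TIME_WAIT-related sysctl settings.
# Reads "key = value" lines on stdin (sysctl.conf syntax or `sysctl -a` output).
# Optional $1: observed TIME_WAIT count, e.g. from the article's netstat tally.
audit_tw_sysctl() {
    awk -F= -v tw="${1:-}" '
    /^[ \t]*[#;]/ || !/=/ { next }            # skip comments and non-assignments
    {
        key = $1; val = $2
        gsub(/^[ \t]+|[ \t]+$/, "", key)      # trim whitespace around key
        gsub(/^[ \t]+|[ \t]+$/, "", val)      # and around value
        cfg[key] = val                        # last assignment wins, as in sysctl
    }
    END {
        p = "net.ipv4."
        if (cfg[p "tcp_tw_recycle"] == "1")
            print "WARN tcp_tw_recycle=1: unsafe for clients behind NAT; key was removed in Linux 4.12"
        if (cfg[p "tcp_syncookies"] != "1")
            print "WARN tcp_syncookies is not set to 1 in this input"
        if (cfg[p "tcp_tw_reuse"] == "1" && cfg[p "tcp_timestamps"] == "0")
            print "WARN tcp_tw_reuse=1 has no effect with tcp_timestamps=0"
        max = cfg[p "tcp_max_tw_buckets"]
        if (tw != "" && max != "" && tw + 0 >= max + 0)
            print "WARN TIME_WAIT count " tw " >= tcp_max_tw_buckets " max ": kernel will destroy new TIME_WAIT sockets early"
    }'
}

# Constructed sample: a subset of the article's settings, with a comment line added.
sample_conf() {
    cat <<'EOF'
# TIME_WAIT tuning from the article
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_tw_buckets = 5000
EOF
}

sample_conf | audit_tw_sysctl 25087   # 25087 = TIME_WAIT count before tuning
```

On a live host the same function can be fed with `sysctl -a 2>/dev/null | audit_tw_sysctl "$count"`, where `$count` is the TIME_WAIT figure from the netstat tally.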
Resulting Socket State After Tuning
Running the same netstat command after applying the above settings typically shows a dramatically lower TIME_WAIT count, as illustrated below:
# netstat -an | awk '/^tcp/ {++State[$NF]}END{for(key in State)print key "\t" State[key]}'
LAST_ACK 140
LISTEN 9
SYN_RECV 7
CLOSE_WAIT 2
ESTABLISHED 972
FIN_WAIT1 21
FIN_WAIT2 152
CLOSING 2
TIME_WAIT 682
By understanding the handshake and teardown mechanisms and applying appropriate kernel parameters, administrators can keep TCP socket usage efficient and avoid performance degradation caused by an overload of TIME_WAIT sockets.
