Mastering TCP Connection States: From Handshake to Backlog Tuning

Network Connection States

Network connection states (11 types) are crucial, covering both the three‑way handshake and the four‑way termination, so they must be well understood.

LISTEN – Passive open; the server creates a socket, binds, listens and blocks on accept() waiting for incoming TCP connection requests.

SYN_SENT – Active open; the client calls connect() , sends a SYN, and enters SYN_SENT while awaiting a SYN+ACK.

SYN_RECV – Server has received the client’s SYN, replies with SYN+ACK, and waits for the client’s ACK; the half‑open connection is placed in the SYN queue (size controlled by tcp_max_syn_backlog ).

ESTABLISHED – Both sides have exchanged SYN, SYN+ACK and ACK; the connection is fully open and data can be transferred.

FIN_WAIT1 – The active closer calls close() , sends FIN and waits for the remote ACK.

CLOSE_WAIT – The passive side has received FIN, acknowledges it, and waits for the application to close.

FIN_WAIT2 – After receiving ACK for its FIN, the active closer waits for the remote FIN.

LAST_ACK – The passive side has sent its FIN+ACK and waits for the final ACK.

TIME_WAIT – After both FINs are exchanged, the active closer stays in TIME_WAIT for 2 MSL to ensure the remote ACK is received.

CLOSING – Rare state waiting for the remote TCP to confirm connection termination.

CLOSED – The connection is fully terminated after the final ACK.

Three‑Way Handshake Process

Client: Sends SYN=J, enters SYN_SENT and waits for the server.

Server: Receives SYN=J, replies with SYN=K and ACK=J+1, enters SYN_RECV.

Client: Receives SYN=K, ACK=J+1, sends ACK=K+1, enters ESTABLISHED.

Server: Receives the ACK and also enters ESTABLISHED; data transfer can now begin.

The handshake also exchanges options such as MSS (maximum segment size) and SACK_PERM (selective acknowledgment) to improve reliability and efficiency.

Half‑Connection and Full‑Connection Queues

Incomplete (SYN) queue: Holds incoming SYN requests until the three‑way handshake completes. Size is controlled by /proc/sys/net/ipv4/tcp_max_syn_backlog (default 2048). cat /proc/sys/net/ipv4/tcp_max_syn_backlog Completed (accept) queue: Holds fully established connections ready for accept(). Default size is 128, limited by somaxconn and the backlog argument of listen(). cat /proc/sys/net/core/somaxconn When the accept queue overflows, the server may drop new connections or, if tcp_abort_on_overflow is set to 1, send a RST to the client.

Common Problems and Diagnostics

If the client receives the final ACK but the server’s accept queue is full, the client believes the connection is established while the server cannot process it, leading to retransmissions and eventual timeout. netstat -s | egrep "listen|LISTEN" Overflow messages appear as:

"times the listen queue of a socket overflowed" (full‑connection queue overflow)

"SYNs to LISTEN sockets ignored" (half‑connection queue overflow)

echo '1' > /proc/sys/net/ipv4/tcp_abort_on_overflow

To view queue lengths: ss -lnt Send‑Q shows the maximum size of the listen (full‑connection) queue; Recv‑Q shows the current usage.

Backlog Details

The connect() call returning does not guarantee a successful TCP connection; the server may have a full accept queue and silently drop the ACK, causing the client to timeout.

Client sends SYN; server places request in the SYN queue.

If the SYN queue is full, the server discards the request and the client retries.

The SYN queue length is set by tcp_max_syn_backlog.

After the server replies with SYN+ACK, the client’s socket moves to the waiting queue.

When the client sends ACK, the connection moves to the accept queue whose size is min(backlog, somaxconn) (default 128, many platforms use 511).

If the accept queue is full, the kernel’s tcp_abort_on_overflow decides whether to drop the connection silently (0) or send RST (1).

ss Command: Recv‑Q and Send‑Q

In LISTEN state, Recv‑Q is the current usage of the full‑connection queue and Send‑Q is the maximum backlog size.

In non‑LISTEN states, Recv‑Q indicates bytes received but not yet read by the application, and Send‑Q indicates bytes waiting for the peer to acknowledge.

# Count TCP states
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
# Count states for a specific PID
netstat -ntap | grep '3141' | awk '{++S[$6]} END {for(a in S) print a, S[a]}'

Linux Kernel TCP/IP Parameters

tcp_abort_on_overflow (default 0) – Determines how to handle a full accept queue: 0 drops the connection, 1 sends RST.

net.core.netdev_max_backlog (default 128) – Maximum number of packets queued when the NIC receives faster than the kernel can process.

net.ipv4.tcp_max_orphans – Limits TCP sockets without an associated user file descriptor to prevent DoS.

net.ipv4.tcp_max_syn_backlog – Maximum half‑open connections (SYN queue size).

net.core.somaxconn – Maximum length of the accept queue (default 128).

net.ipv4.tcp_timestamps – Enables TCP timestamps to avoid sequence‑number reuse.

net.ipv4.tcp_synack_retries – Number of SYN+ACK retransmissions before giving up (default 5).

net.ipv4.tcp_syn_retries – Number of SYN retransmissions before aborting the connection.

net.ipv4.tcp_syncookies – Enables SYN cookies to mitigate SYN‑flood attacks (0 disabled, 1 enabled).

net.ipv4.tcp_tw_reuse and net.ipv4.tcp_tw_recycle – Control reuse and fast recycling of TIME_WAIT sockets.

net.ipv4.tcp_fin_timeout – Timeout for sockets in FIN_WAIT‑2 (default 2 MSL).

net.ipv4.tcp_keepalive_time – Interval for TCP keepalive probes (default 2 hours).

net.ipv4.ip_local_port_range – Range of ports used for outbound connections (default 1024‑65000).

net.ipv4.tcp_max_tw_buckets – Maximum number of TIME_WAIT sockets (default 180000, often reduced to 5000 for high‑performance servers).