Detecting ephemeral port exhaustion

Ephemeral ports are range of ports that Windows and Windows Server use for outbound communications over the TCP/IP network protocol. When an outbound connection is finished, the port associated to the connection is put into a TIMED_WAIT state for two minutes by default. This allows any lingering packets on the network to be ignored. Windows Server 2008 and later use the IANA range which uses the ports between 49152 and 65535 providing 16,383 ports.

Some applications and services such as Microsoft Exchange Server CAS servers can be very “chatty” and might actually use all 16,383 ports within a two minute time period. The result is connection failures similar to “Couldn’t connect to X, due to no ports available from the end point mapper”.

If you suspect ephemeral port exhaustion, then consider running the following Powershell script called “Log-EphemeralPortStats.ps1”:
https://skydrive.live.com/redir?resid=E6360C54B48A891B!5328

Warning: This script is provided as sample code only. Please review it and use at your own risk.

This script is designed to run in an infinite loop of 1 minute sleep intervals and write to a log file called “EphemeralPortStats.log”. Here is an example of the output it produces:

Computer       DateTime             LocalAddress  #OfEPortsInUse Max#OfEPorts %EPortUsage #OfTcpListeningPorts #OfPids
--------       --------             ------------  -------------- ------------ ----------- -------------------- -------
ETCHEDCHAMPION 8/9/2013 12:37:42 PM 127.0.0.1                  6        16384           0                   15      11
ETCHEDCHAMPION 8/9/2013 12:37:42 PM 172.18.96.192              3        16384           0                   15      10
ETCHEDCHAMPION 8/9/2013 12:37:42 PM 192.168.1.2               69        16384         0.4                   15      17

This script is intended to be ran from the console of the computer suspected to be running low on ephemeral ports and to leave it running. Periodically review the log to see if there was any ephemeral port exhaustion detected.

This script gets the port range from:

netsh int ipv4 show dynamicportrange tcp

Then, correlates this information with the output of:

netstat –ano –p tcp

PsExec can be potentially used to get this information from remote computers, but keep in mind that passwords used in PsExec are sent in the clear over the network.

My PFE colleagues and customers have used this script quit a bit and I hope it will help you as well.