If a Windows server has several thousand ports open in LAST_ACK
state (as shown by netstat), what could this mean? Is it because one endpoint is waiting for the other to respond?
If a Windows server has several thousand ports open in LAST_ACK
state (as shown by netstat), what could this mean? Is it because one endpoint is waiting for the other to respond?
The last_ack state (if I recall my TCP stack correctly) is the state when you have received your FIN message to close the connection from your neighbour, but you still need to flush and shut down your connection. You send the final FIN yourself and wait for an ACK.
Typically hanging in last_ack means your application keeps a socket open even when the the other end has finished sending data. This can happen for multiple reasons. There might be a firewall or other load balancer which loses last ACK from the client, and leaves you stuck in the last_ack state. If the connections are not timed out after a few minutes (10 or so) you probably have a bug.
Have a look at the state diagram at http://tangentsoft.net/wskfaq/articles/debugging-tcp.html
LAST_ACK means your end has received a FIN from the peer, sent an ACK, sent a FIN, and is waiting for the final ACK from the peer. At this point there is nothing further the application can do: the socket is closed. The application may even have exited. From here on it is up to TCP to resend the FIN until it gets the final ACK, or time out doing so. Not much you can do as an admin except investigate the network.
LAST_ACK is the last state right before closing the down the TCP connection.
I believe that @lmo is correct in saying that it's "the last state right before closing down the TCP connection," but in addition to this, based on my reading of the wikipedia page, it's worth noting that this is not part of the "Active Close" mechanism that (in my understanding) is the ending of most well-behaved connections, but rather part of the "Passive Close" sequence, which is presumably associated with Bad Stuff Happening.
(FWIW, I'm languages, not networks. I'd be happy for clarification from a networks person.)