Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-5024: Large number of CLOSE_WAIT connections for lsass.exe on DC

Authentication Service ,  

26 December,14 at 09:45 PM

Problem:
A large number of connections, mostly for port 88 in the CLOSE_WAIT state are being seen on the DC tied to the lsass.exe process. Connections on the Linux side timeout in FIN-WAIT-1 state. 

Information:
 It is the DC side that is waiting for its application to close socket to transition to LAST_ACK. but the close() call never came. 
Research into the into the CLOSE_WAIT status on the DC we found lots of CLOSE_WAIT complaints on internet for MS. 
Please see the following non Centrify link for information on this issue specifically for Kerberos: 
https://social.technet.microsoft.com/Forums/en-US/ebecd16b-5d24-4782-a473-ca49771b1e3a/hundreds-of-closewait-tcp-states-kerberos?forum=winserverDS 

Resolution:
This is a known issue with MS and we respectfully request you contact MS support to see what they advise as corrective action. 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-24357: Can the number of listed Domain Controllers in the krb5.conf file be limited? articleKB-6041: How to show current license type in use by adclient articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS article[LABS] Setting-up the MFA for Servers feature of Centrify Server Suite 2016 article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-3410: Setting adclient.server.try.max: 0 does not bring adclient to Disconnected mode as described in Centrify Agent version 5.1.1 articleKB-3925: How to add Centrify parameter to a group policy