Reputation: 2167
I have a Windows application that needs to use ports 50005 and 50006 but it is being blocked.
I see the following when I run netsh int ip show excludedportrange protocol=tcp:
Protocol tcp Port Exclusion Ranges
Start Port End Port
---------- --------
5357 5357
49709 49808
49809 49908
49909 50008
50009 50108
50109 50208
50280 50379
* - Administered port exclusions.
So something on my machine is reserving ports 49909 to 50008, which is presumably what is causing my application to fail. I've tried deleting this excludedportrange with the following command:
netsh int ip delete excludedportrange protocol=tcp numberofports=100 startport=49909
But I see an error, "Access is denied.", which makes me think that whatever is reserving these ports is actively running, but I have no idea what that could be.
What's also weird is that after running that command, even though I saw an error, if I reboot the excludedportrange will be different.
As a sanity check I've also run resmon.exe and confirmed that there is nothing running on ports 50005 and 50006.
How can I tell what is adding the excludedportrange?
EDIT: I've narrowed this down to Hyper-V. If I disable Hyper-V then those ports are not excluded.
Upvotes: 100
Views: 44661
Reputation: 56
First, confirm this answer applies to you by running netsh int ipv4 show dynamicport tcp in cmd.exe as admin.
If you see that the problematic port is within one of those ranges, then follow these steps:
cmd.exe as admin
netsh int ipv4 set dynamic tcp start=49152 num=16384
netsh int ipv4 show dynamicport tcp
The dynamic port range should be 49152-65535
Sources
To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is 49152, and the new default end port is 65535.
Port numbers are assigned in various ways, based on three ranges: System Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private Ports (49152-65535); the different uses of these ranges are described in [RFC6335]
the Dynamic Ports, also known as the Private or Ephemeral Ports, from 49152-65535 (never assigned)
Upvotes: 0
Reputation: 777
We managed to contain this problem, for the case where you cannot change your ports' needs to another location (like a non-configurable application).
When you issue the command:
netsh int ip show excludedportrange protocol=tcp
You get an output with a list of port ranges reserved:
Protocol tcp Port Exclusion Ranges
Start Port End Port
---------- --------
33474 33573
50000 50059 *
58159 58258
58259 58358
58359 58458
58459 58558
58559 58658
58659 58758
58759 58858
* - Administered port exclusions.
The most likely reason for this is the Windows Hyper-V (Microsoft's hardware virtualization product) that reserves random port ranges (usually blocks of 100 ports). This becomes a pain, because if you are developing an application or larger solution that uses multiple ports, sometimes you get a conflict and sometimes not after rebooting your system.
To look up the "Dynamic Port Range" you can issue the command:
netsh int ipv4 show dynamicport tcp
The answer:
Protocol tcp Dynamic Port Range
---------------------------------
Start Port : 1024
Number of Ports : 64511
Let's say your development is under and up to port 60000, you can issue the following command to restrict the dynamic port range out of it (you must have administrator privileges):
netsh int ipv4 set dynamic tcp start=60001 num=5534
To make Hyper-V (and Windows in general) use this new dynamic range you have to reboot your system.
Now if we request the excluded port range:
netsh int ip show excludedportrange protocol=tcp
The response has changed:
Protocol tcp Port Exclusion Ranges
Start Port End Port
---------- --------
50000 50059 *
63904 64003
64004 64103
64105 64204
64205 64304
64305 64404
64405 64504
64505 64604
64605 64704
* - Administered port exclusions.
Only the "Administered port exclusions" remain below port 60001.
Upvotes: 22
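An added example (not part of any post above): a Python check that parses text in the format of the two netsh outputs shown on this page and classifies each port an application needs. The sample text is constructed from ranges quoted in the question and answers; the function names and status labels are assumptions of this example.

```python
import re

# Constructed sample text in the format of the netsh outputs shown on this page.
SAMPLE_EXCLUDED = """Protocol tcp Port Exclusion Ranges
Start Port    End Port
----------    --------
      5357        5357
      9012        9013     *
     49709       49808
     49909       50008
     50280       50379
* - Administered port exclusions.
"""
SAMPLE_DYNAMIC = """Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 1024
Number of Ports : 64511
"""
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s*(\*)?\s*$")

def parse_excluded(text):
    """Return [(start, end, administered)] from 'show excludedportrange' output."""
    return [(int(m[1]), int(m[2]), m[3] is not None)
            for m in map(ROW.match, text.splitlines()) if m]

def parse_dynamic(text):
    """Return the inclusive (first, last) port of the dynamic range."""
    start = int(re.search(r"Start Port\s*:\s*(\d+)", text)[1])
    count = int(re.search(r"Number of Ports\s*:\s*(\d+)", text)[1])
    return start, start + count - 1  # num counts ports, so last = start + num - 1

def audit(ports, excluded, dynamic):
    """Classify each port the application needs (labels are this example's own)."""
    report = {}
    for p in ports:
        hit = next((r for r in excluded if r[0] <= p <= r[1]), None)
        if hit:  # '*' rows were added by an administrator, the rest by the system
            report[p] = "administered" if hit[2] else "blocked"
        elif dynamic[0] <= p <= dynamic[1]:
            report[p] = "at-risk"  # free now, but inside the dynamic range
        else:
            report[p] = "ok"
    return report

if __name__ == "__main__":
    rows, dyn = parse_excluded(SAMPLE_EXCLUDED), parse_dynamic(SAMPLE_DYNAMIC)
    print(audit([50005, 50006, 9012, 8080, 443], rows, dyn))
```

On a Windows host, pass the captured output of the two netsh show commands to parse_excluded and parse_dynamic instead of the sample strings.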
Reputation: 430
I had the same problem and uninstalled Hyper-V, but the reserved ports were still there. After several attempts I identified Windows Sandbox as the culprit to be uninstalled.
Upvotes: 1
Reputation: 15927
It appears that Hyper-V reserves random ports (or something Hyper-V related at least). Use netsh int ip show excludedportrange protocol=tcp to confirm that the ports that aren't working are in the output.
This has worked for me to free the ports up. It doesn't seem intrusive to me (25 thumbs up):
This is often caused by the Windows NAT Driver (winnat), stopping and restarting that service may resolve the issue.
net stop winnat
docker start ...
net start winnat
After this the ports were no longer reserved, but my WSL2 terminal no longer had connection to the internet, so I needed to reboot after this to get everything working again.
If you don't do anything more, you'll likely run into this problem again. So to e.g. reserve ports 9012 and 9013 for your future use (so winnat never tries to use them):
netsh int ipv4 add excludedportrange protocol=tcp startport=9012 numberofports=2
(Thanks @Venryx for reminding me)
In an answer to a similar question about why docker couldn't open ports (24 thumbs up), this also worked for me:
netcfg -d
--this will clean up all networking devices, and requires a reboot
Somebody does warn about it though (4 thumbs up). Your mileage may vary. It worked for me, mostly because I didn't see the following warning until after I ran it successfully....
that (netcfg -d) is a dangerous command, it corrupted my docker and it does not start up anymore. Even after reinstalling HyperV and rebooting machine. It seems that this command removes several network adapters. Also restart does nothing. I had to reset (lose) containers and images but that led me to another issue
Another answer to a similar docker question (129 thumbs up) has this, but it seemed much more involved for me, so I didn't try it:
@veqryn the workaround worked for me, the steps are:
Disable hyper-v (which will require a couple of restarts)
dism.exe /Online /Disable-Feature:Microsoft-Hyper-V
When you finish all the required restarts, reserve the port you want so hyper-v doesn't reserve it back
netsh int ipv4 add excludedportrange protocol=tcp startport=50051 numberofports=1 store=persistent
Re-Enable hyper-V (which will require a couple of restarts)
dism.exe /Online /Enable-Feature:Microsoft-Hyper-V /All
When your system is back, you will be able to bind to that port successfully.
Upvotes: 95