Jeff here, from the Windows SDK team.
Recently, I had a case involving a client server application. My customer writes software that is deployed to thousands of other
customers and only 2 were having this problem, so it probably wasn’t a code problem. The server side of the application would stop accepting new socket
connections, but would still service existing connections. Networking traces and ETL showed that the server would return a RST packet to every SYN connection
attempt. This only affected the customer’s service, and not SMB or RDP connections.
The customer didn’t have much logging in the accept code, but it was clear that we weren’t getting normal accept requests. It was also
reported that this happened after a network outage that involved a link failover.
After we implemented lots of logging in the accept connection code, we saw that we were receiving Winsock error 10054, WSAECONNRESET,
An existing connection was forcibly closed by the remote host, even though we were the one resetting the connection. After several weeks of troubleshooting,
a quick search returned a very valuable KB article.
An application may receive the “10054” error when the application receives data from a connection on a computer that is running Windows 7 or
Windows Server 2008 R2 if a TDI filter driver is installed, KB 981344.
The customer did have a TDI filter driver installed, TrendMicro OfficeScan, and they were running Windows 2008 R2.
The resolution was to enable the regkey, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\TdxPrematureConnectIndDisabled.
A change was made in Vista that prevented us from sending too many connection attempts in a short time through TDI, similar to SYN attack
protection. Enabling this regkey allowed all the simultaneous connections caused by the network outage to reach the server application.
Follow us on Twitter, www.twitter.com/WindowsSDK.