Computer NetworksTCP Protocol

Connection Termination

LevelIntermediate

Duration75 mins

TopicTCP Protocol

1 / 1

Four-Way Handshake

The Art of Saying Goodbye in TCP

In human communication, ending a conversation gracefully requires mutual acknowledgment—a simple "goodbye" from one party and a corresponding acknowledgment from the other. In the world of TCP, with its unwavering commitment to reliability, ending a connection is far more ceremonial and deliberate than starting one.

While the TCP three-way handshake establishes connections with elegant efficiency, connection termination demands a four-way handshake—an intentionally asymmetric process that ensures both parties have completed their data transfer, acknowledged all outstanding segments, and can safely release connection resources without losing a single byte.

This asymmetry isn't accidental. It reflects a profound architectural decision: connections are bidirectional, and each direction must be closed independently. This page explores the four-way handshake in exhaustive detail, revealing why TCP's designers chose this approach and how it guarantees the reliability that TCP promises.

What You Will Learn

By the end of this page, you will understand the complete four-way handshake mechanism, including the purpose of each message, the state transitions involved, the timing considerations, and why TCP requires four segments to terminate what took only three to establish. You'll gain the depth expected of a principal engineer diagnosing connection teardown issues in production systems.

Understanding Connection Termination

Why is termination different from establishment?

TCP connection establishment uses three segments (SYN, SYN-ACK, ACK) to synchronize both endpoints and establish bidirectional communication. This works efficiently because both sides can piggyback their acknowledgments and synchronization in combined messages.

Connection termination, however, faces a fundamental asymmetry: either endpoint can initiate closure independently, and the other endpoint may still have data to send. This creates the need for a four-segment exchange.

The Bidirectional Nature of TCP

A TCP connection consists of two independent, unidirectional data streams:

Client → Server stream: Data flows from client to server
Server → Client stream: Data flows from server to client

Each stream must be closed separately. When the client finishes sending data, it closes its outbound stream, but the server may still be transmitting. The four-way handshake respects this independence.

Connection vs. Connection Stream

A critical distinction: closing a TCP connection means closing both streams. The four-way handshake ensures each stream is closed with proper acknowledgment, guaranteeing that all data in transit is delivered before resources are released.

The Four Segments Explained

The four-way handshake consists of:

FIN from Initiator: "I have finished sending data"
ACK from Receiver: "I acknowledge your finish"
FIN from Receiver: "I have also finished sending data"
ACK from Initiator: "I acknowledge your finish"

Each FIN closes one direction of data flow. Each ACK confirms receipt of that closure. Together, they ensure both parties agree that communication has ended.

The Complete Four-Way Handshake Flow

Let's trace through the four-way handshake step by step, examining the precise sequence of events, the TCP header flags involved, and the state transitions at each endpoint.

Initial State: ESTABLISHED

Both client and server are in the ESTABLISHED state. Data can flow in both directions. Either party can initiate connection termination; for this example, we'll assume the client initiates.

Step 1: Client Sends FIN (Active Close)

The client application calls close() on the socket. The TCP stack responds by:

Setting the FIN (Finish) flag in the TCP header
Including the client's current sequence number
Transitioning to the FIN_WAIT_1 state
The client can no longer send data (but can still receive)

Step 1: Client FIN Segment
Field	Value	Significance
Source Port	Client's ephemeral port	Identifies sending application
Destination Port	Server's service port	Identifies receiving application
Sequence Number	X	Last byte sent + 1 (FIN consumes one sequence number)
Acknowledgment Number	Y	Next expected byte from server
Flags	FIN, ACK	FIN indicates end of data; ACK for previous data
Window Size	Client's receive window	Still relevant for incoming data

Step 2: Server Sends ACK (Passive Close Initiated)

Upon receiving the FIN, the server's TCP stack:

Acknowledges the FIN by adding 1 to the received sequence number
Transitions to the CLOSE_WAIT state
Notifies the server application that the client has finished sending
The server can still send data to the client

Step 2: Server ACK Segment
Field	Value	Significance
Source Port	Server's service port	Response from server
Destination Port	Client's ephemeral port	Directed to client
Sequence Number	Y	Server's current sequence number
Acknowledgment Number	X + 1	Acknowledges client's FIN
Flags	ACK	Acknowledges the FIN segment
Window Size	Server's receive window	Buffer space available

The CLOSE_WAIT State

After sending the ACK, the server enters CLOSE_WAIT. This is a waiting state—the server application must explicitly close its end of the connection. If the application fails to do so (due to bugs or resource leaks), connections can accumulate in CLOSE_WAIT indefinitely, consuming system resources. Monitoring CLOSE_WAIT counts is essential for production health.

Client State Transition: FIN_WAIT_1 → FIN_WAIT_2

When the client receives the server's ACK for its FIN:

The client transitions from FIN_WAIT_1 to FIN_WAIT_2
The client's outbound stream is now officially closed
The client waits for the server's FIN

Step 3: Server Sends FIN

When the server application finishes sending data and calls close():

The server's TCP stack sends a FIN segment
Server transitions from CLOSE_WAIT to LAST_ACK
Server waits for final acknowledgment

Step 3: Server FIN Segment
Field	Value	Significance
Source Port	Server's service port	Server closing its stream
Destination Port	Client's ephemeral port	To the initiating client
Sequence Number	Y (or Y + n if data was sent)	Server's final sequence number
Acknowledgment Number	X + 1	Maintains acknowledgment
Flags	FIN, ACK	Server's finish signal
Window Size	Server's receive window	Still included per protocol

Step 4: Client Sends Final ACK

Upon receiving the server's FIN:

Client acknowledges by adding 1 to the server's final sequence number
Client transitions from FIN_WAIT_2 to TIME_WAIT
Client starts the 2MSL timer
After 2MSL expires, client transitions to CLOSED

Step 4: Client Final ACK
Field	Value	Significance
Source Port	Client's ephemeral port	Final response
Destination Port	Server's service port	Completing handshake
Sequence Number	X + 1	Client's sequence (unchanged)
Acknowledgment Number	Y + 1 (or Y + n + 1)	Acknowledges server's FIN
Flags	ACK	Final acknowledgment
Window Size	Client's receive window	Standard header field

Server's Final State: CLOSED

Upon receiving the final ACK, the server immediately transitions from LAST_ACK to CLOSED. The server doesn't enter TIME_WAIT—only the active closer (initiator) does. This asymmetry has important implications for server design and port reuse.

Visualizing the Four-Way Handshake

Converting Mermaid diagram...

Key Observations from the Diagram

Asymmetric Timing: The server can delay its FIN arbitrarily while finishing data transmission. The time between steps 2 and 3 can range from microseconds to minutes.
State Differences: The client goes through FIN_WAIT_1 → FIN_WAIT_2 → TIME_WAIT → CLOSED, while the server goes through CLOSE_WAIT → LAST_ACK → CLOSED.
Who Waits: Only the active closer (initiator) enters TIME_WAIT. The passive closer goes directly to CLOSED after receiving the final ACK.
Sequence Number Consumption: Each FIN consumes exactly one sequence number, which is why acknowledgments increment by 1 even though no data is transmitted.

Why Four Segments Are Necessary

A natural question arises: Why can't we combine the server's ACK and FIN into a single segment, reducing termination to three segments?

The answer lies in the nature of application behavior and the separation between acknowledging reception and being ready to close.

Scenario Analysis

Consider a web server handling an HTTP request:

Client sends request, then wants to close its send stream (FIN)
Server receives the FIN and acknowledges it (ACK) immediately
Server is still processing the request and generating the response
Server continues sending response data
Server finishes sending and closes its stream (FIN)

In this scenario, the server's ACK and FIN cannot be combined because there's application work between them. The ACK is sent immediately by the TCP stack, but the FIN is only sent when the application explicitly closes the socket.

The Piggybacking Optimization

If the server application closes immediately upon receiving the client's FIN (no pending data), the server's ACK and FIN CAN be combined into a single segment. This reduces the handshake to three segments but is a special case, not the general rule. TCP must handle the general case where they cannot be combined.

When 3-Segment Termination Works

•Server has no pending response data
•Application immediately calls close()
•ACK and FIN can be sent together
•Reduces network round trips
•TCP stack optimizes when possible

When 4-Segment Termination Required

•Server still processing/generating data
•Application delays before calling close()
•Half-close semantics utilized
•Streaming responses in progress
•Most real-world scenarios

The Separation of Concerns Principle

TCP's design separates several concerns:

Transport layer acknowledgment (ACK): "I received your segment" — handled by TCP stack
Application layer completion (FIN): "I'm done sending" — controlled by application
Connection state management: Tracking progress through state machine

This separation ensures that TCP can acknowledge receipt immediately (essential for flow control and retransmission) while allowing applications arbitrary time to complete their work before signaling closure.

State Machine Deep Dive

Understanding the TCP state machine is essential for debugging connection issues in production. Let's examine each state involved in connection termination in detail.

FIN_WAIT_1: Initiator Awaiting ACK

When the initiating endpoint sends a FIN:

Transitions to FIN_WAIT_1
Waits for ACK of its FIN
Can still receive data from the peer
Retransmits FIN if no ACK received within RTO
Normal duration: one round-trip time

FIN_WAIT_1 State Details
Attribute	Description
Entry Trigger	Application calls close() or shutdown(SHUT_WR)
Exit to FIN_WAIT_2	Receive ACK for our FIN
Exit to TIME_WAIT	Receive FIN+ACK simultaneously (rare)
Exit to CLOSING	Receive peer's FIN before our ACK
Stuck Symptoms	Peer not responding; possible network partition

FIN_WAIT_2: Initiator Awaiting Peer's FIN

After receiving ACK for its FIN:

Transitions to FIN_WAIT_2
Outbound stream is closed, inbound open
Waiting for peer to close its stream
Can receive data (half-close mode)
No timeout by default (RFC 793)

FIN_WAIT_2 Dangers

FIN_WAIT_2 has no standard timeout. If the peer never sends FIN (application bug, crash, or intentional delay), the connection remains in FIN_WAIT_2 forever, leaking resources. Many operating systems implement non-standard timeouts (e.g., Linux: tcp_fin_timeout, typically 60 seconds) to prevent this.

CLOSE_WAIT: Passive Closer Awaiting Application Close

When a peer's FIN is received:

TCP acknowledges the FIN automatically
Transitions to CLOSE_WAIT
Application is notified (EOF on read)
Application may continue sending data
Stays here until application calls close()

CLOSE_WAIT State Details
Attribute	Description
Entry Trigger	Receive FIN from peer while in ESTABLISHED
Exit to LAST_ACK	Application calls close(), TCP sends FIN
Duration	Unlimited—until application acts
Monitoring Importance	High; accumulation indicates application bugs
Common Cause of Leaks	Unclosed sockets in server applications

LAST_ACK: Passive Closer Awaiting Final ACK

After sending its FIN:

Transitions to LAST_ACK
Waiting for ACK of its FIN
Will retransmit FIN if ACK not received
Upon receiving ACK, transitions directly to CLOSED

TIME_WAIT: The Final Waiting Period

After sending the final ACK:

Active closer transitions to TIME_WAIT
Waits for 2 × MSL (Maximum Segment Lifetime)
Prevents delayed segment confusion
Can respond to retransmitted FINs
Resources held but connection closed

State Machine Summary

•Active Closer Path: ESTABLISHED → FIN_WAIT_1 → FIN_WAIT_2 → TIME_WAIT → CLOSED
•Passive Closer Path: ESTABLISHED → CLOSE_WAIT → LAST_ACK → CLOSED
•Simultaneous Close Path: ESTABLISHED → FIN_WAIT_1 → CLOSING → TIME_WAIT → CLOSED
•Key Insight: Only the active closer enters TIME_WAIT

Simultaneous Close

What happens when both endpoints decide to close at exactly the same time? TCP handles this gracefully through a mechanism called simultaneous close.

The Scenario

Both applications call close() at roughly the same time
Both endpoints send FIN segments
Both FINs cross in the network
Each endpoint receives the peer's FIN instead of an ACK

The State Transitions

Both endpoints:

Start in ESTABLISHED
Send FIN, enter FIN_WAIT_1
Receive peer's FIN while in FIN_WAIT_1
Send ACK, enter CLOSING (a special state for simultaneous close)
Receive ACK of their FIN
Enter TIME_WAIT
After 2MSL, enter CLOSED

Converting Mermaid diagram...

The CLOSING State

The CLOSING state exists only for simultaneous close. It represents a situation where both endpoints have sent FINs but neither has received the ACK for their FIN yet. Upon receiving the ACK, the endpoint transitions to TIME_WAIT, not directly to CLOSED.

Key Observations

Both Enter TIME_WAIT: Unlike normal close where only the active closer enters TIME_WAIT, simultaneous close puts both endpoints in TIME_WAIT.
Four Segments Total: Despite being simultaneous, the handshake still requires four segments—two FINs and two ACKs.
Rare in Practice: Simultaneous close is uncommon in real applications but TCP must handle it correctly.
Protocol Correctness: This scenario demonstrates TCP's state machine completeness—it handles all possible timing scenarios gracefully.

Implementation Considerations

Understanding the four-way handshake has significant implications for application development and system administration.

Application Patterns

When closing sockets, applications have several options:

Socket Closing Options
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
// Option 1: Standard close - initiates four-way handshake
close(socket_fd);
 
// Option 2: Half-close - close only send direction
shutdown(socket_fd, SHUT_WR);  // Sends FIN, can still receive
// ... receive remaining data from peer ...
close(socket_fd);
 
// Option 3: Shutdown both directions then close
shutdown(socket_fd, SHUT_RDWR);  // Signals both directions
close(socket_fd);
 
// Option 4: Abortive close - sends RST instead of FIN
struct linger so_linger;
so_linger.l_onoff = 1;
so_linger.l_linger = 0;
setsockopt(socket_fd, SOL_SOCKET, SO_LINGER, 
           &so_linger, sizeof(so_linger));
close(socket_fd);  // Sends RST, no four-way handshake

Monitoring Connection States

System administrators should regularly monitor TCP states to detect potential issues:

Monitoring Commands

# View all TCP connections and their states
ss -tan
 
# Count connections by state
ss -s
 
# Watch for CLOSE_WAIT accumulation (indicates app bugs)
ss -tan state close-wait | wc -l
 
# Watch for TIME_WAIT accumulation (high connection churn)
ss -tan state time-wait | wc -l
 
# Detailed connection info including timers
ss -tnoe
 
# Using netstat (older but portable)
netstat -an | grep -E '(State|ESTABLISHED|CLOSE_WAIT|TIME_WAIT)'

Production Alert Thresholds

Set monitoring alerts for: CLOSE_WAIT > 100 (application socket leak), TIME_WAIT > 10,000 (may need tuning for high-traffic servers), FIN_WAIT_2 > 50 with long durations (peer application issues). These thresholds depend on your specific workload.

Summary: Four-Way Handshake

The four-way handshake is TCP's solution to the fundamental challenge of reliably closing a bidirectional connection. Let's consolidate the key concepts:

Key Takeaways

•Four segments required — Each direction closes independently, requiring FIN and ACK for each (total: 4 segments)
•Active vs. Passive close — The initiator (active closer) and responder (passive closer) follow different state paths
•State transitions matter — Understanding FIN_WAIT_1/2, CLOSE_WAIT, LAST_ACK, and TIME_WAIT is essential for debugging
•Simultaneous close is handled — TCP's state machine gracefully handles both sides closing at once
•TIME_WAIT is intentional — Only the active closer enters TIME_WAIT, preventing delayed segment confusion
•CLOSE_WAIT requires application action — Accumulation indicates socket leaks in applications

What's Next

Now that we understand the complete four-way handshake flow, the next page examines the FIN and ACK segments in detail—their precise encoding in TCP headers, their role as control signals, and the nuances of their handling by TCP implementations.

Page Complete

You now understand the four-way handshake mechanism in depth—the complete message flow, state transitions, timing considerations, and why TCP requires this deliberate process for reliable connection termination. Next, we'll examine the FIN and ACK control segments in detail.

1 / 1

Loading learning content...

Computer NetworksTCP Protocol

Connection Termination

LevelIntermediate

Duration75 mins

TopicTCP Protocol

1 / 1

Four-Way Handshake

The Art of Saying Goodbye in TCP

What You Will Learn

Understanding Connection Termination

Why is termination different from establishment?

The Bidirectional Nature of TCP

A TCP connection consists of two independent, unidirectional data streams:

Client → Server stream: Data flows from client to server
Server → Client stream: Data flows from server to client

Connection vs. Connection Stream

The Four Segments Explained

The four-way handshake consists of:

FIN from Initiator: "I have finished sending data"
ACK from Receiver: "I acknowledge your finish"
FIN from Receiver: "I have also finished sending data"
ACK from Initiator: "I acknowledge your finish"

Each FIN closes one direction of data flow. Each ACK confirms receipt of that closure. Together, they ensure both parties agree that communication has ended.

The Complete Four-Way Handshake Flow

Let's trace through the four-way handshake step by step, examining the precise sequence of events, the TCP header flags involved, and the state transitions at each endpoint.

Initial State: ESTABLISHED

Both client and server are in the ESTABLISHED state. Data can flow in both directions. Either party can initiate connection termination; for this example, we'll assume the client initiates.

Step 1: Client Sends FIN (Active Close)

The client application calls close() on the socket. The TCP stack responds by:

Setting the FIN (Finish) flag in the TCP header
Including the client's current sequence number
Transitioning to the FIN_WAIT_1 state
The client can no longer send data (but can still receive)

Step 1: Client FIN Segment
Field	Value	Significance
Source Port	Client's ephemeral port	Identifies sending application
Destination Port	Server's service port	Identifies receiving application
Sequence Number	X	Last byte sent + 1 (FIN consumes one sequence number)
Acknowledgment Number	Y	Next expected byte from server
Flags	FIN, ACK	FIN indicates end of data; ACK for previous data
Window Size	Client's receive window	Still relevant for incoming data

Step 2: Server Sends ACK (Passive Close Initiated)

Upon receiving the FIN, the server's TCP stack:

Acknowledges the FIN by adding 1 to the received sequence number
Transitions to the CLOSE_WAIT state
Notifies the server application that the client has finished sending
The server can still send data to the client

Step 2: Server ACK Segment
Field	Value	Significance
Source Port	Server's service port	Response from server
Destination Port	Client's ephemeral port	Directed to client
Sequence Number	Y	Server's current sequence number
Acknowledgment Number	X + 1	Acknowledges client's FIN
Flags	ACK	Acknowledges the FIN segment
Window Size	Server's receive window	Buffer space available

The CLOSE_WAIT State

Client State Transition: FIN_WAIT_1 → FIN_WAIT_2

When the client receives the server's ACK for its FIN:

The client transitions from FIN_WAIT_1 to FIN_WAIT_2
The client's outbound stream is now officially closed
The client waits for the server's FIN

Step 3: Server Sends FIN

When the server application finishes sending data and calls close():

The server's TCP stack sends a FIN segment
Server transitions from CLOSE_WAIT to LAST_ACK
Server waits for final acknowledgment

Step 3: Server FIN Segment
Field	Value	Significance
Source Port	Server's service port	Server closing its stream
Destination Port	Client's ephemeral port	To the initiating client
Sequence Number	Y (or Y + n if data was sent)	Server's final sequence number
Acknowledgment Number	X + 1	Maintains acknowledgment
Flags	FIN, ACK	Server's finish signal
Window Size	Server's receive window	Still included per protocol

Step 4: Client Sends Final ACK

Upon receiving the server's FIN:

Client acknowledges by adding 1 to the server's final sequence number
Client transitions from FIN_WAIT_2 to TIME_WAIT
Client starts the 2MSL timer
After 2MSL expires, client transitions to CLOSED

Step 4: Client Final ACK
Field	Value	Significance
Source Port	Client's ephemeral port	Final response
Destination Port	Server's service port	Completing handshake
Sequence Number	X + 1	Client's sequence (unchanged)
Acknowledgment Number	Y + 1 (or Y + n + 1)	Acknowledges server's FIN
Flags	ACK	Final acknowledgment
Window Size	Client's receive window	Standard header field

Server's Final State: CLOSED

Visualizing the Four-Way Handshake

Converting Mermaid diagram...

Key Observations from the Diagram

Asymmetric Timing: The server can delay its FIN arbitrarily while finishing data transmission. The time between steps 2 and 3 can range from microseconds to minutes.
State Differences: The client goes through FIN_WAIT_1 → FIN_WAIT_2 → TIME_WAIT → CLOSED, while the server goes through CLOSE_WAIT → LAST_ACK → CLOSED.
Who Waits: Only the active closer (initiator) enters TIME_WAIT. The passive closer goes directly to CLOSED after receiving the final ACK.
Sequence Number Consumption: Each FIN consumes exactly one sequence number, which is why acknowledgments increment by 1 even though no data is transmitted.

Why Four Segments Are Necessary

A natural question arises: Why can't we combine the server's ACK and FIN into a single segment, reducing termination to three segments?

The answer lies in the nature of application behavior and the separation between acknowledging reception and being ready to close.

Scenario Analysis

Consider a web server handling an HTTP request:

Client sends request, then wants to close its send stream (FIN)
Server receives the FIN and acknowledges it (ACK) immediately
Server is still processing the request and generating the response
Server continues sending response data
Server finishes sending and closes its stream (FIN)

The Piggybacking Optimization

When 3-Segment Termination Works

•Server has no pending response data
•Application immediately calls close()
•ACK and FIN can be sent together
•Reduces network round trips
•TCP stack optimizes when possible

When 4-Segment Termination Required

•Server still processing/generating data
•Application delays before calling close()
•Half-close semantics utilized
•Streaming responses in progress
•Most real-world scenarios

The Separation of Concerns Principle

TCP's design separates several concerns:

Transport layer acknowledgment (ACK): "I received your segment" — handled by TCP stack
Application layer completion (FIN): "I'm done sending" — controlled by application
Connection state management: Tracking progress through state machine

State Machine Deep Dive

Understanding the TCP state machine is essential for debugging connection issues in production. Let's examine each state involved in connection termination in detail.

FIN_WAIT_1: Initiator Awaiting ACK

When the initiating endpoint sends a FIN:

Transitions to FIN_WAIT_1
Waits for ACK of its FIN
Can still receive data from the peer
Retransmits FIN if no ACK received within RTO
Normal duration: one round-trip time

FIN_WAIT_1 State Details
Attribute	Description
Entry Trigger	Application calls close() or shutdown(SHUT_WR)
Exit to FIN_WAIT_2	Receive ACK for our FIN
Exit to TIME_WAIT	Receive FIN+ACK simultaneously (rare)
Exit to CLOSING	Receive peer's FIN before our ACK
Stuck Symptoms	Peer not responding; possible network partition

FIN_WAIT_2: Initiator Awaiting Peer's FIN

After receiving ACK for its FIN:

Transitions to FIN_WAIT_2
Outbound stream is closed, inbound open
Waiting for peer to close its stream
Can receive data (half-close mode)
No timeout by default (RFC 793)

FIN_WAIT_2 Dangers

CLOSE_WAIT: Passive Closer Awaiting Application Close

When a peer's FIN is received:

TCP acknowledges the FIN automatically
Transitions to CLOSE_WAIT
Application is notified (EOF on read)
Application may continue sending data
Stays here until application calls close()

CLOSE_WAIT State Details
Attribute	Description
Entry Trigger	Receive FIN from peer while in ESTABLISHED
Exit to LAST_ACK	Application calls close(), TCP sends FIN
Duration	Unlimited—until application acts
Monitoring Importance	High; accumulation indicates application bugs
Common Cause of Leaks	Unclosed sockets in server applications

LAST_ACK: Passive Closer Awaiting Final ACK

After sending its FIN:

Transitions to LAST_ACK
Waiting for ACK of its FIN
Will retransmit FIN if ACK not received
Upon receiving ACK, transitions directly to CLOSED

TIME_WAIT: The Final Waiting Period

After sending the final ACK:

Active closer transitions to TIME_WAIT
Waits for 2 × MSL (Maximum Segment Lifetime)
Prevents delayed segment confusion
Can respond to retransmitted FINs
Resources held but connection closed

State Machine Summary

•Active Closer Path: ESTABLISHED → FIN_WAIT_1 → FIN_WAIT_2 → TIME_WAIT → CLOSED
•Passive Closer Path: ESTABLISHED → CLOSE_WAIT → LAST_ACK → CLOSED
•Simultaneous Close Path: ESTABLISHED → FIN_WAIT_1 → CLOSING → TIME_WAIT → CLOSED
•Key Insight: Only the active closer enters TIME_WAIT

Simultaneous Close

What happens when both endpoints decide to close at exactly the same time? TCP handles this gracefully through a mechanism called simultaneous close.

The Scenario

Both applications call close() at roughly the same time
Both endpoints send FIN segments
Both FINs cross in the network
Each endpoint receives the peer's FIN instead of an ACK

The State Transitions

Both endpoints:

Start in ESTABLISHED
Send FIN, enter FIN_WAIT_1
Receive peer's FIN while in FIN_WAIT_1
Send ACK, enter CLOSING (a special state for simultaneous close)
Receive ACK of their FIN
Enter TIME_WAIT
After 2MSL, enter CLOSED

Converting Mermaid diagram...

The CLOSING State

Key Observations

Both Enter TIME_WAIT: Unlike normal close where only the active closer enters TIME_WAIT, simultaneous close puts both endpoints in TIME_WAIT.
Four Segments Total: Despite being simultaneous, the handshake still requires four segments—two FINs and two ACKs.
Rare in Practice: Simultaneous close is uncommon in real applications but TCP must handle it correctly.
Protocol Correctness: This scenario demonstrates TCP's state machine completeness—it handles all possible timing scenarios gracefully.

Implementation Considerations

Understanding the four-way handshake has significant implications for application development and system administration.

Application Patterns

When closing sockets, applications have several options:

Socket Closing Options
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
// Option 1: Standard close - initiates four-way handshake
close(socket_fd);
 
// Option 2: Half-close - close only send direction
shutdown(socket_fd, SHUT_WR);  // Sends FIN, can still receive
// ... receive remaining data from peer ...
close(socket_fd);
 
// Option 3: Shutdown both directions then close
shutdown(socket_fd, SHUT_RDWR);  // Signals both directions
close(socket_fd);
 
// Option 4: Abortive close - sends RST instead of FIN
struct linger so_linger;
so_linger.l_onoff = 1;
so_linger.l_linger = 0;
setsockopt(socket_fd, SOL_SOCKET, SO_LINGER, 
           &so_linger, sizeof(so_linger));
close(socket_fd);  // Sends RST, no four-way handshake

Monitoring Connection States

System administrators should regularly monitor TCP states to detect potential issues:

Monitoring Commands

# View all TCP connections and their states
ss -tan
 
# Count connections by state
ss -s
 
# Watch for CLOSE_WAIT accumulation (indicates app bugs)
ss -tan state close-wait | wc -l
 
# Watch for TIME_WAIT accumulation (high connection churn)
ss -tan state time-wait | wc -l
 
# Detailed connection info including timers
ss -tnoe
 
# Using netstat (older but portable)
netstat -an | grep -E '(State|ESTABLISHED|CLOSE_WAIT|TIME_WAIT)'

Production Alert Thresholds

Summary: Four-Way Handshake

The four-way handshake is TCP's solution to the fundamental challenge of reliably closing a bidirectional connection. Let's consolidate the key concepts:

Key Takeaways

•Four segments required — Each direction closes independently, requiring FIN and ACK for each (total: 4 segments)
•Active vs. Passive close — The initiator (active closer) and responder (passive closer) follow different state paths
•State transitions matter — Understanding FIN_WAIT_1/2, CLOSE_WAIT, LAST_ACK, and TIME_WAIT is essential for debugging
•Simultaneous close is handled — TCP's state machine gracefully handles both sides closing at once
•TIME_WAIT is intentional — Only the active closer enters TIME_WAIT, preventing delayed segment confusion
•CLOSE_WAIT requires application action — Accumulation indicates socket leaks in applications

What's Next

Page Complete

1 / 1