If the three-way handshake is TCP's greeting, the closing sequence is its farewell—and as in life, saying goodbye properly is just as important as saying hello. TCP cannot simply "hang up" because the network is unreliable and both directions of communication must close independently. The result is a choreographed four-way handshake for graceful termination.

The FIN_WAIT states (FIN_WAIT_1 and FIN_WAIT_2) and the notorious TIME_WAIT state represent the active closer's side of this termination sequence. These states are often misunderstood, sometimes blamed for "too many connections," and occasionally bypassed incorrectly. Understanding them deeply is essential for operating high-connection-rate servers, debugging connection issues, and designing robust network applications.

This page explores the termination sequence from the perspective of the endpoint that initiates the close. We'll examine each state, understand why it exists, learn about the infamous TIME_WAIT delay and why it's actually crucial, and see how improper handling of these states can destabilize systems.

While connection establishment uses a three-way handshake, termination uses a four-way handshake (sometimes called four-segment exchange). This asymmetry exists because TCP connections are full-duplex—each direction must be closed independently.

Why Four Steps?

The three-way handshake works because connection establishment is symmetric—both sides start with nothing and agree to connect together. Termination is different:

• Active closer (initiates close) may have stopped sending but needs to receive remaining data
• Passive closer may still have data to send even after receiving FIN
• Both directions must acknowledge the other's close

This requires four segments: FIN from A, ACK from B, FIN from B, ACK from A.

The Complete Sequence

    Active Closer (A)                       Passive Closer (B)
    ─────────────────                       ──────────────────
    ESTABLISHED                             ESTABLISHED
         │                                       │
   close() called                               │
         │                                       │
         │ ──────── FIN (seq=x) ─────────▶      │
    FIN_WAIT_1                                  │
         │                                       │ Receive FIN
         │                                       │ (can still send)
         │ ◀──────── ACK (ack=x+1) ───────      │
    FIN_WAIT_2                             CLOSE_WAIT
         │                                       │
         │                               (B sends remaining data)
         │                                       │
         │                                  close() called
         │ ◀──────── FIN (seq=y) ─────────      │
         │                                 LAST_ACK
    TIME_WAIT                                   │
         │ ──────── ACK (ack=y+1) ─────────▶    │
         │                                  CLOSED
         │                                       .
    [2MSL wait]                                  .
         │                                       .
     CLOSED                                      .

Key Observations

1. The active closer enters more states (FIN_WAIT_1 → FIN_WAIT_2 → TIME_WAIT → CLOSED)
2. The passive closer enters different states (CLOSE_WAIT → LAST_ACK → CLOSED) — covered in next page
3. TIME_WAIT is only on the active closer — the side that sends the first FIN
4. Both FINs must be acknowledged — reliable delivery even for control segments

The Half-Close Possibility

Between FIN_WAIT_2 and TIME_WAIT, something interesting can happen: the half-close. At this point:

• A has sent FIN ("I'm done sending")
• B has ACKed A's FIN ("I acknowledge you're done")
• B has not sent FIN yet ("But I'm still sending")

This is a legitimate state:

// Application A
shutdown(sockfd, SHUT_WR);  // Send FIN
// Can still receive data from B
while (recv(sockfd, buf, sizeof(buf), 0) > 0) {
    process(buf);
}
close(sockfd);  // After B closes

The connection is "half-closed"—one direction is closed, the other is open. This is useful when:

• Client sends request, closes write side, waits for complete response
• File transfer: sender closes after last byte, receiver closes after processing
• Pipelines: signal end of input, wait for output

The FIN_WAIT states represent the active closer waiting for the connection to fully terminate. Let's examine each in detail.

FIN_WAIT_1: Awaiting FIN Acknowledgment

Entry: Application calls close() or shutdown(SHUT_WR); kernel sends FIN

Waiting for: ACK of our FIN (and possibly peer's FIN)

Exit conditions:

Important characteristics:

• Still can receive data: We've closed write direction, not read
• FIN is retransmitted if not ACKed: Uses standard RTO timer
• Brief state: Usually transitions quickly (one RTT)

FIN_WAIT_1
    │
    ├── Receive ACK ────────────▶ FIN_WAIT_2
    │
    ├── Receive FIN ────────────▶ CLOSING
    │      (send ACK)
    │
    └── Receive FIN+ACK ────────▶ TIME_WAIT
           (send ACK)

FIN_WAIT_2: Awaiting Peer's FIN

Entry: Our FIN has been acknowledged

Waiting for: Peer's FIN (closing the other direction)

Exit condition: Receive FIN → send ACK → transition to TIME_WAIT

The FIN_WAIT_2 Danger:

Unlike FIN_WAIT_1, FIN_WAIT_2 can persist indefinitely if the peer never sends FIN:

• Peer application may still be sending data
• Peer application may be buggy (never calls close())
• Peer may have crashed (kernel never cleans up)

This creates a resource leak. The socket consumes kernel memory forever.

FIN_WAIT_2 Timeout Behavior

Different situations have different timeout behaviors:

Socket attached to process (not closed yet):

• No timeout—waits forever
• Application is responsible for detecting hung connections
• Use SO_RCVTIMEO or select()/poll() with timeout

Socket orphaned (close() called, process detached):

• Uses tcp_fin_timeout (default 60 seconds)
• After timeout, socket is destroyed
• This is kernel protection against leaked sockets

Socket with shutdown() but not close():

• Still attached to process
• No timeout applies
• Application controls the socket's lifetime

TIME_WAIT is simultaneously one of TCP's most important mechanisms and one of the most frequently complained about. Servers accumulate thousands of TIME_WAIT sockets. Developers try to "optimize" it away. Often, these attempts cause more problems than they solve.

Understanding TIME_WAIT means understanding why it exists and when (if ever) it can be safely modified.

Entry to TIME_WAIT

The active closer enters TIME_WAIT after:

1. Receiving the peer's FIN (the second FIN in the four-way handshake)
2. Sending ACK for the peer's FIN

At this point, the connection is logically closed—no more data in either direction. But the socket doesn't immediately disappear.

The 2MSL Timeout

MSL = Maximum Segment Lifetime

The MSL is the maximum time a TCP segment can exist in the network. RFC 793 recommends 2 minutes, but implementations vary:

The TIME_WAIT state lasts exactly 2×MSL before transitioning to CLOSED.

Why TIME_WAIT Exists: Two Critical Purposes

Purpose 1: Reliable Termination

The final ACK in the four-way handshake can be lost. If it is:

Active Closer                     Passive Closer
──────────────                    ──────────────
                                  LAST_ACK
                                      │
    ACK ─────────────▶ [LOST]        │
                                      │
TIME_WAIT                             │ (retransmit FIN)
    │ ◀─────────────── FIN ──────────┘
    │                                 │
    │ ── ACK (retransmit) ──────────▶│
                                  CLOSED

Without TIME_WAIT:

• Final ACK is lost
• Passive closer retransmits FIN
• Active closer's socket is gone, kernel sends RST
• Passive closer sees reset instead of clean close

With TIME_WAIT:

• Final ACK is lost
• Passive closer retransmits FIN
• Active closer still has socket, can retransmit ACK
• Both sides terminate cleanly

Purpose 2: Prevent Old Duplicate Segments

The network may have old packets from this connection still floating around:

Scenario without TIME_WAIT:

1. Connection A:1234 ↔ B:80 closed
2. Packet from old connection still in network (delayed by congestion)
3. New connection uses same ports: A:1234 ↔ B:80
4. Old packet arrives, sequence number happens to be valid
5. Old data accepted as part of new connection → DATA CORRUPTION

With 2MSL TIME_WAIT, any old packets from the previous connection will have expired (TTL → 0) before the same port pair can be reused.

High-traffic servers—especially those making many outbound connections—can accumulate large numbers of TIME_WAIT sockets. Let's understand when this is a problem and what to do about it.

When TIME_WAIT Accumulates

Server closes connections (active closer):

• HTTP/1.0 server closing after each request
• Server timing out idle clients
• Server rejecting connections (RST or close)

Client-like pattern:

• Load balancer/proxy connecting to backends
• Service making many outbound requests
• Connection pool with short-lived connections

The Math:

Connections per second × TIME_WAIT duration = accumulation

• 1,000 connections/sec × 60 seconds = 60,000 TIME_WAIT sockets
• Each TIME_WAIT socket consumes ~300-400 bytes
• 60,000 sockets × 400 bytes ≈ 24 MB

Is It Actually a Problem?

Usually No:

• TIME_WAIT sockets use minimal resources
• Modern systems handle hundreds of thousands easily
• Port space is 65,535 per IP pair, not global

Sometimes Yes:

• Outbound connections to same destination exhaust ephemeral ports
• Very high rate can hit OS file descriptor limits
• Some legacy applications/middleware have hardcoded limits

Legitimate Remedies

1. SO_REUSEADDR (Most Common)

int opt = 1;
setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));

Allows binding to an address already in TIME_WAIT. This is:

• Safe for servers (listening sockets)
• Standard practice for avoiding "Address already in use"
• Does NOT affect client connections

2. tcp_tw_reuse (Linux Only)

sysctl -w net.ipv4.tcp_tw_reuse=1

Allows reusing TIME_WAIT sockets for outbound connections when safe:

• Only if TCP timestamps are enabled (ensures sequence number safety)
• Only for new connections to same remote IP:port
• Safe when enabled (designed for this purpose)

3. Connection Pooling

Reuse established connections instead of opening new ones:

• HTTP keep-alive
• Database connection pools
• Persistent connections to backends

This is the best solution—avoids the problem entirely.

4. Multiple Source IPs

For heavy outbound traffic to single destination:

• Use multiple local IPs
• Binds to different IPs for different connections
• Expands available port space by number of IPs

Dangerous "Remedies" (Avoid)

tcp_tw_recycle (REMOVED from Linux 4.12+)

Former setting that aggressively recycled TIME_WAIT sockets:

• Caused broken connections through NAT
• Removed from kernel as fundamentally unsafe
• If you see advice to enable this: it's outdated

Reducing MSL/TIME_WAIT Duration

Some systems allow this, but:

• Risks data corruption from old duplicates
• Risks failed retransmission of final ACK
• Only consider if you fully understand implications

The CLOSING state is a rare but valid state that occurs during simultaneous close—when both endpoints send FIN at approximately the same time.

How Simultaneous Close Happens

    Host A                      Host B
       │                           │
  close() called             close() called
       │                           │
       │ ──── FIN ─────────────▶  │
  FIN_WAIT_1                       │
       │  ◀───────── FIN ─────────│
       │                      FIN_WAIT_1
       │                           │
   CLOSING                    CLOSING
       │ ──── ACK ─────────────▶  │
       │  ◀───────── ACK ─────────│
       │                           │
  TIME_WAIT                  TIME_WAIT

State Transition Details

In normal close:

• FIN_WAIT_1 → FIN_WAIT_2 (receive ACK)
• FIN_WAIT_2 → TIME_WAIT (receive FIN)

In simultaneous close:

• FIN_WAIT_1 → CLOSING (receive FIN before ACK)
• CLOSING → TIME_WAIT (receive ACK)

Practical Occurrence

Simultaneous close is uncommon because applications usually have asymmetric close patterns:

• Server-initiated close: server detects idle, closes
• Client-initiated close: user leaves, closes
• Error-initiated: one side encounters error, closes

However, it can occur:

• Time-based connection limiting (both sides timeout simultaneously)
• Coordinated shutdown protocols
• Race conditions in communication patterns

The Complete State Machine for Active Close

                            ESTABLISHED
                                 │
                    Application close()
                    Send FIN
                                 │
                                 ▼
                            FIN_WAIT_1
                                 │
              ┌──────────────────┼──────────────────┐
              │                  │                  │
         Rcv ACK            Rcv FIN           Rcv FIN+ACK
              │             Snd ACK            Snd ACK
              │                  │                  │
              ▼                  ▼                  │
         FIN_WAIT_2          CLOSING               │
              │                  │                  │
         Rcv FIN            Rcv ACK                │
         Snd ACK                 │                  │
              │                  │                  │
              └──────────────────┴──────────────────┘
                                 │
                                 ▼
                            TIME_WAIT
                                 │
                            2MSL timeout
                                 │
                                 ▼
                              CLOSED

Every path leads to TIME_WAIT, ensuring the 2MSL protection applies regardless of how termination occurred.

Connection termination issues manifest in various ways. Here's how to diagnose and resolve them.

Monitoring Connection States

# Count connections by state
ss -tan | awk 'NR>1 {print $1}' | sort | uniq -c | sort -rn

# Example output:
#   4523 TIME-WAIT
#    843 ESTABLISHED
#    127 FIN-WAIT-2
#     23 CLOSE-WAIT
#     12 FIN-WAIT-1

# Watch states in real-time
watch -n1 'ss -tan | awk "NR>1 {print \$1}" | sort | uniq -c | sort -rn'

# Find which processes have closing connections
ss -tanp state fin-wait-1
ss -tanp state fin-wait-2

Common Issues and Diagnosis

Issue: Many FIN_WAIT_1 sockets

Symptom: FIN not being ACKed

Possible causes:

• Network issues (packets not reaching peer)
• Peer is overloaded (not responding)
• Firewall dropping FIN packets

Diagnosis:

# Are connections to specific host?
ss -tan state fin-wait-1 | awk '{print $5}' | sort | uniq -c

# Capture traffic to see if FIN is sent and ACK returns
tcpdump -i any 'tcp[tcpflags] & (tcp-fin|tcp-ack) != 0' -nn

Issue: Many FIN_WAIT_2 sockets

Symptom: Peer not sending FIN

Possible causes:

• Peer application not calling close()
• Peer still sending data (legitimate)
• Peer crashed (kernel didn't clean up—rare)
• Buggy peer software

Diagnosis:

# How old are these connections?
ss -tan state fin-wait-2 -o

# Are they orphaned (no process attached)?
# Orphaned FIN_WAIT_2 will timeout after tcp_fin_timeout
lsof -i TCP | grep FIN_WAIT_2

Remedy:

# Lower the orphan timeout
sysctl -w net.ipv4.tcp_fin_timeout=30

We've explored the active closer's journey through connection termination—the states that handle graceful disconnection and protect the network from confusion.

Key Takeaways

What's Next

We've examined termination from the active closer's perspective. But what about the other side—the endpoint that receives the first FIN? That endpoint enters CLOSE_WAIT and LAST_ACK states, and has its own set of characteristics and potential issues. In the final page, we'll complete the picture by examining these states and the CLOSED state that all connections ultimately reach.