Jeff here again. Today's post is about the Windows Firewall and a potential performance problem. When Windows 7, 8, 8.1, 2008 R2, 2012 or 2012 R2 is under very heavy UDP load (20,000+ incoming UDP connections), Windows performance may suffer. Symptoms include very high CPU usage and very slow network throughput. The cause is the Windows Firewall trying to process and remove duplicate UDP connections.

A stack from a profiling tool (XPerf) might look like this.

ws2_32.dll!sendto
mswsock.dll!WSPSendTo
ntdll.dll!ZwDeviceIoControlFile
ntoskrnl.exe!KiSystemServiceCopyEnd
ntoskrnl.exe!NtDeviceIoControlFile
ntoskrnl.exe!IopXxxControlFile
afd.sys!AfdFastIoDeviceControl
afd.sys!AfdFastDatagramSend
tcpip.sys!UdpTlProviderSendMessages
ntoskrnl.exe!KeExpandKernelStackAndCalloutEx
ntoskrnl.exe!KeExpandKernelStackAndCalloutInternal
tcpip.sys!UdpTlProviderSendMessagesCalloutRoutine
tcpip.sys!UdpSendMessages
tcpip.sys!UdpSendMessagesOnPathCreation
tcpip.sys!WfpAleFastUdpInspection
NDIS.SYS!NdisAcquireRWLockRead

To work around this problem we need to enable LocalOnlyMapping.

If you are allowing UDP traffic through the firewall, you should have a rule for it. To enable LocalOnlyMapping for that rule, open an elevated command prompt and run PowerShell.exe. Then run this PowerShell command, substituting the display name of your UDP firewall rule:

Set-NetFirewallRule -DisplayName "[YourUDPRuleName]" -LocalOnlyMapping $true
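The one-liner above assumes you already know which rule carries the high-volume UDP traffic. The script below is an added example, not part of the original post or of any Microsoft tooling: it lists every enabled inbound UDP allow rule with its current LocalOnlyMapping value, and only when run with -Apply changes the single rule you name. The $RuleDisplayName default is a placeholder you replace with your own rule's display name; the script assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and an elevated session.

```powershell
# Added example (not from the original post): audit enabled inbound UDP allow rules
# and, optionally, enable LocalOnlyMapping on exactly one named rule.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later) in an elevated session.
param(
    [string]$RuleDisplayName = '[YourUDPRuleName]',   # placeholder: replace with your rule's display name
    [switch]$Apply                                     # without -Apply the script only reports
)

# Collect inbound, enabled, allow rules whose port filter is UDP.
# Get-NetFirewallPortFilter accepts the rule object on the pipeline.
$udpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'UDP' }

# Report the current LocalOnlyMapping setting of each candidate rule.
$udpRules |
    Select-Object DisplayName, Name, Profile, LocalOnlyMapping |
    Format-Table -AutoSize

if ($Apply) {
    $target = $udpRules | Where-Object DisplayName -eq $RuleDisplayName
    if (-not $target) {
        Write-Warning "No enabled inbound UDP allow rule named '$RuleDisplayName' was found."
        return
    }

    # Scope the change to that one rule. LocalOnlyMapping changes how the firewall
    # keys the rule's UDP traffic, so it should not be applied to every rule on the host.
    $target | Set-NetFirewallRule -LocalOnlyMapping $true

    # Re-read the rule so the result shown is what was actually persisted.
    Get-NetFirewallRule -DisplayName $RuleDisplayName |
        Select-Object DisplayName, LocalOnlyMapping
}
```

Run it once without -Apply to see which rules are candidates and whether LocalOnlyMapping is already set; then run it again with -Apply -RuleDisplayName '<your rule>' for the rule that actually receives the heavy UDP traffic. On Windows 7 and Server 2008 R2 the Set-NetFirewallRule cmdlet is not available, so this script only applies to the Windows 8 / Server 2012 family mentioned in the post.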


/Jeff