Overview π₯
This troubleshooting guidance for the Microsoft SQL Server Inspector error:
Connection Timeout Expired
Connectivity test failed. Exception: Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the pre-login handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was - Pre-Login initialization=12345; handshake=12345;\`
This error occurs when the Liongard SQL Server Inspector cannot complete the pre-login handshake with the SQL Server instance during the connectivity test.
This failure happens before authentication, meaning it is almost always related to network reachability, protocol configuration, or SQL listener behavior, not credential issues.
Why This Happens? π€
The connection timeout error occurs when the Inspector establishes a TCP session but does not receive a valid TDS pre-login handshake from the SQL Server within the allowed timeout.
Common root causes include:
Cause | Explanation |
TCP/IP disabled | SQL instance not listening over TCP |
Firewall inspection or blocking | Handshake packets dropped or delayed |
Named instance port resolution failure | SQL Browser / UDP 1434 unreachable |
Network latency or packet loss | Handshake exceeds timeout |
Incorrect hostname/instance | Agent cannot locate correct SQL listener |
TLS interception / deep packet inspection | Breaks TDS pre-login negotiation |
Antivirus / EDR interference | Network client blocked by endpoint protection |
SQL Server under resource pressure | Slow response to handshake |
Common Scenarios π§βπ«
Scenario | Symptoms Observed | Likely Cause |
Works intermittently | Random timeout failures | Network latency / packet loss |
Fails only from Agent | Works locally but not remotely | Firewall / segmentation |
Fails only for named instance | Default works | Browser or UDP 1434 blocked |
Starts failing after hardening | Previously working Inspector | TLS inspection or IPS policy |
Steps to Resolve π¨βπ»
Follow each step in order.
1οΈβ£ Validate TCP/IP Is Enabled
On the SQL Server:
Path | Expected Setting |
SQL Server Configuration Manager β Network Configuration β Protocols | TCP/IP = Enabled |
Restart SQL Server service after changes.
2οΈβ£ Verify SQL Listener Ports
Check SQL TCP/IP configuration:
Setting | Recommendation |
Dynamic Ports | Avoid for production |
Static Port | Strongly recommended |
Confirm port via:
netstat -ano | findstr 1433
3οΈβ£ Test Port Reachability from Agent
From the Liongard Agent host:
Test-NetConnection -ComputerName <hostname> -Port 1433
or
telnet <hostname> 1433
Result | Meaning |
Success | Port reachable |
Failure | Firewall or routing issue |
4οΈβ£ Validate Firewall Configuration
Ensure inbound rules allow SQL traffic:
Component | Required |
Windows Firewall | Allow SQL TCP port |
Network Firewall | Allow between Agent and SQL |
IPS / IDS | Must not block or delay TDS |
5οΈβ£ Validate Hostname and Instance
Configuration Type | What to Enter |
Default instance | Leave instance field blank |
Named instance |
|
Run DNS validation from Agent:
nslookup <hostname>
ping <hostname>
6οΈβ£ Named Instance Resolution Check
If using a named instance:
Requirement | Status |
SQL Server Browser running | β Required |
UDP 1434 allowed | β Required |
Test UDP reachability if available.
7οΈβ£ Verify SQL Server Permissions (New Requirement)
The SQL Server Inspector no longer requires sysadmin privileges.
Minimum recommended permissions:
Permission | Requirement |
VIEW SERVER STATE | β Required |
Additional permissions | May be required for advanced queries (ROAR-4793) |
Missing permissions do not cause timeout errors, but misconfigured security can delay handshakes in hardened environments.
8οΈβ£ Run CCDM Mode (Clear Cache + Debug Mode)
Run the Inspector in CCDM mode to capture full timeout telemetry.
CCDM = Clear Cache + Debug Mode
Use this to capture:
Data Collected | Purpose |
Handshake timestamps | Timing analysis |
Connection retries | Network behavior |
Socket responses | Firewall behavior |
Troubleshooting Flow π
Symptom | Cause | Resolution |
Timeout during handshake | Firewall delay | Step 4οΈβ£ |
Works locally but not remotely | Routing issue | Step 3οΈβ£ |
Fails only with named instance | SQL Browser blocked | Step 6οΈβ£ |
Starts after security rollout | TLS inspection | Step 8οΈβ£ |
Additional Diagnostics π
Command | Purpose |
| Confirm listening state |
| Validate port reachability |
SQL logs | Detect listener failures |
When to Contact Support π¦
Contact Liongard Support only after completing all steps and CCDM run.
Prepare:
Required Details | Purpose |
CCDM debug logs | Handshake timing |
Firewall logs | Packet acceptance |
| Connectivity proof |
SQL port configuration | Listener verification |
Third-Party Links Disclaimer βΌοΈ
We may reference external third-party resources solely as additional guidance.
Liongard does not own, control, or guarantee the accuracy, security, or reliability of third-party sites. Please use them at your own discretion and risk.