First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

tcp rst after get / http

Users trying to reach atnitribes.org but receive a 'connection reset by peer' message from the webfilter. Bypassed the filter and it says 'cant connect'

Looking at wireshark it shows a tcp rst,ack after a GET / HTTP -- ACK. This would lead me to believe that the server is sending back the tcp rst but I am not sure.

This site appears to be accessible from another rout on our network that still uses the same ISP as well as if we use a vpn proxy.

Is there anyway to discern from the trace if this is on my end or the websites end? Thanks, https://imgur.com/kTkEOyw

image description

Tbrown748's avatar
1
Tbrown748
asked 2018-01-09 18:06:24 +0000, updated 2018-01-09 18:07:10 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

From the picture it appears the reset comes from a F5 load balancer after suffering a 4 seconds timeout.

image description

Just a wild guess though ...
Regards Matthias

If your network doesn't have a F5 BIG-IP then is must be somewhere else.
Typically load balancers are sitting close to the server - but anything is possible..
If you look at the ip.ttl of the incoming reset you know (can guess) how far away in number of hops it is.
The (default) initial TTL of a F5 is 255 so if it is lower than 253 it is probably not in your scope ...

mrEEde's avatar
4k
mrEEde
answered 2018-01-09 19:00:43 +0000, updated 2018-01-10 05:40:14 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Right, I thought BIG-IP would be an F5 appliance. We don't even have an F5 on our network so with that it must not be on our end?

Tbrown748's avatar Tbrown748 (2018-01-09 19:03:46 +0000) edit
more
  • delete

If you look at the ip.ttl of the incoming reset you know (can guess) how far away in number of hops it is. The (default) initial TTL of a F5 is 255 so if it is lower than 253 it is probably not in your scope ...

mrEEde's avatar mrEEde (2018-01-10 05:34:31 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer