First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

TCP Retransmission after SYN, ACK

  • retag add tags

Hello Wireshark Experts,

I have a Problem where the TCP Connection to a Server is interrupted in short times. I see the Syn the Syn,ACK and after Syn, Ack I see a TCP Retransmission of the SYN Flag 2 times and after the 2nd SYN Retransmission I see SYN,ACK Retransmission. After that the TCP Traffic sometimes "flows" again and sometimes it ends with a RST Flag sent from the Client. Sometimes the Client sends the RST Flag after 2 TCP SYN Retransmissions from Client are received and 2 TCP SYN,ACK Retransmissions are sent from the Server.

Here you can see an example capture of the server trace. image description

edited: I think now that the first Syn, Ack Flag never made it to the Client. I see this most of the time during 3 Way Handshake. Can someone explain what could cause this behaviour?

In the middle of some TCP Streams I also see multiple RST,ACKs from the same source IP 192.168.0.1 with different TTL Values. 1st RST,ACK TTL 61 2nd to 9th RST,ACK TTL 126 and last RST,ACK TTL of 125

fly_agaric's avatar
1
fly_agaric
asked 2020-12-09 15:57:10 +0000, updated 2020-12-09 17:17:58 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Where was the capture made - client, server, other?

Chuckc's avatar Chuckc (2020-12-09 16:33:28 +0000) edit
more
  • delete

the capture was made on the server

fly_agaric's avatar fly_agaric (2020-12-09 16:34:36 +0000) edit
more
  • delete

Can you provide a capture file for the frames in the picture? Makes it easier than typing in the data for a response.
The additional comment about TTL and the symptoms of the connection - have you ruled out duplicate IP addresses?

Chuckc's avatar Chuckc (2020-12-09 17:29:50 +0000) edit
more
  • delete

Here you can see the anonymized tracefile: Trace File 192.168.0.10 is the Client and 192.168.10.56 is the Server. The Tracefile was captured on the server.

fly_agaric's avatar fly_agaric (2020-12-09 18:25:38 +0000) edit
more
  • delete

Can you make a capture at the client?
- The server didn't send any RST packets, did the client receive any?
- Are the RST packets the server is receiving being sent from the client?

Chuckc's avatar Chuckc (2020-12-10 02:27:09 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

A Firmware of the Firewall helped. Since the upgrade everything is working.

fly_agaric's avatar
1
fly_agaric
answered 2020-12-24 12:13:05 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer