
TCP RESET in Windows Server 2016


Hi Team, the server is sending TCP resets frequently and I am not sure of the reason. We use Windows Server 2016 + Windows NLB, and it is a vmnet3 network adapter of VMware. Please find the capture logs from the client machine.

No. Time    Delta   DeltaTCPCon DeltaFrom1stFrame   Source  Destination Protocol    TTL Seq No  Next Seq No ACK No  TCP Len Source Port Dest Port   Identification  Info
27944   2021-02-23 08:05:33.072669  1.188323000 0.000000000 0.000000000 CLIENT  SERVER  TCP 64  0   1   0   0   40656 (40656)   https (443) 0x32c4 (12996)  40656 → https(443) [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1497627054 TSecr=0 WS=128
27945   2021-02-23 08:05:33.073133  0.000464000 0.000464000 0.000464000 SERVER  CLIENT  TCP 128 0   1   1   0   https (443) 40656 (40656)   0x2791 (10129)  https(443) → 40656 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1487099916 TSecr=1497627054
27946   2021-02-23 08:05:33.073178  0.000045000 0.000045000 0.000509000 CLIENT  SERVER  TCP 64  1   1   1   0   40656 (40656)   https (443) 0x32c5 (12997)  40656 → https(443) [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1497627054 TSecr=1487099916
27947   2021-02-23 08:05:33.073951  0.000773000 0.000773000 0.001282000 CLIENT  SERVER  TLSv1.2 64  1   208 1   207 40656 (40656)   https (443) 0x32c6 (12998)  Client Hello
27948   2021-02-23 08:05:33.096190  0.022239000 0.022239000 0.023521000 SERVER  CLIENT  TCP 128 1   1449    208 1448    https (443) 40656 (40656)   0x2792 (10130)  https(443) → 40656 [ACK] Seq=1 Ack=208 Win=2108160 Len=1448 TSval=1487099939 TSecr=1497627055 [TCP segment of a reassembled PDU]
27949   2021-02-23 08:05:33.096257  0.000067000 0.000067000 0.023588000 CLIENT  SERVER  TCP 64  208 208 1449    0   40656 (40656)   https (443) 0x32c7 (12999)  40656 → https(443) [ACK] Seq=208 Ack=1449 Win=32128 Len=0 TSval=1497627078 TSecr=1487099939
27950   2021-02-23 08:05:33.096295  0.000038000 0.000038000 0.023626000 SERVER  CLIENT  TCP 128 1449    2897    208 1448    https (443) 40656 (40656)   0x2793 (10131)  https(443) → 40656 [ACK] Seq=1449 Ack=208 Win=2108160 Len=1448 TSval=1487099939 TSecr=1497627055 [TCP segment of a reassembled PDU]
27951   2021-02-23 08:05:33.096306  0.000011000 0.000011000 0.023637000 CLIENT  SERVER  TCP 64  208 208 2897    0   40656 (40656)   https (443) 0x32c8 (13000)  40656 → https(443) [ACK] Seq=208 Ack=2897 Win=35072 Len=0 TSval=1497627078 TSecr=1487099939
27952   2021-02-23 08:05:33.096308  0.000002000 0.000002000 0.023639000 SERVER  CLIENT  TLSv1.2 128 2897    3785    208 888 https (443) 40656 (40656)   0x2794 (10132)  Server Hello, Certificate, Server Key Exchange, Server Hello Done
27953   2021-02-23 08:05:33.096315  0.000007000 0.000007000 0.023646000 CLIENT  SERVER  TCP 64  208 208 3785    0   40656 (40656)   https (443) 0x32c9 (13001)  40656 → https(443) [ACK] Seq=208 Ack=3785 Win=37888 Len=0 TSval=1497627078 TSecr=1487099939
27954   2021-02-23 08:05:33.104173  0.007858000 0.007858000 0.031504000 CLIENT  SERVER  TLSv1.2 ...
VijayP
asked 2021-02-25 13:44:26 +0000
grahamb
updated 2021-02-25 14:51:57 +0000

Comments

Is it one client or many that have this issue?

Chuckc (2021-02-26 18:25:40 +0000)

Many of the clients have this issue, but it is intermittent for all of them. It doesn't always happen...

There is no packet drop or firewall block at the client and server level, but I am not sure what happened.

VijayP (2021-02-26 20:24:01 +0000)

It looks good right up till it isn't (server sends RST).
(Makes it through Step 7. in Establishing a Secure Session by Using TLS)
Are you getting schannel events in the Windows logs? Maybe increase the logging.

If you can share a packet capture it makes it easier to peer inside the back and forth of TLS.

Chuckc (2021-02-26 21:21:07 +0000)

Thank you for your inputs. Let me check the above details.

In the TCP RST,ACK packet, the Wireshark warning says "group" "sequence".

VijayP (2021-02-27 02:31:32 +0000)

The User's Guide has a section on Expert Info entries.
It's possible to Customize the Wireshark Expert to reduce the severity of RST.

Chuckc (2021-02-27 04:17:50 +0000)

1 Answer


RST packets are usually a sign of someone not willing to continue. This could be an application issue.

But Windows NLB can become a real nightmare in some networks and I would try to avoid it at almost any cost.

hugo.vanderkooij
answered 2021-03-01 12:51:51 +0000

Comments

Thank you for your answer. I checked application-related issues using the guidelines provided here: https://docs.microsoft.com/en-us/.... Also, we do not have any firewall in the middle. The only middle man is Windows NLB 2016.

Windows NLB distributes the traffic to two hosts by using single affinity and without an extended affinity timeout. I am still not sure what the real cause of this is, as there are no packet drops in the above-mentioned packets.

Also, I found nothing useful in the Windows event logs for schannel and Windows NLB (it is already enabled).

VijayP (2021-03-01 13:36:18 +0000)
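
The triage discussed in this thread (which side sends the RST, and how far the TLS handshake got before it) can be scripted over a field export of the capture. The following is an added example, not part of the original thread; it assumes a tab-separated export whose column headers are the Wireshark field names shown and a server listening on port 443, and the sample rows and addresses are constructed.

```python
import csv
import io

# TLS handshake message types as they appear in the tls.handshake.type field.
HANDSHAKE_NAMES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate",
                   12: "Server Key Exchange", 14: "Server Hello Done",
                   16: "Client Key Exchange", 20: "Finished"}

COLUMNS = ("frame.number", "tcp.stream", "ip.src", "tcp.srcport",
           "tcp.flags.reset", "tls.handshake.type")

# Constructed sample (not the poster's capture): three connections to port 443.
# Several handshake messages in one frame are comma-joined, hence the tab separator.
SAMPLE_ROWS = [
    ("1", "0", "192.0.2.5", "40656", "0", ""),               # SYN
    ("2", "0", "192.0.2.10", "443", "0", ""),                # SYN, ACK
    ("3", "0", "192.0.2.5", "40656", "0", "1"),              # Client Hello
    ("4", "0", "192.0.2.10", "443", "0", "2,11,12,14"),      # Server Hello ... Done
    ("5", "0", "192.0.2.5", "40656", "0", "16"),             # Client Key Exchange
    ("6", "0", "192.0.2.10", "443", "1", ""),                # RST from server
    ("7", "1", "192.0.2.6", "40702", "0", "1"),
    ("8", "1", "192.0.2.10", "443", "0", "2,11,12,14"),      # no reset on stream 1
    ("9", "2", "192.0.2.7", "40710", "0", ""),               # SYN
    ("10", "2", "192.0.2.7", "40710", "True", ""),           # RST from client
]
SAMPLE = "\n".join("\t".join(r) for r in (COLUMNS,) + tuple(SAMPLE_ROWS))

def find_resets(tsv_text, server_port=443):
    """Return one record per RST: who sent it and the last handshake message before it."""
    last_handshake = {}  # tcp.stream -> (side, message name)
    resets = []
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        stream = int(row["tcp.stream"])
        side = "server" if int(row["tcp.srcport"]) == server_port else "client"
        types = [int(t) for t in row["tls.handshake.type"].split(",") if t]
        if types:
            name = HANDSHAKE_NAMES.get(types[-1], f"type {types[-1]}")
            last_handshake[stream] = (side, name)
        # Accept both 1/0 and True/False spellings of the boolean flag.
        if row["tcp.flags.reset"].strip().lower() in ("1", "true"):
            hs_side, hs_name = last_handshake.get(stream, (None, None))
            resets.append({"stream": stream, "frame": int(row["frame.number"]),
                           "rst_from": side, "source": row["ip.src"],
                           "last_handshake": hs_name, "last_handshake_from": hs_side})
    return resets

if __name__ == "__main__":
    for r in find_resets(SAMPLE):
        print(r)
```

Grouping the returned records by `rst_from` and `last_handshake` shows whether the resets cluster at one handshake stage or one server address, which narrows where to look in the server-side logs.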
