{RST, ACK} ports 61820 >28130
Hello,
I have a server (pmdvportal) that is attempting to connect every 5 seconds or so to port 28130 on the destination server. The destination server is behind a firewall. We have opened all traffic between the 2.... or so we think we have. According to the tap, I see the below:
Does this look like a possible Firewall issue? Firewall team states all traffic opened, but this tap looks like a Firewall block to an inexperienced Wireshark pup. Any direction would be very helpful!
29 0.087309 10.203.205.210 pmdvportal UDP 54 58970 → ms-wbt-server(3389) Len=12
34 0.404535 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data
35 0.414060 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=52 Win=62965 Len=0
107 1.420160 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data
108 1.429832 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=103 Win=62914 Len=0
152 2.435784 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data
153 2.446383 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=154 Win=62863 Len=0
188 3.451392 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data
189 3.462132 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=205 Win=62812 Len=0
216 4.467042 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data
217 4.477283 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=256 Win=64240 Len=0
241 5.094947 pmdvportal 10.203.205.210 TCP 62 61773 → 28130 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
242 5.094985 10.203.205.210 pmdvportal TCP 62 28130 → 61773 [SYN, ACK, ECN] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
243 5.095196 pmdvportal 10.203.205.210 TCP 60 61773 → 28130 [ACK] Seq=1 Ack=1 Win=64240 Len=0
244 5.095225 pmdvportal 10.203.205.210 TLSv1.2 126 Ignored Unknown Record
245 5.095226 pmdvportal 10.203.205.210 TLSv1.2 75 Ignored Unknown Record
246 5.095236 10.203.205.210 pmdvportal TCP 54 28130 → 61773 [ACK] Seq=1 Ack=94 Win=64240 Len=0
247 5.095436 10.203.205.210 pmdvportal TCP 55 [TCP segment of a reassembled PDU]
248 5.095757 pmdvportal 10.203.205.210 TLSv1.2 230 Client Hello
249 5.097430 10.203.205.210 pmdvportal TLSv1.2 1277 Server Hello, Certificate, Server Key Exchange, Server Hello Done
250 5.098518 pmdvportal 10.203.205.210 TLSv1.2 147 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
251 5.099144 10.203.205.210 pmdvportal TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
252 5.102626 pmdvportal 10.203.205.210 TLSv1.2 84 Application Data
253 5.102685 10.203.205.210 pmdvportal TLSv1.2 84 Application Data
254 5.113036 pmdvportal 10.203.205.210 TCP 1514 61773 → 28130 [ACK] Seq=393 Ack=1306 Win=62935 Len=1460 [TCP segment of a reassembled PDU]
255 5.113057 pmdvportal 10.203.205.210 TLSv1.2 589 Application Data
256 5.113061 10.203.205.210 pmdvportal TCP 54 28130 → 61773 [ACK] Seq=1306 Ack=2388 Win=64240 Len=0
257 5.113451 10.203.205.210 pmdvportal TLSv1.2 408 Application Data
**258 5.119754 pmdvportal 10.203.205.210 TCP 60 61773 → 28130 [RST, ACK] Seq=2388 Ack=1660 Win=0 Len=0**
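One way to read a summary like the one above mechanically, as an added example that is not part of the original post: find every reset and report which side sent it, whether the three-way handshake had completed, and how many bytes had moved. It assumes Wireshark's default summary columns and relative sequence numbers; the function names are hypothetical, and frames 900 and 901 are constructed for contrast.

```python
import re

# Assumed line shape: No. Time Source Destination Protocol Length Info
HEAD = re.compile(r"(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+"
                  r"(\S+)\s+→\s+(\S+)\s+\[([A-Z, ]+)\]")

# Frames 241-258 are taken from the post; 900-901 are constructed.
CAPTURE = """\
241 5.094947 pmdvportal 10.203.205.210 TCP 62 61773 → 28130 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
242 5.094985 10.203.205.210 pmdvportal TCP 62 28130 → 61773 [SYN, ACK, ECN] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
243 5.095196 pmdvportal 10.203.205.210 TCP 60 61773 → 28130 [ACK] Seq=1 Ack=1 Win=64240 Len=0
249 5.097430 10.203.205.210 pmdvportal TLSv1.2 1277 Server Hello, Certificate, Server Key Exchange, Server Hello Done
**258 5.119754 pmdvportal 10.203.205.210 TCP 60 61773 → 28130 [RST, ACK] Seq=2388 Ack=1660 Win=0 Len=0**
900 9.000000 hostA hostB TCP 62 50000 → 28130 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
901 9.000100 hostB hostA TCP 54 28130 → 50000 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
"""

def parse(line):
    m = HEAD.match(line.strip().strip("*"))
    if not m:
        return None  # TLS/UDP summary lines show no ports or flags
    no, _time, src, dst, sport, dport, flags = m.groups()
    nums = {k: int(v) for k, v in re.findall(r"\b(Seq|Ack)=(\d+)", line)}
    return {"no": int(no), "src": (src, sport), "dst": (dst, dport),
            "flags": {f.strip() for f in flags.split(",")}, **nums}

def resets(text):
    flows, found = {}, []
    for p in filter(None, map(parse, text.splitlines())):
        f = flows.setdefault(frozenset([p["src"], p["dst"]]),
                             {"client": None, "synack": False, "established": False})
        fl = p["flags"]
        if "SYN" in fl and "ACK" not in fl:
            f["client"] = p["src"]          # the side that opened the connection
        elif "SYN" in fl:
            f["synack"] = True
        elif "RST" in fl:
            if f["client"] is None:
                sender = "unknown"          # SYN was not in the capture
            else:
                sender = "client" if p["src"] == f["client"] else "server"
            found.append({"frame": p["no"], "sender": sender,
                          "established": f["established"],
                          # Relative numbering: SYN is sequence 0, data starts at 1
                          "bytes_sent": p["Seq"] - 1,
                          "bytes_acked": p.get("Ack", 1) - 1})
        elif "ACK" in fl and f["synack"] and p["src"] == f["client"]:
            f["established"] = True         # final ACK of the handshake
    return found
```

For frame 258 this reports a reset sent by the connecting side after the handshake completed, with 2387 bytes sent and 1659 acknowledged; the constructed frame 901 shows the contrasting case of a reset answering a bare SYN.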