Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

I totally agree with @packet_vlad's analysis. Traffic towards seems to be looping (L3) and forking. This causes each IP packet to to reach mutiple times (with descending TTL's). This causes DSACK messages from telling that it received the same segment multiple times.

From your descriptions and the trace file I understand the following:

  • There is one HP ML30-gen9 server with two NICs (and an ILO-NIC)
  • NIC1 has mac HP_f8:d4:d1 and IP address
  • NIC2 has mac HP_f8:d4:d0 and IP address
  • Both NICs and IP's belong to the same bare-metal Win2016 server, which also runs Hyper-V
  • There is a VM running in Hyper-V with the IP address running WSUS

What is strange is that the ICMP TTL exceeded has source IP address, yet, it has the MAC address of and also has a TTL of 127. Other packets from have a TTL of 128. So the ICMP TTL exceeded packet from was routed over I don't have any Hyper-V experience, but this is something that needs to looked in to.

Also, since there are 2 NIC's connected to the switch in the same VLAN, those NIC's should either be teaming (with or without LACP) on both the HP as well as on the switch. Or they should be put in Active/Standby configuration in which the host (win2016) should take care that only one interface is active. This does not seem to be the case in your situation, as I see traffic coming from both MAC-addresses.