Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

I totally agree with @packet_vlad's analysis. Traffic towards 192.168.10.5 seems to be looping (L3) and forking. This causes each IP packet to 192.168.10.5 to reach 192.168.10.5 mutiple times (with descending TTL's). This causes DSACK messages from 192.168.10.5 telling 192.168.10.100 that it received the same segment multiple times.

From your descriptions and the trace file I understand the following:

  • There is one HP ML30-gen9 server with two NICs (and an ILO-NIC)
  • NIC1 has mac HP_f8:d4:d1 and IP address 192.168.10.6
  • NIC2 has mac HP_f8:d4:d0 and IP address 192.168.10.7
  • Both NICs and IP's belong to the same bare-metal Win2016 server, which also runs Hyper-V
  • There is a VM running in Hyper-V with the IP address 192.168.10.5 running WSUS

What is strange is that the ICMP TTL exceeded has source IP address 192.168.10.6, yet, it has the MAC address of 192.168.10.7 and also has a TTL of 127. Other packets from 192.168.10.6 have a TTL of 128. So the ICMP TTL exceeded packet from 192.168.10.6 was routed over 192.168.10.7 I don't have any Hyper-V experience, but this is something that needs to looked in to.

Also, since there are 2 NIC's connected to the switch in the same VLAN, those NIC's should either be teaming (with or without LACP) on both the HP as well as on the switch. Or they should be put in Active/Standby configuration in which the host (win2016) should take care that only one interface is active. This does not seem to be the case in your situation, as I see traffic coming from both MAC-addresses.