1 | initial version |
Do you have some load balancer, VPN gateway, WAN optimizer or other active device in your WAN?
Both traces include a broken connection resulting in a three way handshake.
We see in both traces
Client 10.241.5.133 SYN with MSS = 1460
Server 192.168.5.123 SYN/ACK with MSS = 1338
Since the smaller value is 1338, no TCP segment should hold more than 1338 byte. The client keeps to that limit, but the server is sending packets with a payload of 1380 byte. This suggests, that there is at least one device in the return path that modifies the MSS of the SYN/ACK packet. My guess is that packets are modified in transit in both directions with different values for incoming or outgoing packets.
Certain VPN gateways or DSL routers would modify the segment size in transit. Obviously client and server are working with a different MSS which can lead to all types of trouble.
I would only continue this analysis after both server and client work with the same MSS. This might be a good opportunity to review all other settings of this intermediate device.
Remarkably the server offers an initial receive window of 8192 * 2^8 which results in a 2 GByte buffer. I find this a surprisingly aggressive value that is helpful for "Long Fat Networks" (LFN), like 10 GBit/sec or more for links with very long round trip times (way above 100 msec).
Good luck
Eddi