 | 1 | initial version |
I stumbled on this old question because I was searching evidence that Meraki has a default TTL of 250. It seems to be the case...
Regarding your question:
As a follow-up question, is it normal that only the first packet has a TTL of 63 and all the others have a TTL of 64 if there is a router is the middle? I was expecting to see a TTL of 63 on all the packets.
Yes, normally you would indeed see all packets that are routed over one hop decrease the TTL, so in your packet captures, you would see a TTL of 63 for packets coming in from the other side of the Meraki router. But apparently, the Meraki works a bit differently, and it also does not seem to like the TCP seqments with sequence numbers starting with 48502, as these frames are forwarded to the server as a RST packet (look at the sequence numbers) while at the client these packets are answered with a RST.
The final RST is an actual RST of the client, after it received an ACK, after the connection was already reset.
Based on the timings in the pcap files, I assume the packet captures were made on the client (Mac) and the server (VMware VM)? And were you ever able to find the reason for why the Meraki router killed large file transfers?
