Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

On the Linux side, have a look at the value of IP TTL of the packets received from the Windows host. They are probably all the same. Now have a look at the value of the IP TTL of the received RST packet. Is the TTL the same or different? If it is different, there is a big chance that an intermediate device closed the connection. There can be several reasons:

  • The intermediate device is an IPS and saw data that triggered a rule to close the connection
  • The intermediate device is a firewall or loadbalancer that closed the connection due to a session timeout (what is the delta time between the RST and the previous packet in the TCP stream?