There is a gap of 220 bytes in the sequence numbers in frames 770 and 1074. There are no packets in the RX trace of the PaloAlto for this TCP session between frames 770 and 1074. This indicates that the client has sent a 220-byte TCP segment that did not arrive at the PaloAlto. If this was random packet loss, the retransmission of this packet would have been seen at the PaloAlto.
As the RST comes after a while, my guess would be that the packet from the client with sequence number 4082 and TCP segment length 220 is retransmitted a couple of times but systematically dropped somewhere between the client and the PaloAlto. Then the client sends the RST as it is not receiving an ACK to any of the retransmissions and so it thinks the connection is lost. Is there an intrusion prevention system in place between the client and the PaloAlto?
One other note, the packets from the client are routed over the standby router of the HSRP cluster with cluster IP address 10.5.226.254. Is this asymmetrical path by design or might there be something wrong with the routing?
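The gap check the answer above performs by hand (next expected sequence number = seq + segment length of the last data frame; a later data frame starting beyond that marks a hole; a retransmission that later lands inside the hole means random loss, no such retransmission means the bytes never reached the capture point) can be automated over one direction of a stream. The script below is an added example, not code from the answerer or from the original thread; the frame list in it is constructed to mirror the situation described (a 220-byte hole between frames 770 and 1074 followed by a reset), not taken from the actual capture, and the relative sequence numbers, frame numbers and segment lengths are assumptions for illustration.

```python
"""Flag sequence-number gaps in one direction of a TCP stream and say whether
the missing bytes were ever retransmitted into the capture point.

Added example; the sample frames are constructed and are not from the capture
discussed in the thread.
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    frame: int          # frame number in the capture
    seq: int            # relative TCP sequence number of the first payload byte
    length: int         # TCP payload length in bytes (0 for pure ACKs)
    rst: bool = False   # True when the RST flag is set


@dataclass
class Gap:
    after_frame: int                # last data frame seen before the hole
    before_frame: int               # first data frame seen after the hole
    start: int                      # first missing sequence number
    end: int                        # one past the last missing sequence number
    filled_by: list = field(default_factory=list)  # frames that retransmitted into the hole

    @property
    def size(self) -> int:
        return self.end - self.start


def find_gaps(segments):
    """Walk the segments of ONE direction in capture order.

    Returns (gaps, reset_seen). A gap is opened when a data segment starts past
    the byte we expected next; a later segment that overlaps a recorded hole is
    counted as a retransmission filling it.
    """
    ordered = sorted(segments, key=lambda s: s.frame)
    gaps, expected, last_data_frame, reset_seen = [], None, None, False
    for s in ordered:
        if s.rst:
            reset_seen = True
        if s.length == 0:
            continue  # pure ACKs carry no data and say nothing about the byte stream
        if expected is None:
            expected = s.seq  # first data segment anchors the expected counter
        seg_end = s.seq + s.length
        if s.seq > expected:
            gaps.append(Gap(last_data_frame, s.frame, expected, s.seq))
        elif s.seq < expected:
            # retransmission or out-of-order data: does it land in a known hole?
            for g in gaps:
                if s.seq < g.end and seg_end > g.start:
                    g.filled_by.append(s.frame)
        expected = max(expected, seg_end)
        last_data_frame = s.frame
    return gaps, reset_seen


def diagnose(segments):
    """Summarise each hole with the verdict the answer above reasons out by hand."""
    gaps, reset_seen = find_gaps(segments)
    report = []
    for g in gaps:
        if g.filled_by:
            verdict = "random loss (hole filled by retransmission in frame(s) %s)" % g.filled_by
        else:
            verdict = "systematic drop (no retransmission of the missing bytes reached the capture point)"
        report.append({"after_frame": g.after_frame, "before_frame": g.before_frame,
                       "missing_start": g.start, "missing_end": g.end,
                       "missing_bytes": g.size, "verdict": verdict})
    return {"gaps": report, "reset_seen": reset_seen}


# Constructed client->firewall frames: frame 770 ends at relative seq 4082, the
# next data frame starts at 4302, nothing ever fills the 220-byte hole, then RST.
CLIENT_TO_FIREWALL = [
    Segment(frame=770, seq=3800, length=282),
    Segment(frame=850, seq=4082, length=0),          # pure ACK, ignored
    Segment(frame=1074, seq=4302, length=100),
    Segment(frame=1200, seq=4402, length=0, rst=True),
]

# Constructed contrast case: a hole that IS later filled by a retransmission.
RANDOM_LOSS_CASE = [
    Segment(frame=10, seq=0, length=100),
    Segment(frame=11, seq=200, length=100),          # 100..200 missing so far
    Segment(frame=12, seq=100, length=100),          # retransmission fills it
]

if __name__ == "__main__":
    for name, frames in (("client->firewall", CLIENT_TO_FIREWALL), ("random loss", RANDOM_LOSS_CASE)):
        result = diagnose(frames)
        print(name, "reset seen:", result["reset_seen"])
        for g in result["gaps"]:
            print("  frames %s..%s: %d bytes missing [%d, %d) -> %s" % (
                g["after_frame"], g["before_frame"], g["missing_bytes"],
                g["missing_start"], g["missing_end"], g["verdict"]))
```

To run this on a real capture, filter one direction of the stream and export the columns the dataclass needs, for example `tshark -r capture.pcap -Y "tcp.stream == N && ip.src == CLIENT_IP" -T fields -e frame.number -e tcp.seq -e tcp.len -e tcp.flags` (relative sequence numbers are tshark's default), then build `Segment` objects from the rows; the `rst` flag is derived from the exported TCP flags. A hole with an empty `filled_by` that is followed by a reset is exactly the pattern the answer points to: the missing bytes, and any retransmissions of them, were dropped before the capture point.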