TCP is 1 Byte: 0x00

asked 2019-08-05 12:56:49 +0000

genesiusj

Hello. Troubleshooting an issue between our Oracle Exadata server and DataStage client. Apologies, I don't have enough points to upload images. Hopefully, my description will be sufficient.

We have two firewalls. FWS is one hop from the server. FWC is 6 hops from the client. The firewalls are 4 hops from each other. We simultaneously ran Wireshark on each firewall for two separate tests on two different days.

In captures taken from the FWS, after the server has sent x number of records to the client, it sends a PSH,ACK with a 1-byte TCP payload: 0x00. After the client responds with 3 ACKs to the 3 previous data packets, the server sends a TCP Keep-Alive 0.2 secs later. The server continues the Keep-Alives until ~10 minutes later when the client sends a RST.

In the captures taken from the FWC, the same packets are seen as on FWS. However, after the 3 ACKs from the client, the client sends a 4th ACK. Wireshark flags this packet as "TCP ACKed unseen segment". According to Wireshark, "...common at capture start." This is after 58 packets and 0.14 secs of capture with a 3-way handshake in the beginning. On another site this means: “…this packet acknowledges data that wasn't captured. It was transferred okay, and the receiver acknowledges it, but Wireshark can't find the packet in the capture. This usually happens when the capture device wasn't fast enough.” FWS (and FWC) are high-speed firewalls, which handle a large number of concurrent connections every second.

After the client's last ACK, the server and client ping-pong with TCP Dup ACKs, which are not seen on FWS. There are also ACKs to the TCP Keep-Alives from the server. This continues until ~10 minutes later when the client sends a RST.

I believe the client's last ACK (FWC) is not valid because this packet is not seen on FWS. Also, why are there TCP Dups seen on the FWC but not the FWS?

Thanks in advance for any assistance. God bless, Genesius

Then the Exadata server hangs for ~10 minutes (except for TCP Keep-Alives) before the client

Any ideas what this means?
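The question above hinges on what Wireshark's expert heuristics actually test for: "ACKed unseen segment" fires when an ACK number exceeds the highest sequence number the capture has seen from the peer, a keep-alive is a 0- or 1-byte segment sitting one sequence number below the sender's next sequence number, and a dup ACK is a pure ACK repeating the previous (seq, ack) pair. The following is an added example for this thread (not Wireshark's code and not the asker's captures): a simplified re-implementation of those four heuristics in Python, run over two constructed capture points named FWS_CAPTURE and FWC_CAPTURE with relative sequence numbers, plus a multiset diff that lists which segments appear at one capture point but not the other, which is the comparison the asker did by hand. The "ACKed unseen segment" check reports a gap once and then raises its threshold to the acknowledged number, a simplification of the two-counter bookkeeping Wireshark uses.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    no: int        # frame number within its own capture
    src: str       # "server" or "client" (constructed labels)
    seq: int       # relative sequence number
    ack: int       # relative acknowledgment number
    length: int    # TCP payload bytes
    flags: str     # subset of "SAPFR"


def analyze(segments):
    """Return [(frame, finding), ...] for one capture, walked in capture order.

    next_seq[x]: highest seq + consumed bytes seen from sender x (what x should send next).
    ack_threshold[x]: highest ack number the peer may use before we call it "unseen";
    tracks next_seq[x] but is raised to the offending ack once a gap has been reported.
    """
    next_seq = {"server": None, "client": None}
    ack_threshold = {"server": None, "client": None}
    last_seq_ack = {"server": None, "client": None}
    pending_keepalive = {"server": False, "client": False}
    findings = []
    for s in segments:
        peer = "client" if s.src == "server" else "server"
        no_sfr = not (set(s.flags) & set("SFR"))
        consumed = s.length + ("S" in s.flags) + ("F" in s.flags)  # SYN/FIN occupy one seq each

        # ACK beyond anything this capture point saw from the peer: bytes were acked that
        # never passed this probe (lost by the capture, or never routed through it).
        if "A" in s.flags and ack_threshold[peer] is not None and s.ack > ack_threshold[peer]:
            findings.append((s.no, "ACKed unseen segment"))
            ack_threshold[peer] = s.ack  # report each gap once

        # Keep-alive: 0 or 1 byte of data, one sequence number below the sender's next seq.
        if s.length <= 1 and no_sfr and next_seq[s.src] is not None and s.seq == next_seq[s.src] - 1:
            findings.append((s.no, "keep-alive"))
            pending_keepalive[s.src] = True
        else:
            if s.length == 0 and no_sfr:
                if pending_keepalive[peer] and s.ack >= next_seq[peer]:
                    findings.append((s.no, "keep-alive ACK"))
                    pending_keepalive[peer] = False
                elif last_seq_ack[s.src] == (s.seq, s.ack):
                    findings.append((s.no, "dup ACK"))  # same seq/ack as this side's previous segment
            end = s.seq + consumed
            if next_seq[s.src] is None or end > next_seq[s.src]:
                next_seq[s.src] = end
                ack_threshold[s.src] = max(ack_threshold[s.src] or 0, end)
        last_seq_ack[s.src] = (s.seq, s.ack)
    return findings


def only_in_second(capture_a, capture_b):
    """Segments (by src/seq/ack/len/flags) present in capture_b but not capture_a, with counts."""
    key = lambda s: (s.src, s.seq, s.ack, s.length, s.flags)
    return Counter(map(key, capture_b)) - Counter(map(key, capture_a))


def _common_prefix():
    # Constructed stream: three 100-byte records, a 1-byte push, three client ACKs.
    return [
        Segment(1, "server", 1, 1, 100, "PA"),
        Segment(2, "server", 101, 1, 100, "PA"),
        Segment(3, "server", 201, 1, 100, "PA"),
        Segment(4, "server", 301, 1, 1, "PA"),    # the 1-byte payload
        Segment(5, "client", 1, 101, 0, "A"),
        Segment(6, "client", 1, 201, 0, "A"),
        Segment(7, "client", 1, 301, 0, "A"),
    ]


# Constructed view from the probe next to the server: only keep-alives follow.
FWS_CAPTURE = _common_prefix() + [
    Segment(8, "server", 301, 1, 1, "A"),      # seq 301 == next seq 302 - 1: keep-alive
    Segment(9, "server", 301, 1, 1, "A"),      # repeated keep-alive
]

# Constructed view from the probe near the client: an ACK for bytes this probe never saw,
# then keep-alive / keep-alive ACK / dup ACK traffic.
FWC_CAPTURE = _common_prefix() + [
    Segment(8, "client", 1, 1302, 0, "A"),     # acks 1000 bytes not seen here: unseen segment
    Segment(9, "server", 301, 1, 1, "A"),      # keep-alive
    Segment(10, "client", 1, 1302, 0, "A"),    # answers the keep-alive
    Segment(11, "client", 1, 1302, 0, "A"),    # repeats previous seq/ack: dup ACK
    Segment(12, "server", 302, 1, 0, "A"),     # pure ACK from the server
    Segment(13, "server", 302, 1, 0, "A"),     # repeated: dup ACK
]

if __name__ == "__main__":
    for name, cap in (("FWS", FWS_CAPTURE), ("FWC", FWC_CAPTURE)):
        print(name, analyze(cap))
    print("only at FWC:", dict(only_in_second(FWS_CAPTURE, FWC_CAPTURE)))
```

Running this prints the flagged frames per capture point and the segments that exist only in the FWC view; against real traces the same comparison is done by exporting both captures with tshark and feeding the fields into Segment, and a client ACK that appears at FWC with no counterpart at FWS is the concrete evidence that the acknowledged bytes never traversed the server-side probe.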



You may share images and, better yet, PCAP files on public share like Google Drive, Dropbox, etc.

Spooky ( 2019-08-05 22:04:18 +0000 )

Yes, please help us in helping you by providing (anonymized) pcap files on a public file share service.

SYN-bit ( 2019-08-13 06:46:01 +0000 )