TCP SYN, SYN ACK followed by RST
Hi, I need help figuring out why the client responds with a RST in this case. Packet capture can be accessed at this link: https://egnyte.egnyte.com/dl/H0fTXIoAjW
I have confirmed that it is indeed the client sending a RST. Packet capture on the client end shows that it is sending the RST. It doesn't look like a firewall or some middleman is involved.
Any help will be appreciated. Thank you!
The capture above was done at the server? Can you upload a capture from the client end?
Have you looked at the SYN-ACK when it reached the client?
Is the client a load-balancer doing health-checks?
A capture from the client end can be found here: https://egnyte.egnyte.com/dl/0LjT2UQCEl
I have looked at the SYN-ACK. Apart from a source destination mismatch between the SYN and SYN-ACK packet, I did not find anything interesting.
@SYN-bit No the client is an smb client.
Something in the middle is changing the TCP MSS from 1460 down to 1380 when it reaches the server.
The server responds with a MSS of 1380 which arrives at the client as 1380.
The MAC address difference looks like the client is sending to a VRRP address and the responses are coming back from a HP MAC address (for one of the interfaces on the default gateway?).
I'm not sure if or which of the above two would be enough for the client to send the RST.