TCP SYN, SYN ACK followed by RST

asked 2019-11-14 20:32:39 +0000

smbnoob

Hi, I need help figuring out why the client responds with a RST in this case. Packet capture can be accessed at this link: https://egnyte.egnyte.com/dl/H0fTXIoAjW

I have confirmed that it is indeed the client sending a RST. Packet capture on the client end shows that it is sending the RST. It doesn't look like a firewall or some middleman is involved.

Any help will be appreciated. Thank you!


Comments

The capture above was done at the server? Can you upload a capture from the client end?
Have you looked at the SYN-ACK when it reached the client?

Chuckc (2019-11-14 21:31:30 +0000)

Is the client a load-balancer doing health-checks?

SYN-bit (2019-11-14 22:28:44 +0000)

A capture from the client end can be found here: https://egnyte.egnyte.com/dl/0LjT2UQCEl

I have looked at the SYN-ACK. Apart from a source destination mismatch between the SYN and SYN-ACK packet, I did not find anything interesting.

smbnoob (2019-11-18 19:36:35 +0000)

@SYN-bit No, the client is an SMB client.

smbnoob (2019-11-18 19:49:42 +0000)

Something in the middle is changing the TCP MSS from 1460 down to 1380 when it reaches the server.
The server responds with an MSS of 1380, which arrives at the client as 1380.

The MAC address difference looks like the client is sending to a VRRP address and the responses are coming back from an HP MAC address (for one of the interfaces on the default gateway?).

I'm not sure if or which of the above two would be enough for the client to send the RST.

Chuckc (2019-11-18 22:47:05 +0000)
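
An added example, not part of the original thread: a small Python parser that compares the same handshake at both capture points and reports the two differences described in the last comment (an MSS option rewritten in the path, and a SYN-ACK arriving from a different MAC than the one the SYN was sent to). The frames are constructed with placeholder MACs, IPs and ports, not taken from the linked captures; the function names are hypothetical.

```python
import struct

def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet/IPv4/TCP frame; return MACs, TCP flags and the MSS option."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:
        raise ValueError("not TCP")
    tcp = frame[14 + ihl:]
    opts, mss, i = tcp[20:(tcp[12] >> 4) * 4], None, 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = end of option list
        if opts[i] == 1:                           # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                                  # truncated or malformed option
        if opts[i] == 2 and opts[i + 1] == 4:      # kind 2 = MSS, length 4
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "flags": tcp[13], "mss": mss}

def compare_handshake(client_syn, server_syn, client_synack) -> list:
    """Report differences between the SYN at each capture point and the SYN-ACK path."""
    c, s, r = (parse_frame(f) for f in (client_syn, server_syn, client_synack))
    findings = []
    if c["mss"] != s["mss"]:
        findings.append(f"MSS rewritten in path: {c['mss']} -> {s['mss']}")
    if r["src_mac"] != c["dst_mac"]:
        findings.append(f"SYN sent to {c['dst_mac']}, SYN-ACK came from {r['src_mac']}")
    return findings

def build_frame(src_mac, dst_mac, flags, mss) -> bytes:
    """Build a constructed sample frame (checksums zero; IPs and ports are not compared)."""
    eth = bytes.fromhex((dst_mac + src_mac).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 445, 1, 0, 6 << 4, flags, 64240, 0, 0)
    return eth + ip + tcp + struct.pack("!BBH", 2, 4, mss)

# Constructed sample values: placeholder MACs, not taken from the captures.
CLIENT, VRRP, GW_IF, SERVER = ("02:00:00:00:00:aa", "00:00:5e:00:01:01",
                               "02:00:00:00:00:01", "02:00:00:00:00:bb")
client_syn = build_frame(CLIENT, VRRP, 0x02, 1460)      # SYN as it leaves the client
server_syn = build_frame(GW_IF, SERVER, 0x02, 1380)     # same SYN as seen at the server
client_synack = build_frame(GW_IF, CLIENT, 0x12, 1380)  # SYN-ACK as it reaches the client

if __name__ == "__main__":
    for line in compare_handshake(client_syn, server_syn, client_synack):
        print(line)
```

The findings are observations about the path only; as the comment above says, neither difference is established as the reason for the RST.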