Help with a TCP Reset Issue
Hi Guys,
This is my first post on here so please advise if I am leaving anything out, and thank you in advance.
Some background:
We are hosting a Remote Application on a Windows 2012 Server using a Windows 2012 Gateway utilising UDP RDP where possible. We have about 30 customer application servers all using the same Virtual Machine server template with the same Application and Windows Gateway server configuration and all 30 customers share the same proxy server. We use a Cisco ASA 5500-X Firewall - we have approximately 250 concurrent users connected; however, one customer often experiences RDP disconnects affecting all of their office users.
No other customers experience these disconnects so I concluded it must be on their end and asked for them to perform a packet capture on their firewall. They agreed and sent me a pcap showing various 'RST' and 'RST, ACK' originating from my firewall. I checked the TTL value and it's consistent with previous packets so I am certain it did come from my Firewall; however, during the disconnect there are a whole bunch of 'FIN, ACK', 'RST, ACK' and 'RST' coming from mostly my side.
I can then see their Firewall trying to initiate a 'SYN' but my firewall responding with a 'RST, ACK'. From my limited knowledge I checked the Port number it was trying to connect to - '443'. Now I am certain this port was open as all other customers were connected and we had no other customers complain.
There is a large block of constant SYN > RST, ACK until finally my Firewall connects and responds with a SYN, ACK.
When their RDP disconnections occurred, the first noticeable packet is a 'RST, ACK' sent from my Firewall to their Firewall, then a storm of RST, ACK, FIN, ACK and SYNs occurs.
Has anyone seen this before? I am sure you have. What further information do you need from me?
Thanks
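The TTL comparison described in the question above, as an added example that is not part of the original post: it lists every TCP RST in a capture next to the TTL normally seen from the same source, so a reset generated by a different device on the path stands out. It assumes a classic little-endian pcap with Ethernet framing; the addresses, TTLs and sample capture are constructed.

```python
import struct
from collections import Counter, defaultdict

RST = 0x04

def parse_pcap(data):
    """Yield (time, src, ttl, tcp_flags) per Ethernet/IPv4/TCP frame of a little-endian classic pcap."""
    off = 24                                    # skip the global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                            # not IPv4 carrying TCP
        tcp = 14 + (frame[14] & 0x0F) * 4       # IP header length from IHL
        if len(frame) < tcp + 14:
            continue                            # truncated before the flags byte
        yield sec + usec / 1e6, ".".join(map(str, frame[26:30])), frame[22], frame[tcp + 13]

def reset_report(data):
    """For every RST: (time, src, ttl, baseline_ttl, consistent) against that source's usual TTL."""
    pkts = list(parse_pcap(data))
    seen = defaultdict(Counter)
    for _, src, ttl, flags in pkts:
        if not flags & RST:                     # baseline comes from non-RST traffic only
            seen[src][ttl] += 1
    report = []
    for ts, src, ttl, flags in pkts:
        if flags & RST and seen[src]:
            base = seen[src].most_common(1)[0][0]
            report.append((ts, src, ttl, base, ttl == base))
    return report

# --- constructed sample capture (documentation addresses, not from the thread) ---
def _frame(src, dst, ttl, flags):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 0, 0, 0x50, flags, 0, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

SRV, CUST = (192, 0, 2, 1), (198, 51, 100, 7)
SAMPLE = _pcap([_frame(SRV, CUST, 118, 0x10), _frame(SRV, CUST, 118, 0x18),
                _frame(SRV, CUST, 118, 0x14), _frame(CUST, SRV, 128, 0x02),
                _frame(SRV, CUST, 118, 0x14), _frame(SRV, CUST, 64, 0x04)])
```

In the constructed sample the two 'RST, ACK' frames carry the source's usual TTL of 118 and are reported as consistent, while the final RST with TTL 64 is reported as inconsistent.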
Can you provide the packet capture? See https://blog.packet-foo.com/2016/11/t... if you need to sanitize the packets first.
Hi Jasper,
Thanks for the link - I have cleaned up the pcap file but not sure how to trim it down - the disconnect occurred around 15:42:15 - if you scroll down to that time you will begin to see all the interesting packets.
https://drive.google.com/open?id=1nGm...
Just to clarify - this PCAP is from the customer's Firewall on their external Interface.
@FabCan´ms I have converted your answer to a comment. As it is more a comment.
Thank you Christian_R, you can delete it actually as it's a double post now, you can delete this comment too after just to tidy it up, many thanks.