Ask Your Question
0

Web Forwarders frequently failing for some clients and not others

asked 2020-06-04 13:49:10 +0000

dyerseve gravatar image

When the problem exhibits itself, the client gets the common connection timed out from the web browser. I ran a capture focusing on the ip address that the forwarder resolves to and get a tcp handshake with a lot of retransmissions but I'm not seeing anything really jumping out at me to further troubleshoot. Other systems on the network can access the site without problems. I'm suspecting our firewall is monkeying with the packets but the problem seems to come and go and switch which systems are impacted.

capture: https://www.dropbox.com/s/6n5fbkifs3y...

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-06-06 02:39:09 +0000

Spooky gravatar image

Hi,

In the shared PCAP we are not seeing a complete TCP 3-way handshake.

Host 192.168.249.67 keeps trying to get a TCP connection going by sending TCP SYN segment to 184.168.131.241 but there is no SYN/ACK segment captured.

The "forwarder" (184.168.131.241) seems to be sending the TCP SYN/ACK back to host 192.168.249.67 but it is not seen. I base this assumption on seeing TCP RST after a few seconds which tells me that the "forwarder" itself is waiting for the final ACK from the host to complete the 3-way handshake but never gets it and gives up resetting the connection with TCP RST.

There are many reasons for this SYN/ACK to be missing. If there is a firewall then it would be best to capture on the host facing interface AND the "forwarder" (184.168.131.241) at the same time. This will tell you if the firewall is monkeying with the packets. Do keep in mind that there is likely a configuration inside the firewall responsible for this behavior.

Good luck,

Spooky

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-06-04 13:49:10 +0000

Seen: 189 times

Last updated: Jun 06 '20

Related questions

What could make a host to be sending arp asking for the mac address of almost al the hosts in the network

Continuously observing [TCP Previous segment not captured] , Ignored Unknown Record

Parsing back together TCP Packets

TCP Out-of-order by server and not Fast Retransmit

i need an admin to help if i can pm in any way

Help With understanding this file? [closed]

TCP analysis

ACK Byte Size vs. Sender's Window Size

TCP session ended early - missing client ACK?

Server ACK before Client ACK