Spurious retransmits, TCP RST, and duplicate ACK

asked 2020-08-25 18:54:02 +0000

StoleSursum gravatar image

I apologize in advance if this is not the correct forum. We have an issue at a third-party vendor where that issue is only repeatable on their network. I would like to post more information but wanted to make sure this is the proper forum for doing so.

I've been using Wireshark for a while now and it is an invaluable tool. In this scenario, I'm using WireShark, Burp Proxy, and Fiddler 4 to ascertain why we see spurious retransmits and TCP Resets going to one particular external URL.

I have removed all the variables except for one common denominator. For example, to the point of spinning up a vanilla Windows 10 VDI - in a Workgroup (No AD Domain Membership), bypassing the web proxy, and prior to antivirus.

It only happens on the vendor's network. In the WireShark you can see the spurious retransmits, dup ack, and client-side you can see the 404 and 503 errors that are a direct result of packets not returning to the client (VDI).

The vendor themselves can repeat those results and it is only when going to a single website: www.dubaitrade.ae

You would see the HTTP GET's and so forth but then the spurious retransmits, dup ack, and TCP resets. There is a Big IP F5 external LB VIP to dubaitrade.ae. It appears to happen when referring the traffic to cachefly.net and vice versa.

However, only on this network. From any internet connection elsewhere the site works perfectly fine. It is actually contained only to that network and this leads me to believe that something on that specific network is disrupting the traffic.

I've provided the Wiresharks, Fiddler 4, Burp Proxy data and lined it all out from initial HTTP 200 to retransmits, resets, the TCP Flows, and basically handed them everything needed but for 6 weeks they are unable to find the problem on their network.

In the interim, our internal users are having to use dedicated machines and home internet connections but we are dealing with sensitive data. I have 100% of the users in Citrix and two active/active data centers connected by dark fiber.

I'm getting nothing back from the vendor (hosted data center) as to why this only happens on their network.

Every other website on the planet works fine except for this one specific website and it only happens on that network. They own the equipment and network, hypervisor (ESX), and it is leased hardware. We own everything top of the stack such as Windows, Linux, Citrix, et cetera.

I'm not sure what else I can give them to prove it is their problem.

I contemplated cloudshark.io but it is simply too expensive for this one problem. I'm hoping someone can point me in the right direction as to an alternative solution where I can upload the PCAPNG's (while maintaining privacy) or engage others willing to help and look at this issue. It is ... (more)

edit retag flag offensive close merge delete



If the traces contain sensitive information, then uploading them somewhere would not count as "maintainng privacy". You could anonymize the pcapng files before uploading with [Tracewrangler] and then upload them to OneDrive, Dropbox, Google Drive or any other cloud storage that you might have access to.


SYN-bit gravatar imageSYN-bit ( 2020-08-25 20:58:48 +0000 )edit