Ask Your Question
0

TCP Retransmissions after [FIN, ACK] same tcp stream

asked 2020-10-12 17:46:10 +0000

fly_agaric gravatar image

Hello Guys,

I have a Problem where the user accesses a web server. You see the data in the web browser growing and growing after like 30 seconds Firefox displays a error message: Error: Connection interrupted After the server sends a [FIN, ACK] in Frame 96116 the server somehow tries to send data after FIN, ACK flag in Frame 96242, 97271, 99425, 102162 and 108154 in the same tcp stream. Can someone tell me whats the reason behind this and is this the problem which I'm facing?

image description

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
0

answered 2020-10-12 18:04:31 +0000

Chuckc gravatar image

updated 2020-10-13 03:57:34 +0000

[FIN, ACK] sending without getting prior [FIN] from counter part

The server didn't receive an ACK to 96116. The retransmissions are requests to ACK the FIN/ACK.
Finally in 117547 the server resets the connection.

In this screenshot a bogus route was added to the server so packets could not get back to the client.
Capture is done on the server side.
After 5 seconds of inactivity (frames 40-41), the server tries to close connection.
The FIN/ACK never gets to client so there is no ACK back to server. Frames 42,43,44 are server asking again.

image description

edit flag offensive delete link more

Comments

Ok the strange thing is that I have 2 capture files one from server and one from client. The 5 TCP Retransmissions shows up on both sides.

fly_agaric gravatar imagefly_agaric ( 2020-10-12 18:19:05 +0000 )edit

That just means the network didn't drop any packets for that period.
You mentioned Firefox - what version?

Chuckc gravatar imageChuckc ( 2020-10-12 18:53:55 +0000 )edit

Firefox 81.0 (32-bit)

fly_agaric gravatar imagefly_agaric ( 2020-10-12 19:27:57 +0000 )edit

Have you tested with a different browser?

Chuckc gravatar imageChuckc ( 2020-10-12 20:12:32 +0000 )edit

yes i have tested with IE11, Chrome and Edge with every browser its the same

fly_agaric gravatar imagefly_agaric ( 2020-10-12 20:27:54 +0000 )edit
0

answered 2020-10-13 10:04:06 +0000

hugo.vanderkooij gravatar image

It seems rather odd. As both system are in different subnets there is something connecting these two networks. This could be a statefull firewall doing things a bit odd. Or a router with ACL's that might be causing this.

Do you see the same issue if you are on a the same network as the webserver?

edit flag offensive delete link more

Comments

yes i moved my client to the server vlan but the issue persists

fly_agaric gravatar imagefly_agaric ( 2020-10-13 16:04:00 +0000 )edit
0

answered 2020-10-13 11:00:40 +0000

SYN-bit gravatar image

In frame 117548, the client responds to the RST in frame 117547. From the ACK (13685090) it can be deducted that the clients TCP stack never saw the FIN packets (with the phantom byte) and therefor the SEQ of the RST is out-of-window (it expects a SEQ of 13685090 instead of 13685091).

You said in a trace on the client the FIN packets are visible. Analysis of the SEQ/ACK numbers on the client side might give insight of what is happening. If the SEQ/ACK numbers are the same on the clientside, then something between the capture point on the client side and the TCP stack is causing the problem.

Are you able to share the client- and serverside packet captures on a public fileshare? If there is sensitive information in there, you can use TraceWrangler to anonimize the capture files.

edit flag offensive delete link more

Comments

I have uploaded the client trace. I issued a ping command -n 1 when the problem happend. For some reason I cannot anonymize the server trace. It was captured with netsh trace start in windows. Download Client Trace

fly_agaric gravatar imagefly_agaric ( 2020-10-13 16:25:28 +0000 )edit

No there is no proxy in between but the AV may be causing the problems. A feature of our AV does interfere with HTTP Traffic. I tried to add the website to the exclude list but it does not have any effect instead disable the av temporary makes the difference.

fly_agaric gravatar imagefly_agaric ( 2020-10-17 19:07:56 +0000 )edit

OK, with the AV disabled it works, then I would say you'll need to file a bug-report to the AV vendor. Glad you were able to find the root-cause!

SYN-bit gravatar imageSYN-bit ( 2020-10-20 08:48:07 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-10-12 17:46:10 +0000

Seen: 4,760 times

Last updated: Oct 17 '20