TCP Retransmission after SYN, ACK

asked 2020-12-09 15:57:10 +0000

updated 2020-12-09 17:17:58 +0000

Hello Wireshark Experts,

I have a Problem where the TCP Connection to a Server is interrupted in short times. I see the Syn the Syn,ACK and after Syn, Ack I see a TCP Retransmission of the SYN Flag 2 times and after the 2nd SYN Retransmission I see SYN,ACK Retransmission. After that the TCP Traffic sometimes "flows" again and sometimes it ends with a RST Flag sent from the Client. Sometimes the Client sends the RST Flag after 2 TCP SYN Retransmissions from Client are received and 2 TCP SYN,ACK Retransmissions are sent from the Server.

Here you can see an example capture of the server trace. image description

edited: I think now that the first Syn, Ack Flag never made it to the Client. I see this most of the time during 3 Way Handshake. Can someone explain what could cause this behaviour?

In the middle of some TCP Streams I also see multiple RST,ACKs from the same source IP with different TTL Values. 1st RST,ACK TTL 61 2nd to 9th RST,ACK TTL 126 and last RST,ACK TTL of 125

Where was the capture made - client, server, other?

Chuckc ( 2020-12-09 16:33:28 +0000 )

the capture was made on the server

fly_agaric ( 2020-12-09 16:34:36 +0000 )

Can you provide a capture file for the frames in the picture? Makes it easier than typing in the data for a response.
The additional comment about TTL and the symptoms of the connection - have you ruled out duplicate IP addresses?

Chuckc ( 2020-12-09 17:29:50 +0000 )

Here you can see the anonymized tracefile: Trace File is the Client and is the Server. The Tracefile was captured on the server.

fly_agaric ( 2020-12-09 18:25:38 +0000 )

Can you make a capture at the client?
- The server didn't send any RST packets, did the client receive any?
- Are the RST packets the server is receiving being sent from the client?

Chuckc ( 2020-12-10 02:27:09 +0000 )

1 Answer

answered 2020-12-24 12:13:05 +0000

fly_agaric

A Firmware of the Firewall helped. Since the upgrade everything is working.

Asked: 2020-12-09 15:57:10 +0000

Seen: 237 times

Last updated: Dec 24 '20