
TCP Retransmission after SYN, ACK

asked 2020-12-09 15:57:10 +0000

fly_agaric

updated 2020-12-09 17:17:58 +0000

Hello Wireshark Experts,

I have a problem where the TCP connection to a server is interrupted in short times. I see the SYN, the SYN,ACK, and after the SYN,ACK I see a TCP retransmission of the SYN flag 2 times, and after the 2nd SYN retransmission I see a SYN,ACK retransmission. After that the TCP traffic sometimes "flows" again and sometimes it ends with a RST flag sent from the client. Sometimes the client sends the RST flag after 2 TCP SYN retransmissions from the client are received and 2 TCP SYN,ACK retransmissions are sent from the server.

Here you can see an example capture of the server trace.

edited: I think now that the first SYN,ACK flag never made it to the client. I see this most of the time during the 3-way handshake. Can someone explain what could cause this behaviour?

In the middle of some TCP streams I also see multiple RST,ACKs from the same source IP with different TTL values: 1st RST,ACK TTL 61, 2nd to 9th RST,ACK TTL 126, and last RST,ACK TTL of 125.



Where was the capture made - client, server, other?

Chuckc ( 2020-12-09 16:33:28 +0000 )

the capture was made on the server

fly_agaric ( 2020-12-09 16:34:36 +0000 )

Can you provide a capture file for the frames in the picture? Makes it easier than typing in the data for a response.
The additional comment about TTL and the symptoms of the connection - have you ruled out duplicate IP addresses?

Chuckc ( 2020-12-09 17:29:50 +0000 )

Here you can see the anonymized tracefile: Trace File is the Client and is the Server. The Tracefile was captured on the server.

fly_agaric ( 2020-12-09 18:25:38 +0000 )

Can you make a capture at the client?
- The server didn't send any RST packets, did the client receive any?
- Are the RST packets the server is receiving being sent from the client?

Chuckc ( 2020-12-10 02:27:09 +0000 )

I have uploaded a trace from the server called server and a trace from the switchport where the opposite firewall to external is connected. Tracefiles Switchport Firewall and Server There is a Tracefile called mirror_switchport_anon where " eq 456" exists with matches " eq 308" in Tracefile called server_1090_anon.

According to the initial TTL I guess that there are 3 routers in between server and client. I recorded the packets from our switchport where the VPN firewall/router from the external company is connected. There I can see the 2nd SYN,ACK packet from the TCP stream which I mentioned above. So that means that our network is not at fault, right? If the packet is dropped, it's dropped somewhere near the external company.

fly_agaric ( 2020-12-10 10:34:28 +0000 )

Can you capture on the client?
In mirror_switchport_anon.pcapng, why did client not respond to frame 22208, timeout for 22207 expired then resent the SYN in 22209?

Chuckc ( 2020-12-10 15:30:17 +0000 )

I talked with the guy who manages the other routers in between, and we will try a firmware upgrade first; then, if it still fails, they will capture directly on the client.

fly_agaric ( 2020-12-11 22:28:25 +0000 )

1 Answer


answered 2020-12-24 12:13:05 +0000

fly_agaric

A Firmware of the Firewall helped. Since the upgrade everything is working.


Last updated: Dec 24 '20
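
Added example, not part of the original thread: a small Python check for the TTL observation in the question (RST,ACKs from one source IP arriving with TTL 61, 126 and 125). It infers the sender's initial TTL and hop count for each packet and flags a source whose packets imply more than one initial TTL, which can indicate that more than one device is emitting packets under that address (a duplicate IP, or a middlebox such as a firewall generating resets). The source address `192.0.2.10` and the packet tuples are constructed; the list of common initial TTLs is an assumption about the sending stacks.

```python
from collections import Counter, defaultdict

# Assumption: senders start from one of these widely used initial TTL values.
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_origin(observed_ttl):
    """Return (initial_ttl, hops) using the smallest common initial TTL >= observed."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl


def ttl_report(packets):
    """Summarise inferred origins per source IP.

    packets: iterable of (src_ip, tcp_flags, ttl) tuples as seen at the capture point.
    A single host normally shows one initial TTL; several suggest several IP stacks.
    """
    per_source = defaultdict(Counter)
    for src, _flags, ttl in packets:
        per_source[src][infer_origin(ttl)] += 1

    report = {}
    for src, origins in per_source.items():
        report[src] = {
            "origins": dict(origins),  # {(initial_ttl, hops): packet_count}
            "mixed_initial_ttl": len({init for init, _ in origins}) > 1,
            "mixed_hop_count": len({hops for _, hops in origins}) > 1,
        }
    return report


# Constructed sample mirroring the TTLs quoted in the question:
# 1st RST,ACK TTL 61, 2nd to 9th TTL 126, last TTL 125.
SAMPLE = (
    [("192.0.2.10", "RST,ACK", 61)]
    + [("192.0.2.10", "RST,ACK", 126)] * 8
    + [("192.0.2.10", "RST,ACK", 125)]
)

if __name__ == "__main__":
    for src, info in ttl_report(SAMPLE).items():
        print(src, info)
```

The TTL 61 packet matches the three-router path estimated in the comments (64 minus 3), while the TTL 126 and 125 packets imply an initial TTL of 128, so they are worth comparing against a capture taken on the client itself.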