
TCP RESET in windows server 2016

asked 2021-02-25 13:44:26 +0000

VijayP

updated 2021-02-25 14:51:57 +0000

grahamb

Hi Team, the server is sending TCP resets frequently and I am not sure of the reason. We use Windows Server 2016 + Windows NLB, and it is a vmxnet3 network adapter of VMware. Please find the capture logs from the client machine:

No. Time    Delta   DeltaTCPCon DeltaFrom1stFrame   Source  Destination Protocol    TTL Seq No  Next Seq No ACK No  TCP Len Source Port Dest Port   Identification  Info
27944   2021-02-23 08:05:33.072669  1.188323000 0.000000000 0.000000000 CLIENT  SERVER  TCP 64  0   1   0   0   40656 (40656)   https (443) 0x32c4 (12996)  40656 → https(443) [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1497627054 TSecr=0 WS=128
27945   2021-02-23 08:05:33.073133  0.000464000 0.000464000 0.000464000 SERVER  CLIENT  TCP 128 0   1   1   0   https (443) 40656 (40656)   0x2791 (10129)  https(443) → 40656 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 TSval=1487099916 TSecr=1497627054
27946   2021-02-23 08:05:33.073178  0.000045000 0.000045000 0.000509000 CLIENT  SERVER  TCP 64  1   1   1   0   40656 (40656)   https (443) 0x32c5 (12997)  40656 → https(443) [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1497627054 TSecr=1487099916
27947   2021-02-23 08:05:33.073951  0.000773000 0.000773000 0.001282000 CLIENT  SERVER  TLSv1.2 64  1   208 1   207 40656 (40656)   https (443) 0x32c6 (12998)  Client Hello
27948   2021-02-23 08:05:33.096190  0.022239000 0.022239000 0.023521000 SERVER  CLIENT  TCP 128 1   1449    208 1448    https (443) 40656 (40656)   0x2792 (10130)  https(443) → 40656 [ACK] Seq=1 Ack=208 Win=2108160 Len=1448 TSval=1487099939 TSecr=1497627055 [TCP segment of a reassembled PDU]
27949   2021-02-23 08:05:33.096257  0.000067000 0.000067000 0.023588000 CLIENT  SERVER  TCP 64  208 208 1449    0   40656 (40656)   https (443) 0x32c7 (12999)  40656 → https(443) [ACK] Seq=208 Ack=1449 Win=32128 Len=0 TSval=1497627078 TSecr=1487099939
27950   2021-02-23 08:05:33.096295  0.000038000 0.000038000 0.023626000 SERVER  CLIENT  TCP 128 1449    2897    208 1448    https (443) 40656 (40656)   0x2793 (10131)  https(443) → 40656 [ACK] Seq=1449 Ack=208 Win=2108160 Len=1448 TSval=1487099939 TSecr=1497627055 [TCP segment of a reassembled PDU]
27951   2021-02-23 08:05:33.096306  0.000011000 0.000011000 0.023637000 CLIENT  SERVER  TCP 64  208 208 2897    0   40656 (40656)   https (443) 0x32c8 (13000)  40656 → https(443) [ACK] Seq=208 Ack=2897 Win=35072 Len=0 TSval=1497627078 TSecr=1487099939
27952   2021-02-23 08:05:33.096308  0.000002000 0.000002000 0.023639000 SERVER  CLIENT  TLSv1.2 128 2897    3785    208 888 https (443) 40656 (40656)   0x2794 (10132)  Server Hello, Certificate, Server Key Exchange, Server Hello Done
27953   2021-02-23 08:05:33.096315  0.000007000 0.000007000 0.023646000 CLIENT  SERVER  TCP 64  208 208 3785    0   40656 (40656)   https (443) 0x32c9 (13001)  40656 → https(443) [ACK] Seq=208 Ack=3785 Win=37888 Len=0 TSval=1497627078 TSecr=1487099939
27954   2021-02-23 08:05:33.104173  0.007858000 0.007858000 0.031504000 CLIENT  SERVER  TLSv1.2 ...

Comments

Is it one client or many that have this issue?

Chuckc (2021-02-26 18:25:40 +0000)

Many of the clients have this issue, but it is all intermittent. It doesn't always happen...

There is no packet drop or firewall block at the client and server level, but not sure what happened..

VijayP (2021-02-26 20:24:01 +0000)

It looks good right up until it isn't (server sends RST).
(Makes it through Step 7. in Establishing a Secure Session by Using TLS)
Are you getting schannel events in the Windows logs? Maybe increase the logging.

If you can share a packet capture it makes it easier to peer inside the back and forth of TLS.

Chuckc (2021-02-26 21:21:07 +0000)

Thank you for your inputs.. let me check the above details.

In the TCP RST,ACK packet the Wireshark warning says "group" "sequence".

VijayP (2021-02-27 02:31:32 +0000)

The User's Guide has a section on Expert Info entries.
It's possible to Customize the Wireshark Expert to reduce the severity of RST.

Chuckc (2021-02-27 04:17:50 +0000)

Again thank you for your inputs. It is not about severity; it is all about the client complaining about an abrupt RESET, and I need to get a solid reason for this. Does a reset with window size 0 mostly mean the server cannot accept more requests?

VijayP (2021-02-27 04:33:37 +0000)

The window size in the ACK frame before the RST is Win=2107904, which is plenty of free space.
The zero window on the RST means the server is done with the client - don't send any more data.
Try to find a log message or error code on the server to see why it decided the connection should not proceed.

Chuckc (2021-02-27 04:53:22 +0000)
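An added triage script, not code from this thread, for the symptom discussed above: it reads a tshark field export of the client capture and lists the connections the server closed with RST, the TLS stage each had reached, the time since the SYN, and the last window the server advertised versus the zero window on the RST. Assumed export command (the parser relies on this column order): tshark -r client.pcapng -T fields -E separator='|' -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.reset -e tcp.flags.fin -e tcp.window_size -e tls.handshake.type; SERVER is an assumed placeholder for the NLB address and the sample rows are constructed, not taken from the poster's capture.

```python
# Added example, not code from the thread: triage a tshark '|'-separated field export.
from collections import defaultdict

SERVER = "SERVER"  # assumed placeholder: the NLB address as it appears in ip.src/ip.dst

def flag(v):
    return v in ("1", "True")  # tshark prints booleans as 1/0 or True/False by version

def parse(lines):
    """Group rows by client endpoint; track TLS progress, windows and how each ended."""
    streams = defaultdict(lambda: {"syn": None, "hello": set(), "srv_win": None, "end": None})
    for line in filter(str.strip, lines):
        t, src, sport, dst, dport, syn, rst, fin, win, hs = line.split("|")
        from_server = src == SERVER
        s = streams[(dst, dport) if from_server else (src, sport)]
        if flag(syn) and not from_server:
            s["syn"] = float(t)
        s["hello"].update(int(h) for h in hs.split(",") if h)  # 1=ClientHello, 2=ServerHello
        if from_server and not flag(rst):
            s["srv_win"] = int(win)  # last window the server advertised before any RST
        if flag(rst) or (flag(fin) and s["end"] is None):
            s["end"] = ("RST" if flag(rst) else "FIN", from_server, float(t), int(win))
    return streams

def server_resets(streams):
    """Connections the server reset: when, at which TLS stage, and with what windows."""
    found = []
    for client, s in streams.items():
        end = s["end"]
        if end and end[0] == "RST" and end[1]:
            stage = "after ServerHello" if 2 in s["hello"] else (
                "after ClientHello" if 1 in s["hello"] else "before TLS")
            found.append({"client": client, "tls_stage": stage, "rst_window": end[3],
                          "last_server_window": s["srv_win"],
                          "secs_after_syn": None if s["syn"] is None else round(end[2] - s["syn"], 6)})
    return found

# Constructed sample modelled on the thread's flow: port 40656 is reset right after
# the TLS handshake, port 40700 closes cleanly with FIN for contrast.
SAMPLE = """\
0.000000|CLIENT|40656|SERVER|443|1|0|0|29200|
0.001282|CLIENT|40656|SERVER|443|0|0|0|29312|1
0.023639|SERVER|443|CLIENT|40656|0|0|0|2108160|2,11,12,14
0.031504|CLIENT|40656|SERVER|443|0|0|0|37888|16
0.031900|SERVER|443|CLIENT|40656|0|0|0|2107904|
0.032100|SERVER|443|CLIENT|40656|0|1|0|0|
5.000000|CLIENT|40700|SERVER|443|1|0|0|29200|
5.200000|CLIENT|40700|SERVER|443|0|0|1|30000|
5.200300|SERVER|443|CLIENT|40700|0|0|1|2107904|
"""
```

Run `server_resets(parse(SAMPLE.splitlines()))` to get one hit for port 40656: reset after the ServerHello, last server window 2107904, RST window 0; the FIN-closed connection is not listed.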

Thank you for your answer. I checked application-related issues using the guidelines provided here https://docs.microsoft.com/en-us/.... Also we do not have any firewall in the middle; the only middle man is Windows NLB 2016.

Windows NLB distributes the traffic to two hosts by using single affinity and without extended affinity timeout. Still I am not sure what the real cause of this is, as there are no packet drops in the above mentioned packets.

Also I found nothing useful in the Windows event logs for schannel and Windows NLB (it is already enabled).

VijayP (2021-03-01 13:40:21 +0000)

1 Answer


answered 2021-03-01 12:51:51 +0000

hugo.vanderkooij

RST packets are usually a sign of someone not willing to continue. This could be an application issue.

But Windows NLB can become a real nightmare in some networks and I would try to avoid it at almost any cost.
