MSTSC to RDP gateway, 'short lived' streams observed

asked 2022-08-16 23:59:01 +0000

ajaznawaz

updated 2022-08-17 14:58:53 +0000

First. I have a capture file yet to be wrangled and uploaded here.

Second. Remote user is attempting to RDP to AzureVM as follows:

User(Laptop) ------ Internet VPN --------AzureFW--------AzureLB-----------RDPgateway-----------AzureVM

On some occasions user is unable to RDP to AzureVM, simply fails to connect.

Upon observing captures taken from source host (i.e. user laptop), I have noticed an array of TCP streams as follows:

  1. syn
  2. syn-ack
  3. ack
  4. fin-ack
  5. ack
  6. fin-ack
  7. ack


On each occasion the penultimate packet (fin-ack) is sent after 10-12 sec from VM side. The first fin-ack listed at point 4 above is client side, or client initiated. No data is transferred by either side.

I am struggling to understand why the first fin-ack followed by ack is not sufficient in terms of tearing down the connection and associated socket. There are some 19 streams in the cap file where the conversation between this pair ends in the same way, a bit like a dead marriage with simply no future...

I am also struggling to understand why there are so many short-lived sessions here occurring between this particular pair with no exchange of data, seems rather inefficient use of resource!



Link to wrangled capture file added herewith:!ApSvUszXYued31u3u...

ajaznawaz ( 2022-08-17 15:45:27 +0000 )
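
One way to tabulate the pattern described in the question across every stream in a capture, as an added example that is not part of the original post. Each direction of a TCP connection is closed by its own FIN, so the script records the first FIN per side, the gap between them, and the payload byte count. It assumes the capture was exported as CSV with the tshark fields `tcp.stream`, `frame.time_relative`, `ip.src`, `tcp.flags` and `tcp.len`; the sample rows and addresses are constructed.

```python
import csv
import io
from collections import defaultdict

FIN, SYN, ACK = 0x01, 0x02, 0x10

# Constructed sample rows: tcp.stream, frame.time_relative, ip.src, tcp.flags, tcp.len
# (placeholder addresses; stream 0 mirrors the 7-packet sequence in the question).
SAMPLE = """\
0,0.000,10.0.0.5,0x0002,0
0,0.030,10.1.0.4,0x0012,0
0,0.031,10.0.0.5,0x0010,0
0,0.040,10.0.0.5,0x0011,0
0,0.070,10.1.0.4,0x0010,0
0,11.200,10.1.0.4,0x0011,0
0,11.201,10.0.0.5,0x0010,0
1,20.000,10.0.0.5,0x0002,0
1,20.030,10.1.0.4,0x0012,0
1,20.031,10.0.0.5,0x0018,120
1,20.900,10.1.0.4,0x0011,0
"""

def summarize(text):
    """Per stream: payload bytes, which side sent the first FIN, FIN-to-FIN delay."""
    streams = defaultdict(lambda: {"client": None, "bytes": 0, "fins": {}})
    for sid, ts, src, flags, length in csv.reader(io.StringIO(text)):
        s, f = streams[int(sid)], int(flags, 16)
        if f & SYN and not f & ACK and s["client"] is None:
            s["client"] = src                      # bare SYN marks the initiator
        s["bytes"] += int(length)
        if f & FIN:
            s["fins"].setdefault(src, float(ts))   # keep the first FIN per direction
    out = {}
    for sid, s in streams.items():
        fins = sorted(s["fins"].items(), key=lambda kv: kv[1])
        side = None
        if fins:
            side = "client" if fins[0][0] == s["client"] else "server"
        delay = round(fins[1][1] - fins[0][1], 3) if len(fins) == 2 else None
        out[sid] = {
            "payload_bytes": s["bytes"],
            "first_fin": side,
            "peer_fin_delay": delay,   # seconds the other side waited before its own FIN
            # the pattern from the question: no data at all and the client closes first
            "empty_client_close": s["bytes"] == 0 and side == "client",
        }
    return out

if __name__ == "__main__":
    for sid, row in summarize(SAMPLE).items():
        print(sid, row)
```
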