Why TCP RST happens from the server?

asked 2022-12-12 11:07:04 +0000

Arbaoui
1 ●2 ●1

updated 2022-12-13 06:57:40 +0000

11115 ●11 ●317 ●165 https://www.igt.com/

Hello For troubelshouting access to the website https://bac.onec.dz/ I used wirshark to analyze the traffic but I can not understand the problem of reset from server.

87.011281   10.10.104.12    bac.onec.dz TCP 66  0   1   0   128 54558 (54558)   54558 → https(443) [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
87.015826   bac.onec.dz 10.10.104.12    TCP 66  0   1   1   246 https (443) https(443) → 54558 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 WS=1 SACK_PERM=1
87.016027   10.10.104.12    bac.onec.dz TCP 54  1   1   1   128 54558 (54558)   54558 → https(443) [ACK] Seq=1 Ack=1 Win=262656 Len=0
87.017136   10.10.104.12    bac.onec.dz TLSv1.2 571 1   518 1   128 54558 (54558)   Client Hello
87.017887   bac.onec.dz 10.10.104.12    TCP 60  1   1   518 246 https (443) https(443) → 54558 [ACK] Seq=1 Ack=518 Win=26280 Len=0
87.120478   bac.onec.dz 10.10.104.12    TLSv1.2 1514    1   1461    518 246 https (443) Server Hello
87.120478   bac.onec.dz 10.10.104.12    TLSv1.2 629 1461    2036    518 246 https (443) Certificate, Server Key Exchange, Server Hello Done
87.120742   10.10.104.12    bac.onec.dz TCP 54  518 518 2036    128 54558 (54558)   54558 → https(443) [ACK] Seq=518 Ack=2036 Win=262656 Len=0
87.123929   10.10.104.12    bac.onec.dz TLSv1.2 180 518 644 2036    128 54558 (54558)   Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
87.127449   bac.onec.dz 10.10.104.12    TCP 60  2036    2036    644 246 https (443) https(443) → 54558 [ACK] Seq=2036 Ack=644 Win=15243 Len=0
87.129883   bac.onec.dz 10.10.104.12    TLSv1.2 105 2036    2087    644 246 https (443) Change Cipher Spec, Encrypted Handshake Message
87.130521   10.10.104.12    bac.onec.dz TLSv1.2 758 644 1348    2087    128 54558 (54558)   Application Data
87.135745   bac.onec.dz 10.10.104.12    TCP 60  2087    2087    1348    246 https (443) https(443) → 54558 [ACK] Seq=2087 Ack=1348 Win=15947 Len=0
91.134800   bac.onec.dz 10.10.104.12    TCP 60  2087    2087    1348    246 https (443) https(443) → 54558 [RST, ACK] Seq=2087 Ack=1348 Win=0 Len=0

edit retag flag offensive close merge delete

Comments

So the server or something in between, like a firewall (deep inspection), is aborting the communication after the client sends the first request.

It would help if you know what was send by the client. Did you generate the SSLKEYLOGFILE as well to decrypt? See https://wiki.wireshark.org/TLS

André ( 2022-12-12 17:52:07 +0000 )edit

thanks , yes i did and all seems fine

Arbaoui ( 2022-12-13 10:29:52 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2022-12-13 12:54:20 +0000

Arbaoui
1 ●2 ●1

I found it, by making firewall mode proxy inspection . thanks to all

edit flag offensive delete link

add a comment

answered 2022-12-13 09:57:43 +0000

SYN-bit

18528 ●9 ●338 ●255 https://SYN-b.it

The RST was sent pretty much exactly 4 seconds after receiving the request, this looks like a timeout of some sort on the server side. Do you get this RST on a specific page (I just tried opening the homepage myself and did not have any problems).

One thing I do notice (but not related to the RST) is that the site does not supply the Intermediate certificate, which means it won't be trusted by browsers that did not already cache this Intermediate by visiting others sites that use it. If you are the administrator of this site, please add a certificate chain to the server with the Intermediate certificate.

edit flag offensive delete link

Comments

Hi thank you for your reply I just have a problem with this site, and I'm not the website administrator

Arbaoui ( 2022-12-13 10:28:11 +0000 )edit

Any particular URL that you have a problem with? And is the problem persistent (ie do you always have that problem or just occasionally)?

SYN-bit ( 2022-12-13 10:33:33 +0000 )edit

No, I always have that problem from my PC but it works from a smartphone

Arbaoui ( 2022-12-13 10:38:56 +0000 )edit

add a comment