Mangled LDAP response
I have a domain-connected client that accesses 2 Windows DCs via a site-to-site VPN. I'm having issues where the client cannot complete LDAP requests to access network shares etc. When I run an LDAP query (via PortQry) from the affected client to one of the DCs and capture it in Wireshark, I get the output below. However, if I direct the query to the other DC on the same remote subnet, it works fine. To further complicate this, if I perform the same query from another client at the same site over the VPN to both DCs, it works fine.
I've tuned/verified the operation of the site-to-site VPN (MTU size etc.), and given that I have a client that works fine to both DCs, I don't believe it's the VPN.
I've checked both the affected client and the DC to ensure neither is using an odd MTU; both are as expected.
I've enabled/disabled both Windows Firewall and 3rd-party AVs on both sides; no change.
Can anyone suggest anything further to look at, or give a full explanation of the output attached?
Frame 642: 385 bytes on wire (3080 bits), 385 bytes captured (3080 bits) on interface \Device\NPF_{AA02D7D0-E0EE-4000-A447-8FB420844136}, id 0
Ethernet II, Src: ZyxelCom_5f:8c:3f (xx:xx:xx:xx:xx:xx), Dst: Dell_11:7e:f9 (xx:xx:xx:xx:xx:xx)
Internet Protocol Version 4, Src: 192.168.xx.xx, Dst: 192.168.xx.xx
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x02 (DSCP: CS0, ECN: ECT(0))
Total Length: 371
Identification: 0x0e26 (3622)
010. .... = Flags: 0x2, Don't fragment
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 124
Protocol: TCP (6)
Header Checksum: 0x3bf7 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.xx.xx
Destination Address: 192.168.xx.xx
Transmission Control Protocol, Src Port: 389, Dst Port: 10265, Seq: 2683, Ack: 74, Len: 331
Source Port: 389
Destination Port: 10265
[Stream index: 3]
[Conversation completeness: Complete, WITH_DATA (47)]
[TCP Segment Len: 331]
Sequence Number: 2683 (relative sequence number)
Sequence Number (raw): 1568904190
[Next Sequence Number: 3014 (relative sequence number)]
Acknowledgment Number: 74 (relative ack number)
Acknowledgment number (raw): 950015891
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
Window: 514
[Calculated window size: 131584]
[Window size scaling factor: 256]
Checksum: 0x92e3 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 639]
[The RTT to ACK the segment was: 0.040845000 seconds]
[iRTT: 0.036853000 seconds]
[TCP Analysis Flags]
[Expert Info (Warning/Sequence): Previous segment(s) not captured (common at capture start)]
[Previous segment(s) not captured (common at capture start)]
[Severity level: Warning]
[Group: Sequence]
TCP payload (331 bytes)
[PDU Size: 48]
[PDU Size: 54]
[PDU Size: 51]
Lightweight Directory Access Protocol
LDAPMessage
BER Error: Wrong field in SEQUENCE: expected class:UNIVERSAL(0) tag:2(INTEGER) but found class:UNIVERSAL(0) tag:17
[Expert Info (Warning/Malformed): BER Error ...
Thanks @grahamb for the reformat. Tried this several times as I was posting but it wouldn't play nicely with me.
FYI, select the required text then hit Ctrl + K
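Added example (not from the thread above, and not Wireshark's or anyone's posted code): a minimal BER/LDAPMessage decoder in Python that shows what a dissector does when the TCP payload it is given starts partway through an LDAP PDU, which is the situation frame 642 is in (relative seq 2683 with the "Previous segment(s) not captured" expert note). The sample stream, two SearchResultEntry PDUs and a SearchResultDone for messageID 7, is constructed for the example; DNs, attribute names and the cut point are assumptions. The exact wording of the BER error depends on which bytes the fragment happens to begin with: here the fragment starts at a `vals SET OF` (universal tag 17) and the mismatch is reported at the LDAPMessage envelope, whereas in the posted capture the SET turned up where the messageID INTEGER was expected. `resync()` then scans forward for the offset at which the rest of the payload decodes as a clean run of LDAPMessages, the same idea Wireshark relies on once it sees a complete PDU boundary.

```python
"""Minimal BER / LDAPMessage decoder (added example with constructed data, not the capture above).
Shows why a dissector handed a TCP payload that starts inside an LDAP PDU reports a BER tag
mismatch (a SET, universal tag 17, where an envelope field is expected) and how to find the
next LDAPMessage boundary in the same payload."""
UNIVERSAL, APPLICATION = 0, 1
INTEGER, SEQUENCE, SET = 2, 16, 17
LDAP_OPS = {0: "bindRequest", 1: "bindResponse", 2: "unbindRequest", 3: "searchRequest",  # RFC 4511
            4: "searchResEntry", 5: "searchResDone", 6: "modifyRequest", 7: "modifyResponse",
            8: "addRequest", 9: "addResponse", 10: "delRequest", 11: "delResponse", 12: "modDNRequest",
            13: "modDNResponse", 14: "compareRequest", 15: "compareResponse", 16: "abandonRequest",
            19: "searchResRef", 23: "extendedReq", 24: "extendedResp", 25: "intermediateResponse"}


class BERError(ValueError):
    pass


def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (cls, constructed, tag, value, end_offset)."""
    if pos + 1 >= len(buf):
        raise BERError("truncated: tag/length")
    first, length, pos = buf[pos], buf[pos + 1], pos + 2
    cls, constructed, tag = first >> 6, bool(first & 0x20), first & 0x1F
    if tag == 0x1F or length == 0x80:
        raise BERError("high-tag-number form / indefinite length are not used by LDAP")
    if length & 0x80:                                   # long-form length: 0x8n + n length bytes
        n = length & 0x7F
        if pos + n > len(buf):
            raise BERError("truncated: length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise BERError(f"truncated: need {length} bytes, have {len(buf) - pos}")
    return cls, constructed, tag, buf[pos:end], end


def expect(buf, pos, cls, tag, where):
    """Read a TLV and insist on its class/tag, worded like Wireshark's BER expert info."""
    c, _, t, value, end = read_tlv(buf, pos)
    if (c, t) != (cls, tag):
        raise BERError(f"Wrong field in {where}: expected class:{cls} tag:{tag} but found class:{c} tag:{t}")
    return value, end


def parse_ldap_message(buf, pos=0):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] ..., controls OPTIONAL }"""
    body, end = expect(buf, pos, UNIVERSAL, SEQUENCE, "LDAPMessage")
    raw_id, p = expect(body, 0, UNIVERSAL, INTEGER, "SEQUENCE")
    message_id = int.from_bytes(raw_id, "big", signed=True)
    cls, _, op, _, _ = read_tlv(body, p)
    if cls != APPLICATION or op not in LDAP_OPS or message_id < 0:
        raise BERError(f"protocolOp: unexpected class:{cls} tag:{op} (messageID {message_id})")
    return {"messageID": message_id, "protocolOp": LDAP_OPS[op], "size": end - pos}, end


def decode_stream(buf, start=0):
    """Decode back-to-back LDAPMessages from a TCP payload, stopping at the first BER error."""
    msgs, pos = [], start
    while pos < len(buf):
        try:
            msg, pos = parse_ldap_message(buf, pos)
        except BERError as e:
            return msgs, str(e)
        msgs.append(msg)
    return msgs, None


def resync(buf):
    """First offset from which the remainder of buf decodes as a clean run of LDAPMessages."""
    for off in range(len(buf)):
        msgs, err = decode_stream(buf, off)
        if msgs and err is None:
            return off, msgs
    return None, []


# BER encoder, used only to build the constructed sample stream.
def tlv(tag_byte, content):
    if len(content) < 0x80:
        return bytes([tag_byte, len(content)]) + content
    nb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag_byte, 0x80 | len(nb)]) + nb + content
def octet_string(s): return tlv(0x04, s.encode())
def integer(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def search_res_entry(message_id, dn, attrs):
    """[APPLICATION 4] SEQUENCE { objectName, attributes SEQUENCE OF SEQUENCE { type, vals SET OF } }"""
    attr_list = b"".join(tlv(0x30, octet_string(name) + tlv(0x31, b"".join(map(octet_string, vals))))
                         for name, vals in attrs)
    return tlv(0x30, integer(message_id) + tlv(0x64, octet_string(dn) + tlv(0x30, attr_list)))

def search_res_done(message_id, result_code=0):
    """[APPLICATION 5] LDAPResult { resultCode ENUMERATED, matchedDN, diagnosticMessage }"""
    return tlv(0x30, integer(message_id) + tlv(0x65, tlv(0x0A, bytes([result_code])) + octet_string("") * 2))

# Constructed sample: two search result entries and the final searchResDone for messageID 7.
SAMPLE_STREAM = (
    search_res_entry(7, "CN=WS01,OU=Workstations,DC=example,DC=local",
                     [("cn", ["WS01"]), ("memberOf", ["CN=Domain Computers,CN=Users,DC=example,DC=local"])])
    + search_res_entry(7, "CN=WS02,OU=Workstations,DC=example,DC=local", [("cn", ["WS02"])])
    + search_res_done(7))
# A "capture" that begins at the vals SET of the first entry's cn attribute, i.e. mid-PDU (assumed cut point).
CUT = SAMPLE_STREAM.index(tlv(0x31, octet_string("WS01")))
FRAGMENT = SAMPLE_STREAM[CUT:]


def demo():
    """Full stream decodes; the mid-PDU fragment fails on a SET (tag 17); resync finds the next PDU."""
    return decode_stream(SAMPLE_STREAM), decode_stream(FRAGMENT), resync(FRAGMENT)
```

Running `demo()` returns three clean messages for the full stream, an empty result plus a "but found class:0 tag:17" error for the fragment, and a resync offset that lands on the second SearchResultEntry. The practical caveat: a BER error on the first LDAPMessage of a segment that also carries "Previous segment(s) not captured" only tells you the decoder was started inside a PDU; it does not by itself say whether the earlier bytes were lost on the VPN or simply not seen by this capture. Capturing on the DC side (or at both VPN endpoints) and comparing TCP sequence numbers for stream 3 is the way to separate those two cases.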