Is [TCP segment of a reassembled PDU] an issue?
I am seeing a TLS handshake packet [ClientHello] coming in, with the [ACK] going out followed by 4 packets from the server with a len of 2788 (these have the [TCP segment of reassembled PDU] tag) that upstream is being split into 8 packets (also with the [TCP segment of reassembled PDU] tag) of 1424 each followed by a combined TLS handshake packet with [ServerHello, Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone] all in the same packet (len 1295).
In some cases, we are seeing a [FIN,ACK] return from the client instead of the expected [Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, EncryptedHandshakeMessage].
Appreciate any insight that can be offered!
Can you share the PCAP? Also be aware that if you capture on the server you may see larger packets as the NIC will do the repacking.
I recall a bug in the Cisco where a ServerHello of more than 4096 failed in the Cisco Content Switch. But that one was fixed over a dozen years ago. But sometimes a client may not expect a specific feature the Server wants and close the handshake.
But seeing a good and a bad example might shed some light on this.
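Added example, not part of the original posts: a small Python sketch of TLS record reassembly showing why segments that carry only part of a record get the [TCP segment of a reassembled PDU] tag, and why the same flight looks different at two capture points. The record size (12000 bytes) and payload sizes (2740 and 1370 bytes) are constructed values, not taken from the capture discussed here.

```python
import struct

HANDSHAKE = 22  # TLS record content type "handshake"

def build_flight(body_len):
    """Constructed stand-in for a server flight: one TLS 1.2 handshake record."""
    return struct.pack("!BHH", HANDSHAKE, 0x0303, body_len) + bytes(body_len)

def split(stream, size):
    """Cut a byte stream into TCP payloads of at most `size` bytes."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]

def label_segments(segments):
    """For each TCP payload (in order, one direction), list the TLS records
    that complete in it as (content_type, length). An empty list means the
    payload is only part of a record that finishes in a later segment."""
    buf = b""
    labels = []
    for payload in segments:
        buf += payload
        done = []
        # A TLS record is a 5-byte header (type, version, length) plus body.
        while len(buf) >= 5:
            ctype, _version, length = struct.unpack("!BHH", buf[:5])
            if len(buf) < 5 + length:
                break  # record continues in a later segment
            done.append((ctype, length))
            buf = buf[5 + length:]
        labels.append(done)
    return labels

def partial_count(labels):
    """Number of segments in which no record completes."""
    return sum(1 for done in labels if not done)

if __name__ == "__main__":
    flight = build_flight(12000)
    # Same bytes, two segmentations: large payloads as seen before the NIC
    # splits them, and smaller payloads as seen further along the path.
    for name, size in (("server-side view", 2740), ("on-the-wire view", 1370)):
        labels = label_segments(split(flight, size))
        print(name, len(labels), "segments,", partial_count(labels), "partial")
```

Both segmentations join back to the same byte stream, so the number of partial segments depends only on where the capture was taken.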