SYN, ACK Failing for one client

asked 2018-07-12 15:00:33 +0000

I have a mail server, 192.168.1.1 behind a NAT with the external address of 100.60.60.10. I send mail to a number of clients, and with most of them it works fine and a packet capture on the firewall looks like this:

1   0.000000    192.168.1.1     140.160.150.90  TCP 76  49970→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635951574 TSecr=0 WS=128
2   0.000183    100.60.60.10    140.160.150.90  TCP 76  49970→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635951574 TSecr=0 WS=128
3   0.030467    140.160.150.90  100.60.60.10    TCP 76  25→49970 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 TSval=2682612338 TSecr=635951574 SACK_PERM=1
4   0.030548    140.160.150.90  192.168.1.1 TCP 76  25→49970 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 TSval=2682612338 TSecr=635951574 SACK_PERM=1

I have one client, however, where the handshake fails. I never get the fourth step where the SYN, ACK gets to my mail server's internal IP, instead I get a retransmission:

1   0.000000    192.168.1.1     200.150.150.100 TCP 76  47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635968811 TSecr=0 WS=128
2   0.000194    100.60.60.10    200.150.150.100 TCP 76  47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635968811 TSecr=0 WS=128
3   0.053761    200.150.150.100 100.60.60.10    TCP 76  25→47014 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=64 SACK_PERM=1 TSval=774073979 TSecr=635968811
4   3.004628    192.168.1.1     200.150.150.100 TCP 76  [TCP Retransmission] 47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635971816 TSecr=0 WS=128

The only difference I can see between the two is that the Win value is much higher in the one which fails, and there is a WS=64 entry which is not present in the successful handshake. Does this indicate that his mail server is sending something which my firewall can't deal with? Any help is much appreciated!

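The two captures above differ in where the handshake stops: in the working case the SYN-ACK is seen twice on the firewall (once addressed to the public address, once already translated to the internal host), while in the failing case it is seen only once, at the public address, and the mail server then retransmits its SYN. The following triage helper is an added example and not part of the original post; it parses Wireshark-style summary lines of the kind shown in the question (the capture text is pasted in as constructed sample input), groups SYN/SYN-ACK packets by the mail server's source port, and reports at which NAT stage each handshake stalls. The addresses 192.168.1.1 and 100.60.60.10 are taken from the question; the stage names are the example's own. A verdict of "syn_ack_not_forwarded" means the peer answered and the firewall received the answer, so the drop is a local policy decision (such as the blocklist rule the poster later found) rather than anything in the peer's TCP options.

```python
import re
from dataclasses import dataclass

INTERNAL_HOST = "192.168.1.1"   # mail server's private address (from the question)
EXTERNAL_ADDR = "100.60.60.10"  # firewall's NAT address (from the question)

# Constructed sample input: the two captures from the question, pasted verbatim.
CAPTURE = """\
1   0.000000    192.168.1.1     140.160.150.90  TCP 76  49970→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635951574 TSecr=0 WS=128
2   0.000183    100.60.60.10    140.160.150.90  TCP 76  49970→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635951574 TSecr=0 WS=128
3   0.030467    140.160.150.90  100.60.60.10    TCP 76  25→49970 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 TSval=2682612338 TSecr=635951574 SACK_PERM=1
4   0.030548    140.160.150.90  192.168.1.1 TCP 76  25→49970 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 TSval=2682612338 TSecr=635951574 SACK_PERM=1
1   0.000000    192.168.1.1     200.150.150.100 TCP 76  47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635968811 TSecr=0 WS=128
2   0.000194    100.60.60.10    200.150.150.100 TCP 76  47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635968811 TSecr=0 WS=128
3   0.053761    200.150.150.100 100.60.60.10    TCP 76  25→47014 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=64 SACK_PERM=1 TSval=774073979 TSecr=635968811
4   3.004628    192.168.1.1     200.150.150.100 TCP 76  [TCP Retransmission] 47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635971816 TSecr=0 WS=128
"""

# Matches "<no> <time> <src> <dst> TCP <len> [TCP Retransmission] <sport>→<dport> [<flags>] ..."
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<retrans>\[TCP Retransmission\]\s+)?(?P<sport>\d+)→(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)


@dataclass
class Handshake:
    """What the firewall saw for one outbound connection attempt."""
    client_port: int
    peer: str = ""
    syn_from_internal: bool = False   # SYN seen with the private source address
    syn_translated: bool = False      # same SYN seen after NAT with the public address
    synack_at_external: bool = False  # peer's SYN-ACK arrived addressed to the public address
    synack_to_internal: bool = False  # SYN-ACK seen again after reverse translation
    syn_retransmits: int = 0


def parse_capture(text):
    """Group SYN / SYN-ACK packets by the mail server's source port."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",")}
        src, dst = m["src"], m["dst"]
        outbound = src in (INTERNAL_HOST, EXTERNAL_ADDR)
        # The mail server's port is the source port outbound, destination port inbound.
        port = int(m["sport"] if outbound else m["dport"])
        hs = flows.setdefault(port, Handshake(port))
        if flags == {"SYN"} and outbound:
            hs.peer = dst
            if m["retrans"]:
                hs.syn_retransmits += 1
            elif src == INTERNAL_HOST:
                hs.syn_from_internal = True
            elif src == EXTERNAL_ADDR:
                hs.syn_translated = True
        elif flags == {"SYN", "ACK"} and not outbound:
            if dst == EXTERNAL_ADDR:
                hs.synack_at_external = True
            elif dst == INTERNAL_HOST:
                hs.synack_to_internal = True
    return flows


def diagnose(hs):
    """Name the first NAT stage at which the handshake stopped."""
    if hs.synack_to_internal:
        return "ok"                       # SYN-ACK reached the private host
    if hs.synack_at_external:
        return "syn_ack_not_forwarded"    # peer answered; firewall dropped the reply locally
    if hs.syn_translated:
        return "no_syn_ack_from_peer"     # SYN left the firewall; remote side or path is silent
    if hs.syn_from_internal:
        return "syn_not_translated"       # SYN never left through NAT
    return "unknown"


if __name__ == "__main__":
    for port, hs in sorted(parse_capture(CAPTURE).items()):
        print(f"port {port} -> {hs.peer}: {diagnose(hs)} "
              f"(SYN retransmits={hs.syn_retransmits})")
```

Run against the question's two captures, the script reports port 49970 as "ok" and port 47014 as "syn_ack_not_forwarded" with one SYN retransmission. The window size and the WS=64 option on the failing SYN-ACK are not consulted at all; they are legitimate option values and play no part in the verdict, which is exactly why the next place to look is the firewall's own rules rather than the peer's TCP stack.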
1 Answer

answered 2018-07-12 18:19:32 +0000

Resolved: There was no problem which the packets would indicate; there was a blocklist with a rule which was dropping all traffic from the remote host.

Stats

Seen: 48 times

Last updated: Jul 12