Ask Your Question
0

TCP Reset Cisco 3850

asked 2019-04-04 20:54:02 +0000

cpocket gravatar image

Hello, (I would upload a pic or some files but I need 60 points I guess)

I'm having some communication issues between two PBXs. I setup a couple of laptops and captured at both ends. In going through capture I noticed something interesting. Please confirm if I'm reading this correctly and maybe help me understand what would cause this on the switch.

The source shows it’s coming from 10.181.21.6 which is the phone server on the other side of my WAN which is I believe 4 hops away from 10.182.5.2. When I look at the header it shows TTL 254 see second screenshot. This tells me this packet was only routed once. There’s no way it came from 4 hops away. So if you look at the mac address of the source you will see it’s 70:10:5C:De:75:f7 which is my core 3850 switch on that same subnet. To me the reset was produced by this SVI somehow. Maybe I’m wrong if so please explain how I’m wrong or explain how this is possible? The reverse is also true of the other capture the source of the reset shows it’s the IP of my phone server sitting on the 10.182.5.0 subnet but looking at the reset packet itself the TTL is only 254 again so to me it looks like it’s being generated from the SVI on the 3850 in my Datacenter.

edit retag flag offensive close merge delete

Comments

You can post the capture files on a public share (Google Drive, Drop Box etc.) and then edit your question with a link to the files.

grahamb gravatar imagegrahamb ( 2019-04-04 21:12:15 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2019-04-07 22:33:12 +0000

SYN-bit gravatar image

If the IP TTL of the TCP/RST packet is 254, it is most likely not sent from the SVI of the 3850 switch, as it would have had an IP TTL of 64, 128 or 255. Assuming the packet was sent with a default IP TTL of either 64, 128 or 255, receiving it with an IP TTL of 254 means it was most likely sent by a device one hop upstream from the 3850.

My bet would be that it was a Loadbalancer or a Firewall that had a session timeout and therefor closed the connection to both sides with a TCP/RST.

edit flag offensive delete link more

Comments

Hello, thanks for the response. There is no FW, IPS or loadbalancer in between these two locations. This is all private metro e. Now maybe the provider has something that's causing this which I'm looking into. However, the router for these locations is more than 1 hop away. Due to this I is what leads me to the conclusion about the 3850. Cisco TAC thinks it's a timeout issue or like you said something in between but with such a short TTL my only thought is that switch. I'm by no means a WS expert so is it possible TTL could be incorrect in my capture?

cpocket gravatar imagecpocket ( 2019-04-08 19:15:22 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-04-04 20:54:02 +0000

Seen: 401 times

Last updated: Apr 07 '19

Related questions

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

follow tcp stream dialogue box

How to tell if TCP segment contains a data in Wireshark?

Help to read this trace

Random Flooding of TCP Retransmissions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?

how to create a graph of the number of active tcp connections over time?

how can I graph mysql response time in wireshark

Is it possible that wireshark doesn't recognize protocol?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2