
Advice on consistent TCP Retransmissions

Hello. I have a microservice running in AWS ECS (Docker) which is querying an Active Directory LDAP server over an AWS PrivateLink in another AWS account.

Recently I was looking at the traffic between the microservice and the LDAP server to understand some problems the microservice was reporting. Since then we have addressed the original problem with the microservice trying to use connections that had been torn down already. While capturing packets to address the original problem, I noticed that every single connection from the microservice to the LDAP server resulted in some TCP Retransmissions and TCP Duplicate ACKs.

While I am under the hood, so to speak, I want to get to the bottom of this problem ... if in fact it is one. I have attached a redacted screenshot of a few connections from the microservice to the LDAP server. The players here are:

- 172.17.0.4 - microservice (running in a Docker container)
- 10.52.37.72 - eth0 on the EC2 instance that the Docker container is running on. 172.17.0.4 is on a bridge interface of 10.52.37.72.
- 10.52.37.24 - the IP we use to communicate with the LDAP server. The LDAP server is on the other side of 10.52.37.24 and it's controlled by a different org in my company.

What I'm not sure about is whether a problem actually exists, or whether Wireshark makes me think a problem exists because I am capturing the packets on the EC2 instance and those packets are going through 2 interfaces on the host. Does Wireshark see the traffic from the Docker bridge interface over the actual eth0 interface as duplicates and retransmissions?

If this packet capture does represent an actual problem, I'm not sure where to go next. From some reading up on this it seems that the fact that the IP identification is the same and the packet TTL is decrementing would indicate a routing problem of some sort. Anyhoo, I was hoping someone could tell me if this looks like an actual problem or not. The application in question is still suffering from some problems, but based on what I am seeing on the wire I think the problems are related to the logic in the application and it not handling valid LDAP failures gracefully. Previously a true problem did exist that I could see on the wire, but now I'm not sure if the current state of things has anything to do with the network itself.

TIA. G.


G. The supporting image is here: https://pasteboard.co/IUp2bof.png
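A way to settle the two-interface question from the capture fields themselves, added here as an example (not code from the original post or from Wireshark): it classifies every repeated TCP segment as either one datagram captured twice on its way from docker0 to eth0 or a genuine retransmission. The sample records are constructed; their field names mirror what `tshark -T fields -e ip.id -e ip.ttl -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.len` would export, and the 5 ms forwarding threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample records (not from the capture in the post). First pair: one SYN
# from the container seen on docker0 and then on eth0: same IP ID, TTL one lower,
# microseconds apart. Second pair: a real retransmission of that segment ~1 s later,
# carrying a fresh IP ID, again seen on both interfaces.
PACKETS = [
    {"iface": "docker0", "t": 0.000010, "ip_id": 0x1A2B, "ttl": 64, "sport": 51000, "dport": 389, "seq": 1000, "ack": 0, "len": 0},
    {"iface": "eth0",    "t": 0.000025, "ip_id": 0x1A2B, "ttl": 63, "sport": 51000, "dport": 389, "seq": 1000, "ack": 0, "len": 0},
    {"iface": "docker0", "t": 1.000100, "ip_id": 0x1A2C, "ttl": 64, "sport": 51000, "dport": 389, "seq": 1000, "ack": 0, "len": 0},
    {"iface": "eth0",    "t": 1.000115, "ip_id": 0x1A2C, "ttl": 63, "sport": 51000, "dport": 389, "seq": 1000, "ack": 0, "len": 0},
]

# Host-internal forwarding between docker0 and eth0 takes microseconds; any TCP
# retransmission timeout is orders of magnitude larger (assumed threshold).
MAX_FORWARD_DELAY = 0.005

def classify(packets):
    """Return (packet, verdict) for each packet that repeats an earlier TCP segment.

    The key is the TCP segment identity only: Docker's MASQUERADE rule rewrites the
    container's source address on eth0, so IP addresses are left out. The verdict
    ignores the interface name too (with "tshark -i any" all frames share one). A
    forwarded copy keeps the sender's IP ID and loses exactly one TTL hop; a real
    retransmission is a new datagram, so it carries a new IP ID and the same TTL.
    """
    seen = defaultdict(list)
    findings = []
    for p in sorted(packets, key=lambda x: x["t"]):
        key = (p["sport"], p["dport"], p["seq"], p["ack"], p["len"])
        earlier = seen[key]
        if earlier:
            last = earlier[-1]
            forwarded_copy = (
                p["ip_id"] == last["ip_id"]
                and last["ttl"] - p["ttl"] == 1
                and p["t"] - last["t"] <= MAX_FORWARD_DELAY
            )
            findings.append((p, "same-datagram-two-interfaces" if forwarded_copy else "retransmission"))
        earlier.append(p)
    return findings

def summarize(packets):
    """Count verdicts; zero genuine retransmissions means the wire itself is clean."""
    counts = defaultdict(int)
    for _, verdict in classify(packets):
        counts[verdict] += 1
    return dict(counts)
```

If the summary shows only "same-datagram-two-interfaces" verdicts, the flags came from the capture vantage point rather than the network; capturing on eth0 alone removes the docker0 copies and Wireshark's analysis will agree.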