{RST, ACK} ports 61820 >28130

Hello,

I have a server (pmdvportal) that is attempting to connect every 5 seconds or so to port 28130 on the destination server. The destination server is behind a firewall. We have opened all traffic between the 2.... or so we think we have. According to the tap, I see the below:

Does this look like a possible Firewall issue? Firewall team states all traffic opened, but this tap looks like a Firewall block to an inexperienced Wireshark pup. Any direction would be very helpful!

29 0.087309 10.203.205.210 pmdvportal UDP 54 58970 → ms-wbt-server(3389) Len=12

34 0.404535 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data

35 0.414060 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=52 Win=62965 Len=0

107 1.420160 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data

108 1.429832 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=103 Win=62914 Len=0

152 2.435784 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data

153 2.446383 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=154 Win=62863 Len=0

188 3.451392 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data

189 3.462132 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=205 Win=62812 Len=0

216 4.467042 pmdvportal 10.203.205.210 TLSv1.2 105 Application Data

217 4.477283 10.203.205.210 pmdvportal TCP 54 49744 → ms-wbt-server(3389) [ACK] Seq=1 Ack=256 Win=64240 Len=0

241 5.094947 pmdvportal 10.203.205.210 TCP 62 61773 → 28130 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

242 5.094985 10.203.205.210 pmdvportal TCP 62 28130 → 61773 [SYN, ACK, ECN] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1

243 5.095196 pmdvportal 10.203.205.210 TCP 60 61773 → 28130 [ACK] Seq=1 Ack=1 Win=64240 Len=0

244 5.095225 pmdvportal 10.203.205.210 TLSv1.2 126 Ignored Unknown Record

245 5.095226 pmdvportal 10.203.205.210 TLSv1.2 75 Ignored Unknown Record

246 5.095236 10.203.205.210 pmdvportal TCP 54 28130 → 61773 [ACK] Seq=1 Ack=94 Win=64240 Len=0

247 5.095436 10.203.205.210 pmdvportal TCP 55 [TCP segment of a reassembled PDU]

248 5.095757 pmdvportal 10.203.205.210 TLSv1.2 230 Client Hello

249 5.097430 10.203.205.210 pmdvportal TLSv1.2 1277 Server Hello, Certificate, Server Key Exchange, Server Hello Done

250 5.098518 pmdvportal 10.203.205.210 TLSv1.2 147 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message

251 5.099144 10.203.205.210 pmdvportal TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message

252 5.102626 pmdvportal 10.203.205.210 TLSv1.2 84 Application Data

253 5.102685 10.203.205.210 pmdvportal TLSv1.2 84 Application Data

254 5.113036 pmdvportal 10.203.205.210 TCP 1514 61773 → 28130 [ACK] Seq=393 Ack=1306 Win=62935 Len=1460 [TCP segment of a reassembled PDU]

255 5.113057 pmdvportal 10.203.205.210 TLSv1.2 589 Application Data

256 5.113061 10.203.205.210 pmdvportal TCP 54 28130 → 61773 [ACK] Seq=1306 Ack=2388 Win=64240 Len=0

257 5.113451 10.203.205.210 pmdvportal TLSv1.2 408 Application Data

258 5.119754 pmdvportal 10.203.205.210 TCP 60 61773 → 28130 [RST, ACK] Seq=2388 Ack=1660 Win=0 Len=0
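
One way to read the port 28130 conversation above mechanically, added here as an example and not part of the original post: it parses Wireshark packet-list lines and reports whether the TCP handshake completed, which TLS records followed, and which address the RST was sourced from at the tap. The sample is constructed from packets 241 to 258 of the capture; the function name `summarize` and its output keys are assumptions, and because TLS rows show no ports in this view they are attributed to the conversation by time window only.

```python
import re

# Constructed sample: packet-list lines copied from the capture in the post.
CAPTURE = """\
241 5.094947 pmdvportal 10.203.205.210 TCP 62 61773 → 28130 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
242 5.094985 10.203.205.210 pmdvportal TCP 62 28130 → 61773 [SYN, ACK, ECN] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1
243 5.095196 pmdvportal 10.203.205.210 TCP 60 61773 → 28130 [ACK] Seq=1 Ack=1 Win=64240 Len=0
248 5.095757 pmdvportal 10.203.205.210 TLSv1.2 230 Client Hello
249 5.097430 10.203.205.210 pmdvportal TLSv1.2 1277 Server Hello, Certificate, Server Key Exchange, Server Hello Done
255 5.113057 pmdvportal 10.203.205.210 TLSv1.2 589 Application Data
257 5.113451 10.203.205.210 pmdvportal TLSv1.2 408 Application Data
258 5.119754 pmdvportal 10.203.205.210 TCP 60 61773 → 28130 [RST, ACK] Seq=2388 Ack=1660 Win=0 Len=0
"""

# Columns: No. Time Source Destination Protocol Length Info
ROW = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
# TCP Info column: "sport → dport [FLAGS]"; ports may be resolved, e.g. name(3389)
TCP = re.compile(r"^\S*?(\d+)\)? → \S*?(\d+)\)? \[([^\]]+)\]")

def summarize(text, server_port):
    """Summarize the TCP conversation to server_port from packet-list text."""
    out = {"syn": None, "synack": False, "handshake": False,
           "tls_seen": [], "rst_from": None, "rst_after_ms": None}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _no, t, src, _dst, proto, _length, info = m.groups()
        ts = float(t)
        tcp = TCP.match(info)
        if tcp and server_port in (int(tcp.group(1)), int(tcp.group(2))):
            flags = {f.strip() for f in tcp.group(3).split(",")}
            if "RST" in flags:
                out["rst_from"] = src  # source address as seen at the tap
                if out["syn"] is not None:
                    out["rst_after_ms"] = round((ts - out["syn"]) * 1000, 3)
            elif "SYN" in flags and "ACK" in flags:
                out["synack"] = True
            elif "SYN" in flags:
                out["syn"] = ts
            elif flags == {"ACK"} and out["synack"]:
                out["handshake"] = True
        elif proto.startswith("TLS") and out["syn"] is not None and out["rst_from"] is None:
            # TLS rows between the SYN and the RST (time window, not port match)
            out["tls_seen"].append((src, info))
    return out
```
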
