Hi all,
I'm troubleshooting random resets happening occasionally during FTP data transfer when users are transferring mostly large video files to our FTP server which is behind a firewall.
I have made captures on user machines as well as on the firewall, and I think that some device on the path is resetting the data transfer based on the TTL I'm seeing in the captures.
Here is the text from reset packets since I can't seem to upload images. I removed the public IP of the server for security.
User side - packets before reset
From the FTP server
Frame 153780: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface \Device\NPF_{2E0B0549-D9FE-4565-87F6-BB3B8FB3CFF7}, id 0
Ethernet II, Src: HuaweiTe_b5:d8:12 (24:31:54:b5:d8:12), Dst: 6e:57:4b:ff:b2:bd (6e:57:4b:ff:b2:bd)
Internet Protocol Version 4, Src: x.x.x.x, Dst: 192.168.8.100
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 40
    Identification: 0x69ca (27082)
    Flags: 0x40, Don't fragment
    Fragment Offset: 0
    Time to Live: 122
    Protocol: TCP (6)
    Header Checksum: 0x300f [validation disabled]
    [Header checksum status: Unverified]
    Source Address: x.x.x.x
    Destination Address: 192.168.8.100
Transmission Control Protocol, Src Port: 57013, Dst Port: 50580, Seq: 1, Ack: 136511960, Len: 0
From the client PC
Frame 153781: 1434 bytes on wire (11472 bits), 1434 bytes captured (11472 bits) on interface \Device\NPF_{2E0B0549-D9FE-4565-87F6-BB3B8FB3CFF7}, id 0
Ethernet II, Src: 6e:57:4b:ff:b2:bd (6e:57:4b:ff:b2:bd), Dst: HuaweiTe_b5:d8:12 (24:31:54:b5:d8:12)
Internet Protocol Version 4, Src: 192.168.8.100, Dst: x.x.x.x
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 1420
    Identification: 0xe80f (59407)
    Flags: 0x40, Don't fragment
    Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0xa665 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.8.100
    Destination Address: x.x.x.x
Transmission Control Protocol, Src Port: 50580, Dst Port: 57013, Seq: 136521620, Ack: 1, Len: 1380
FTP Data (1380 bytes data)
[Setup frame: 24]
[Setup method: PASV]
[Command: STOR SLM_6519.MOV]
Command frame: 28
[Current working directory: /pixsell]
User side - reset packet 1
Frame 153785: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface \Device\NPF_{2E0B0549-D9FE-4565-87F6-BB3B8FB3CFF7}, id 0
Ethernet II, Src: HuaweiTe_b5:d8:12 (24:31:54:b5:d8:12), Dst: 6e:57:4b:ff:b2:bd (6e:57:4b:ff:b2:bd)
Internet Protocol Version 4, Src: x.x.x.x, Dst: 192.168.8.100
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 40
    Identification: 0x5f9a (24474)
    Flags: 0x40, Don't fragment
    Fragment Offset: 0
    Time to Live: 252
    Protocol: TCP (6)
    Header Checksum: 0xb83e [validation disabled]
    [Header checksum status: Unverified]
    Source Address: x.x.x.x
    Destination Address: 192.168.8.100
Transmission Control Protocol, Src Port: 21, Dst Port: 50579, Seq: 332, Ack: 115, Len: 0
User side - reset packet 2
Frame 153786: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface \Device\NPF_{2E0B0549-D9FE-4565-87F6-BB3B8FB3CFF7}, id 0
Ethernet II, Src: HuaweiTe_b5:d8:12 (24:31:54:b5:d8:12), Dst: 6e:57:4b:ff:b2:bd (6e:57:4b:ff:b2:bd)
Internet Protocol Version 4, Src: x.x.x.x, Dst: 192.168.8.100
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 40
    Identification: 0xa096 (41110)
    Flags: 0x00
    Fragment Offset: 0
    Time to Live: 251
    Protocol: TCP (6)
    Header Checksum: 0xb842 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: x.x.x.x
    Destination Address: 192.168.8.100
Transmission Control Protocol, Src Port: 57013, Dst Port: 50580, Seq: 1, Ack: 136518860, Len: 0
User side - reset packet 3
Frame 153787: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface \Device\NPF_{2E0B0549-D9FE-4565-87F6-BB3B8FB3CFF7}, id 0
Ethernet II, Src: HuaweiTe_b5:d8:12 (24:31:54:b5:d8:12), Dst: 6e:57:4b:ff:b2:bd (6e:57:4b:ff:b2:bd)
Internet Protocol Version 4, Src: x.x.x.x, Dst: 192.168.8.100
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 40
    Identification: 0x3b28 (15144)
    Flags: 0x40, Don't fragment
    Fragment Offset: 0
    Time to Live: 252
    Protocol: TCP (6)
    Header Checksum: 0xdcb0 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: x.x.x.x
    Destination Address: 192.168.8.100
Transmission Control Protocol, Src Port: 57013, Dst Port: 50580, Seq: 1, Ack: 136525760, Len: 0
Firewall side
Frame 544: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: JuniperN_84:ef:b0 (08:81:f4:84:ef:b0), Dst: Cisco_8a:2b:4e (00:fd:22:8a:2b:4e)
Internet Protocol Version 4, Src: 95.168.118.16, Dst: x.x.x.x
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 40
    Identification: 0x5f99 (24473)
    Flags: 0x40, Don't fragment
    Fragment Offset: 0
    Time to Live: 121
    Protocol: TCP (6)
    Header Checksum: 0x2e94 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 95.168.118.16
    Destination Address: x.x.x.x
Transmission Control Protocol, Src Port: 50579, Dst Port: 21, Seq: 1, Ack: 1, Len: 0
Is my analysis correct that some other device along the path is resetting the connection, based on the TTL of 251 and 252 I see on the reset packets on the user side instead of the usual TTL of 122 in the previous packets?
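
The TTL comparison described in the post, as an added example that is not part of the original post: it reads the TTL and ports out of Wireshark dissection text, infers each packet's likely initial TTL and hop distance, and flags resets that do not match the baseline of the server's data-channel packets. The initial-TTL table (64, 128, 255), the 2-hop tolerance and all function names are assumptions; the sample lines are trimmed to the fields used and carry the values quoted above.

```python
import re
from statistics import median

# Assumption: the usual initial TTLs of host OSes (64, 128) and network gear (255).
COMMON_INITIAL_TTLS = (64, 128, 255)
FIELDS = re.compile(r"Time to Live: (\d+).*?Src Port: (\d+), Dst Port: (\d+)", re.S)

# Dissections trimmed to the fields used; values are the ones quoted in the post.
SERVER_DATA = ["Time to Live: 122 Protocol: TCP (6) Src Port: 57013, Dst Port: 50580"]
RESETS = [
    "Time to Live: 252 Protocol: TCP (6) Src Port: 21, Dst Port: 50579",
    "Time to Live: 251 Protocol: TCP (6) Src Port: 57013, Dst Port: 50580",
    "Time to Live: 252 Protocol: TCP (6) Src Port: 57013, Dst Port: 50580",
]

def parse(text):
    """Extract TTL and TCP ports from one packet's dissection text."""
    m = FIELDS.search(text)
    if m is None:
        raise ValueError("no IPv4 TTL / TCP ports in dissection text")
    ttl, sport, dport = (int(g) for g in m.groups())
    return {"ttl": ttl, "sport": sport, "dport": dport}

def initial_ttl(observed):
    """Smallest common initial TTL that could have decayed to the observed value."""
    return min(t for t in COMMON_INITIAL_TTLS if t >= observed)

def check_resets(baseline_texts, reset_texts, tolerance=2):
    """Compare each reset's TTL with the median TTL of known-good server packets."""
    base = median(parse(t)["ttl"] for t in baseline_texts)
    findings = []
    for text in reset_texts:
        pkt = parse(text)
        start = initial_ttl(pkt["ttl"])
        # Suspect if built by a stack with a different initial TTL, or if the
        # hop distance differs from the baseline by more than the tolerance.
        pkt.update(initial_ttl=start, hops=start - pkt["ttl"],
                   suspect=start != initial_ttl(base) or abs(pkt["ttl"] - base) > tolerance)
        findings.append(pkt)
    return base, findings

if __name__ == "__main__":
    base, findings = check_resets(SERVER_DATA, RESETS)
    print(f"baseline TTL {base} (initial {initial_ttl(base)}, {initial_ttl(base) - base} hops)")
    for f in findings:
        print(f)
```

A different inferred initial TTL shows only that a different IP stack built the packet, which can be a device in front of the server as well as one further along the path. Checking whether the same resets appear in the firewall-side capture is what separates the two.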