Hi,
I am troubleshooting an issue with an POS\Restaurant application that is hanging and has slow performance. Vendor had me send the a packet capture from one of the terminals. They are saying it looks like the firewall is causing the disconnects with the hosted system, but for troubleshooting we have firewall wide open. Can someone take a look at the following stream and let me know if it looks like the firewall would be causing an issue? To me, it looks like the terminal (10.215.50.101) is sending the RST after the communication was ended with a FIN packet and the server tried to send Encrypted Alert. I'm just not the greatest at Analysis.
- 10.215.50.101 64.79.134.26 TCP 66 61398 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256
- 10.215.50.101 64.79.134.26 TCP 66 61398 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256
- 10.215.50.101 64.79.134.26 TCP 54 61398 → 443 [ACK] Seq=1 Ack=1 Win=66048 Len=0
- 10.215.50.101 64.79.134.26 TLSv1.2 426 Client Hello
- 64.79.134.26 10.215.50.101 TCP 60 443 → 61398 [ACK] Seq=1 Ack=373 Win=15872 Len=0
- 64.79.134.26 10.215.50.101 TLSv1.2 163 Server Hello, Change Cipher Spec, Encrypted Handshake
- 10.215.50.101 64.79.134.26 TLSv1.2 575 Change Cipher Spec, Encrypted Handshake Message
- 64.79.134.26 10.215.50.101 TCP 60 443 → 61398 [ACK] Seq=110 Ack=894 Win=16896 Len=0
- 10.215.50.101 64.79.134.26 TLSv1.2 464 Application Data
- 64.79.134.26 10.215.50.101 TCP 60 443 → 61398 [ACK] Seq=110 Ack=1304 Win=17920 Len=0
- 64.79.134.26 10.215.50.101 TLSv1.2 436 Application Data
- 64.79.134.26 10.215.50.101 TLSv1.2 612 Application Data
- 10.215.50.101 64.79.134.26 TCP 54 61398 → 443 [ACK] Seq=1304 Ack=1050 Win=65024 Len=0
- 10.215.50.101 64.79.134.26 TCP 54 61398 → 443 [FIN, ACK] Seq=1304 Ack=1050 Win=65024 Len=0
- 64.79.134.26 10.215.50.101 TLSv1.2 85 Encrypted Alert
- 10.215.50.101 64.79.134.26 TCP 54 61398 → 443 [RST, ACK] Seq=1305 Ack=1081 Win=0 Len=0
- 64.79.134.26 10.215.50.101 TCP 60 443 → 61398 [FIN, ACK] Seq=1081 Ack=1305 Win=17920 Len=0
Thanks in advance!
