I see packets coming from an IP lets just say 192.168.1.47 that authenticate to a webserver with no problem. I see all the correct traffic. I however have another IP 192.168.1.30 that worked in the AM of said day. In the afternoon the same connection is trying to be made I see in Wireshark [TCP Retransmission] [TCP Port numbers reused] and the client fails to get logged into the site. The browser says "Can't reach this page". All routes and traffic are working as expected. I see the "TCP Port numbers reused" at every failure. How can I look into what is causing the reused ports? I asked the users how they login and out of the site and they said to me that they usually login and let the session time out. However that morning when I started the initial packet captures I had the user 1 login and try it. It was successful. I had him logout because were not going to test till later in the day. That way I got a full capture of connect and disconnect. Later that afternoon I was testing and his session continued to work. While sitting there testing with this user 1 I say those messages go by with [TCP Port numbers reused]. I asked user 1 if someone else was there and using the site. He said yes and I asked if it failed to login in and I got a yes. I asked the user 1 if user 2 was using CATS in the morning and let it timeout. He said that user 2 was using the site in the morning and let it timeout. Can this cause this type of issue when their sessions timeout instead of getting closed manually and correctly? What controls the ports that are being reused. The ports are going to a https site (443) which will never change. The origination ports are the ports that are being reused. The site destination ip ends in 66. Can anyone validate or put holes in my theory of them not logging out correctly?
