First, I have a capture file yet to be wrangled and uploaded here.
Second, a remote user is attempting to RDP to an AzureVM as follows:
User(Laptop) ------ Internet VPN --------AzureFW--------AzureLB-----------RDPgateway-----------AzureVM
On some occasions the user is unable to RDP to the AzureVM; it simply fails to connect.
Upon observing captures taken from the source host (i.e. the user's laptop), I have noticed an array of TCP streams as follows:
1. syn
2. syn-ack
3. ack
4. fin-ack
5. ack
6. fin-ack
7. ack
On each occasion the penultimate packet (fin-ack) is sent after 10-12 sec from the server side. The first fin-ack, listed at point 4 above, is client side, or client initiated.
I am struggling to understand why the first fin-ack followed by an ack is not sufficient in terms of tearing down the connection and associated socket. There are some 19 streams in the cap file in all, and the conversations between this pair end in the same way, a bit like a dead marriage with simply no future ...
I am also struggling to understand why there are so many short-lived sessions occurring here between this particular client-server pair.