SYN, ACK Failing for one client

I have a mail server, 192.168.1.1, behind a NAT with the external address of 100.60.60.10. I send mail to a number of clients, and with most of them it works fine and a packet capture on the firewall looks like this:

1   0.000000    192.168.1.1     140.160.150.90  TCP 76  49970→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635951574 TSecr=0 WS=128
2   0.000183    100.60.60.10    140.160.150.90  TCP 76  49970→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635951574 TSecr=0 WS=128
3   0.030467    140.160.150.90  100.60.60.10    TCP 76  25→49970 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 TSval=2682612338 TSecr=635951574 SACK_PERM=1
4   0.030548    140.160.150.90  192.168.1.1 TCP 76  25→49970 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 TSval=2682612338 TSecr=635951574 SACK_PERM=1

I have one client, however, where the handshake fails. I never get the fourth step where the SYN, ACK gets to my mail server's internal IP; instead I get a retransmission:

1   0.000000    192.168.1.1     200.150.150.100 TCP 76  47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635968811 TSecr=0 WS=128
2   0.000194    100.60.60.10    200.150.150.100 TCP 76  47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635968811 TSecr=0 WS=128
3   0.053761    200.150.150.100 100.60.60.10    TCP 76  25→47014 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=64 SACK_PERM=1 TSval=774073979 TSecr=635968811
4   3.004628    192.168.1.1     200.150.150.100 TCP 76  [TCP Retransmission] 47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635971816 TSecr=0 WS=128

The only difference I can see between the two is that the Win value is much higher in the one which fails, and there is a WS=64 entry which is not present in the successful handshake. Does this indicate that his mail server is sending something which my firewall can't deal with? Any help is much appreciated!
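The comparison described in the question can be automated. The script below is an added example, not part of the original post: it parses the eight capture lines shown above, finds SYN, ACKs that reached the NAT's external address without a translated copy being sent to the internal address, and diffs their TCP fields against a SYN, ACK that was forwarded. It assumes the NAT keeps the source port unchanged, as in this capture; the function names are hypothetical.

```python
import re

INTERNAL, EXTERNAL = "192.168.1.1", "100.60.60.10"  # addresses from the post

# The eight capture lines from the post (whitespace normalised).
CAPTURE = """
1 0.000000 192.168.1.1 140.160.150.90 TCP 76 49970→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635951574 TSecr=0 WS=128
2 0.000183 100.60.60.10 140.160.150.90 TCP 76 49970→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635951574 TSecr=0 WS=128
3 0.030467 140.160.150.90 100.60.60.10 TCP 76 25→49970 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 TSval=2682612338 TSecr=635951574 SACK_PERM=1
4 0.030548 140.160.150.90 192.168.1.1 TCP 76 25→49970 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 TSval=2682612338 TSecr=635951574 SACK_PERM=1
1 0.000000 192.168.1.1 200.150.150.100 TCP 76 47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635968811 TSecr=0 WS=128
2 0.000194 100.60.60.10 200.150.150.100 TCP 76 47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635968811 TSecr=0 WS=128
3 0.053761 200.150.150.100 100.60.60.10 TCP 76 25→47014 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=64 SACK_PERM=1 TSval=774073979 TSecr=635968811
4 3.004628 192.168.1.1 200.150.150.100 TCP 76 [TCP Retransmission] 47014→25 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=635971816 TSecr=0 WS=128
"""

LINE = re.compile(r"\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+(?:\[TCP [^\]]+\]\s+)?"
                  r"(\d+)→(\d+)\s+\[([^\]]+)\]\s+(.*)")

def parse(text):
    """Turn Wireshark summary lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            src, dst, sport, dport, flags, rest = m.groups()
            opts = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
            pkts.append({"src": src, "dst": dst, "sport": int(sport),
                         "dport": int(dport), "flags": flags, "opts": opts})
    return pkts

def synacks_to(pkts, dst):
    return [p for p in pkts if p["flags"] == "SYN, ACK" and p["dst"] == dst]

def unforwarded_synacks(pkts):
    """SYN,ACKs sent to EXTERNAL with no translated copy sent to INTERNAL."""
    key = lambda p: (p["src"], p["sport"], p["dport"])  # assumes ports survive NAT
    inside = {key(p) for p in synacks_to(pkts, INTERNAL)}
    return [p for p in synacks_to(pkts, EXTERNAL) if key(p) not in inside]

def option_diff(a, b, ignore=("TSval", "TSecr")):
    """Fields that differ between two packets, ignoring per-connection timestamps."""
    keys = (set(a["opts"]) | set(b["opts"])) - set(ignore)
    return {k: (a["opts"].get(k), b["opts"].get(k))
            for k in sorted(keys) if a["opts"].get(k) != b["opts"].get(k)}

if __name__ == "__main__":
    pkts = parse(CAPTURE)
    forwarded = synacks_to(pkts, INTERNAL)[0]
    for p in unforwarded_synacks(pkts):
        print(p["src"], "SYN,ACK not forwarded; differs in:", option_diff(forwarded, p))
```

The diff only covers fields visible in the summary line, so it narrows down what to inspect in the full packet rather than identifying a cause.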