This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HTTP 100 Continue not received triggering a FIN

0

HI, I am facing a very strange issue. After a successful TCP Handshake, client sends an HTTP Request. Server received it, and responded with a HTTP 100 Continue and right after with a HTPP 200 OK.

But on the client, the Continue doesn't arrive. Instead, only a TCP packet arrives acknowledging the fist HTTP request with the right SEQ,ACK. (The normal flow would be receiving the HTTP 100 with the right SEQ,ACK).

Client then waits for 1sec and sends a FYN, which is correctly negotiated with the server.

This cycle continues for 5 or so rounds, until finally the Continue arrives and the client gets the right info from the server.

I suspect something on the network (WAAS or FW) are tampering with the packets.

How can i troubleshoot?

asked 07 Oct '12, 10:58

ctxsvc's gravatar image

ctxsvc
31224
accept rate: 33%


3 Answers:

0

It was the Cisco WAAS, we disabled it and HTTP didnt fail.

we dont know what was the WAAS doing though.

answered 12 Oct '12, 15:23

ctxsvc's gravatar image

ctxsvc
31224
accept rate: 33%

0

Ideally you would have to capture from the server and client side and compare traces

answered 07 Oct '12, 11:54

thetechfirm's gravatar image

thetechfirm
64116
accept rate: 0%

HI thetechfirm,

thanks for the reply.

That is what i did, i compared the traces on the laptop and on the server. That is how i know HTTP responses are leaving the server but not reaching the client laptop.

My problem, i think, is that there are so many devices in the middle that i loose visibility.

I know that packets arrive to the server with a Public IP, and that could be a Cisco FW or ASA doing NATs and who knows what else.

brgrds

(07 Oct '12, 12:08) ctxsvc

0

You'll need to move your capture point along the path until you find the device that's dropping or modifying packets. Continue to capture at the server, but move your downstream capture point from the laptop towards the server one device at a time. As soon as you see that all the HTTP 100 Continue packets that leave the server are captured at the other capture point, you know that you've just moved upstream of the device that's dropping the packets.

When you think you've found the responsible device, confirm by capturing on each side of that device.

answered 07 Oct '12, 12:30

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

HI Jim,

totally agree. I will start placing laptops closer to the server.

From your experience, what is a good way to set this up in an enterprise cisco environent? Putting a PC running wireshark connected to the destination port of a SPAN session configured on a switch or its variants ( RSPAN and ERSPAN)?

Any other good tool? I heard Riverbed has a TurboPCAP network card on some software too.

brgrds

(07 Oct '12, 13:42) ctxsvc

I agree with Jim.

(07 Oct '12, 13:49) thetechfirm