Hi. I'm doing an analysis on a network, and while doing a capture from the client's end I found out that all TCP connections end with reset packets. The network looks like:

Client - Firewall - Load balancer (+SSL acceleration) - Server

So when I'm capturing traffic from a client I see that the TCP traffic is flowing fine and the client ACKs packets normally. After the last segment is ACKed nothing happens for ~5 seconds, and then the rest of the connection always goes like this:

SERVER sends 'Encrypted alert'-packet
SERVER sends FIN,ACK
CLIENT sends ACK
CLIENT sends 'Encrypted alert'-packet
CLIENT sends RST,ACK

So my question is: Is this normal behavior, or could there be something wrong with the configuration?

Any help is appreciated.

-Rakki

asked 12 Nov '12, 02:21 rakki
One Answer:
RST used to be a flag that indicated a session termination due to trouble, but in the last couple of years the RST flag is more and more used to shut down sessions that had no trouble at all. Mostly because it is faster than FIN-ACK-FIN-ACK, and it releases the stack resources right away while FIN might lead to a TIME-WAIT state. So I'd say seeing reset packets at the end of a conversation is pretty normal.

answered 12 Nov '12, 02:59 Jasper ♦♦
Thanks, Jasper, for the info. So you would also say that the 5 seconds delay before this happens is also normal?
Why can't it do this right away after the last ACK is received?
That is usually a result of the systems keeping the connection open in case one of the nodes has another request. After a timeout one (or both) nodes decide to tear down the connection since there doesn't seem to be the need for further data transfers in that session.
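Added example, not part of the original thread: a small Python classifier that separates the teardown described in the question (idle gap, alert and FIN from one side, RST from the other) from a reset that arrives with no prior close signal. The tuple layout, the 1-second idle threshold, the verdict names and both sample traces are assumptions constructed for illustration.

```python
# Constructed traces: (seconds, sender, TCP flags, TLS record type or None).
# QUESTION_TRACE mirrors the sequence in the question; timestamps are made up.
QUESTION_TRACE = [
    (0.00, "server", {"PSH", "ACK"}, "application_data"),
    (0.01, "client", {"ACK"}, None),
    (5.02, "server", {"PSH", "ACK"}, "alert"),   # 'Encrypted alert'
    (5.02, "server", {"FIN", "ACK"}, None),
    (5.03, "client", {"ACK"}, None),
    (5.03, "client", {"PSH", "ACK"}, "alert"),   # 'Encrypted alert'
    (5.03, "client", {"RST", "ACK"}, None),
]
# Contrast case: reset in the middle of a transfer, no alert or FIN first.
ABORT_TRACE = [
    (0.00, "client", {"PSH", "ACK"}, "application_data"),
    (0.02, "server", {"RST", "ACK"}, None),
]

def classify_teardown(trace, idle_threshold=1.0):
    """Summarise how a connection ended.

    Verdicts (names are this example's own):
      open            - no alert, FIN or RST seen
      fin-close       - closed without any RST
      rst-after-close - RST sent only after an alert or FIN announced the close
      abortive-rst    - RST with no earlier alert or FIN
    """
    closing = [i for i, (_, _, flags, tls) in enumerate(trace)
               if tls == "alert" or flags & {"FIN", "RST"}]
    if not closing:
        return {"verdict": "open"}
    start = closing[0]
    ts, initiator, _, _ = trace[start]
    # Quiet time between the last packet of the exchange and the first close signal.
    idle = round(ts - trace[start - 1][0], 3) if start > 0 else 0.0
    rst_index = next((i for i, p in enumerate(trace) if "RST" in p[2]), None)
    if rst_index is None:
        verdict, rst_sender = "fin-close", None
    else:
        rst_sender = trace[rst_index][1]
        announced = any(tls == "alert" or "FIN" in flags
                        for _, _, flags, tls in trace[:rst_index])
        verdict = "rst-after-close" if announced else "abortive-rst"
    return {"initiator": initiator, "idle_before_close": idle,
            "idle_timeout": idle >= idle_threshold,
            "rst_sender": rst_sender, "verdict": verdict}

if __name__ == "__main__":
    print(classify_teardown(QUESTION_TRACE))
    print(classify_teardown(ABORT_TRACE))
```
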