This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

All TCP connections end with RST

0

Hi. I'm doing an analysis on a network and while doing a capture from client's end I found out that all TCP connections end with reset packets.

The network looks like: Client - Firewall - Load balancer(+SSL acceleration) - Server

So when I'm capturing traffic from a client I see that the TCP traffic is flowing fine and the client ACKs packets normally. After the last segment is ACKed nothing happens for ~5 seconds and then the rest of the connection always goes like this:


SERVER sends 'Encrypted alert'-packet

SERVER sends FIN,ACK

CLIENT sends ACK

CLIENT sends 'Encrypted alert'-packet

CLIENT sends RST,ACK


So my question is: Is this normal behavior or could there be something wrong with the configuration? Any help is appreciated.

-Rakki

asked 12 Nov '12, 02:21

rakki


One Answer:

2

RST used to be a flag that indicated a session termination due to trouble, but in the last couple of years the RST flag is more and more used to shut down sessions that had no trouble at all. Mostly because it is faster than FIN-ACK-FIN-ACK, and it releases the stack resources right away while FIN might lead to a TIME-WAIT state.

So I'd say seeing reset packets at the end of a conversation is pretty normal.

answered 12 Nov '12, 02:59

Jasper ♦♦

Thanks, Jasper for the info. So you would also say that the 5 seconds delay before this happens is also normal?

Why can't it do this right away after the last ACK is received?

(12 Nov '12, 03:06) rakki

That is usually a result of the systems keeping the connection open in case one of the nodes has another request. After a timeout one (or both) nodes decide to tear down the connection since there doesn't seem to be the need for further data transfers in that session.

(12 Nov '12, 04:38) Jasper ♦♦
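
Added example, not part of the original thread: a small classifier that separates the pattern discussed above (peer sends FIN after an idle timeout, the other side answers with RST) from a reset that arrives with no orderly close at all. The function name, the tuple layout and all timestamps are constructed for illustration, and the TLS alerts are assumed to travel in PSH,ACK segments.

```python
# Added example: classify how a TCP connection ended from its flag sequence.
# Each packet is constructed sample data: (seconds, sender, set of TCP flags).
SAMPLE = [  # mirrors the sequence in the question; timestamps are constructed
    (0.00, "server", {"PSH", "ACK"}),   # last data segment
    (0.01, "client", {"ACK"}),          # client ACKs it
    (5.02, "server", {"PSH", "ACK"}),   # TLS 'Encrypted alert' (assumed flags)
    (5.02, "server", {"FIN", "ACK"}),
    (5.03, "client", {"ACK"}),
    (5.03, "client", {"PSH", "ACK"}),   # TLS 'Encrypted alert' (assumed flags)
    (5.03, "client", {"RST", "ACK"}),
]
ABORTED = [  # constructed: reset in the middle of a transfer, no FIN seen
    (0.00, "client", {"PSH", "ACK"}),
    (0.01, "server", {"RST", "ACK"}),
]

def classify_teardown(packets, idle_threshold=1.0):
    """Describe how one connection was torn down (hypothetical helper)."""
    fin_from = []        # senders that sent FIN, in order of first appearance
    rst_from = None      # sender of the first RST
    longest_gap = 0.0    # longest silence between two consecutive packets
    prev_ts = None
    for ts, sender, flags in packets:
        if prev_ts is not None:
            longest_gap = max(longest_gap, ts - prev_ts)
        prev_ts = ts
        if "FIN" in flags and sender not in fin_from:
            fin_from.append(sender)
        if "RST" in flags and rst_from is None:
            rst_from = sender
    if rst_from is None:
        kind = "fin-close" if len(fin_from) == 2 else "open-or-half-closed"
    elif fin_from and fin_from[0] != rst_from:
        # The peer already sent FIN; the RST stands in for the second FIN.
        kind = "rst-after-peer-fin"
    elif fin_from:
        kind = "rst-after-own-fin"
    else:
        kind = "rst-abort"   # no orderly close seen before the reset
    return {"kind": kind,
            "initiator": fin_from[0] if fin_from else rst_from,
            "idle_timeout": longest_gap >= idle_threshold,
            "longest_gap": round(longest_gap, 2)}

if __name__ == "__main__":
    print(classify_teardown(SAMPLE))
    print(classify_teardown(ABORTED))
```
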