This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dropped TCP ACK or dropped TCP SYN, ACK

0

I have a web server with 10 IP Addresses and about 10,000 clients. Every couple of months I will get one client that can't connect to one IP Address. All other clients can connect, and the one client having trouble with the one IP Address can connect to all the other IP Addresses on the server. The problem lasts for a couple of months and clears on its own.

The packet capture shows one client to server SYN, a couple of server to client SYN, ACKs, then a server to client RST, and finally a "A segment before this frame wasn't captured." It seems like the client's ACK is not getting to the server for the one IP Address.

There are no firewalls that are blocking by IP Address. Is there anything other than a firewall that would cause this?

Maybe the source is not receiving the SYN, ACK from the destination. The packet capture shows the source sending the same SYN sequence number about 10 times. I guess we would have to run the packet capture on both ends to see.

asked 04 Feb '13, 07:18

Steve1
accept rate: 0%

edited 04 Feb '13, 09:01


One Answer:

0

As always, having a packet capture to look at will make it much easier to help you solve this issue. If you can upload a capture file to www.cloudshark.org and post the link here, that would be great.

You describe a capture; I assume it has been made on the client itself? You also state that the source (client) sends SYNs with the same sequence number. Does every SYN result in a SYN/ACK from the server? What is the MAC address in the SYN/ACK? Are the IP and TCP checksums correct? (You can enable checksum verification in the IP and TCP protocol preferences.)

answered 04 Feb '13, 15:28

SYN-bit ♦♦
accept rate: 20%
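
Two of the checks asked for in the answer above (does every SYN get a SYN/ACK, and are the IP and TCP checksums correct) can be scripted over raw IPv4 packets. This is an added example, not code from the original thread; the helper names (`csum`, `build`, `analyze`), the addresses and the sample packets are all constructed for illustration.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over data holding a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(src, dst, sport, dport, seq, ack, flags, corrupt=False):
    """Construct a sample IPv4+TCP packet (test data only, no options, no payload)."""
    s, d = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    tc = csum(s + d + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) ^ (0x0101 if corrupt else 0)
    tcp = tcp[:16] + struct.pack("!H", tc) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0) + s + d
    return ip[:10] + struct.pack("!H", csum(ip)) + ip[12:] + tcp

def analyze(packets):
    """Return (ISNs of SYNs never answered by a SYN/ACK, indexes of bad-checksum packets)."""
    syns, bad = {}, []
    for i, p in enumerate(packets):
        ihl = (p[0] & 0x0F) * 4
        tcp = p[ihl:struct.unpack("!H", p[2:4])[0]]
        pseudo = p[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        # Note: packets sent by the capturing host can fail this check
        # purely because of checksum offload on its NIC.
        if csum(p[:ihl]) or csum(pseudo + tcp):
            bad.append(i)
        sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
        flags = tcp[13] & 0x12
        if flags == 0x02:    # SYN: retransmissions share one key (same ISN)
            syns.setdefault((p[12:16], sport, p[16:20], dport, seq), False)
        elif flags == 0x12:  # SYN/ACK acknowledges the client's ISN + 1
            key = (p[16:20], dport, p[12:16], sport, (ack - 1) & 0xFFFFFFFF)
            if key in syns:
                syns[key] = True
    return [k[4] for k, answered in syns.items() if not answered], bad

# Constructed sample: one handshake answered with a corrupt SYN/ACK, one never answered.
SAMPLE = [
    build("192.0.2.10", "198.51.100.1", 40000, 80, 1000, 0, 0x02),
    build("192.0.2.10", "198.51.100.1", 40000, 80, 1000, 0, 0x02),
    build("198.51.100.1", "192.0.2.10", 80, 40000, 7000, 1001, 0x12, corrupt=True),
    build("192.0.2.10", "198.51.100.2", 40001, 80, 2000, 0, 0x02),
    build("192.0.2.10", "198.51.100.2", 40001, 80, 2000, 0, 0x02),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Running the same logic on captures taken at both ends shows which side stops seeing the other's segments.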