This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

This is from a customer, cannot send the whole log. One side is our communications device, another is Windows Server 2008.

http://imgur.com/gxpolJ3

This happens very rarely, but we see it.

Windows replies with '2470', seq is 1 instead of 0, and it is ACK instead of SYN-ACK, and it acks a packet that is never seen (not in all the previous communication either). This packet is repeated as if Windows sees duplicates. RST is ignored. The device retries and finally succeeds. Any idea what is wrong?

asked 22 Feb '13, 09:54

IoT's gravatar image

IoT
6114
accept rate: 0%

edited 22 Feb '13, 10:00

Thank you! Lets see, here is what happens:

1. Device>  SYN // device starts a handshake
2. Windows< ACK // ?? Should be SYN-ACK. Also, ack seq is a bad number
3. Device>  RST // Device did not understands and it resets
4. Device>  SYN // device retries an attempt
5. Windows< ACK // ?? Sees it again, but it is even a duplicate of 2. 
                //     as if there was a duplicate packet from device 
6. Device>  RST // Device did not understands and it resets

I would assume Windows would reset if it could not service the connection, instead the device resets - because it gets ACK instead of SYN-ACK.....

By the way the wireshark is taken at Windows side. Any further comments?

(22 Feb '13, 11:58) IoT

Looking at your image, all sessions that fail are from port 1598 (I looked up picknfs in the services file). Then the session that does succeed is from port 1601 (again from the services file). So it looks like a device between you and the server was having a problem with traffic from port 1598 at the time.

I have seen this behavior with a Cisco ASA firewall running old software. But it could be a problem on any device that keeps track of sessions (Firewall, Loadbalancer, Proxy, etc.). What kind of devices are in the path?

permanent link

answered 22 Feb '13, 23:30

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

I got the answer from the customer representative: the Windows server (that gives bad replies) has Windows Firewall and it also has Symantec Endpoint Protection. He will attempt to try disabling these. And here is the [whole chunk in cloudshark][1] http://www.cloudshark.org/captures/6be79d094391

(23 Feb '13, 10:02) IoT
1

I'm confused. Would anyone care to speculate why, in frames 3, 6, 9, 12, and 15, the RST packet claims to be both FROM and TO IP address 72.237.119.107, whereas the MAC addresses correspond to packets that are FROM 192.168.1.2 and TO 72.237.119.107, as does the IP TTL? Is this just an intermediate device that's completely mangling the packets?

(23 Feb '13, 17:23) Jim Aragon

Wow, this is big, and I did not notice this. Thank you!

(23 Feb '13, 22:55) IoT
1

How are these networks connected? I notice that the round trip time is very high--well over 700 ms--even for the successful connection, and we seem to be going through some sort of DigiBoard device.

(24 Feb '13, 09:36) Jim Aragon

Thank you very much Jim - I just learned that our engineers identified a firmware bug that led to this behavior. Fyi, this is an over-the-air mesh network in the area of smart metering. Devices from different vendors are involved.

(25 Feb '13, 11:25) IoT

This looks like a typical case of where the application decides to refuse a session based on some setting it has. This is usually something like "only allow clients from a subnet like w.x.y.z" - the SYN comes in, and the TCP stack tells the application about it while it already acknowledges the SYN on it's own. The application realizes that it doesn't like the connection from that source IP and shuts it down by closing the socket - which results in a reset.

In your case the connection works after a while, so the criteria can't be the source IP. But maybe there is some "maximum concurrent sessions" setting in the application, and it will only allow the new connection after an older one has finished and/or has timed out. Sometimes FTP server do something like this to avoid having too many connections, but they ususaly do it within the application flow, not on kinda rude socket behavior.

Check if there is a limitation of any kind on the device that sends the reset. If there isn't any (meaning: someone other than you tells your there isn't any ;-)) you should try to verify this. I would capture the connections after a restart of the server and start counting concurrent sessions, which you can do with Wireshark conversation stastistics by looking at start and duration times.

Oh, and by the way, the RST is not "ignored". The client just tries a new connection attempt by sending another SYN.

permanent link

answered 22 Feb '13, 11:03

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thank you very much! I will have to wait until Monday. I will also ask if it is possible to post the whole shark.

(23 Feb '13, 01:57) IoT
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×752
×139
×55
×44

question asked: 22 Feb '13, 09:54

question was seen: 5,645 times

last updated: 25 Feb '13, 11:25

p​o​w​e​r​e​d by O​S​Q​A