This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Broken TCP. The acknowledge field is nonzero while the ack flag is not set


Hi,

My TN3270 printer server sometimes disconnects from the IBM communication server. The printer server IP is 10.100.12.105, the communication server IP is 10.99.16.22. The server TCP port is 2023. The communication server will send a PSH,ACK to the printer server every 20 seconds if no data is sent to the printer server to print, and the printer server will send an ACK to the communication server.

I used Wireshark to capture traffic at the printer server side and the communication server side (these packet captures were not taken at the same time). At the printer server side, after the printer server sent an ACK to the communication server (No.35865), the communication server stopped sending PSH,ACK to the printer server.


At the communication server side, we can see that the last PSH,ACK (No.98926) was sent, but 2 packets were received (No.98932, RST & No.98976, ACK).

Packet No.98976 seems to be a normal packet sent from the print server, but packet No.98932 arrived at the communication server before No.98976 and caused the TCP connection to reset; after that the communication server never sent PSH,ACK to the printer server.

My question is: what does “Broken TCP. The acknowledge field is nonzero while the ack flag is not set” mean? Why was packet No.98932 generated and received by the communication server?

Best Regards,

Jackson

asked 26 Feb '13, 23:56

Jackson


One Answer:


The message means that although the ACK flag is not set, the ACK field is non-zero. This is a violation of the TCP RFC. It does happen regularly on packets with the RST bit set, so in your case it is not really a problem.

What is a problem is that you see a RST packet on one side and not on the other side of the connection. So you might want to investigate that further. Have a look at the MAC addresses and the IP TTL to see whether you can determine who is sending the RST. It might be a firewall in between?

answered 27 Feb '13, 00:42

SYN-bit ♦♦

Hi,

The print server and communication server are in 2 different layer 3 VLANs on the same Cisco Catalyst 6509, with no firewall or ACL in between.

I found that the TTL for the RST packet is 63, and the TTL for the normal ACK packet is 127. The source MAC address of both packets is the same (the Cisco Catalyst 6509 MAC address).

Do you mean that maybe someone (not the real printer server) is spoofing the IP of the print server and sending RST to the communication server? I tried to capture traffic for the print server's VLAN to analyze it, but this VLAN is very big (almost 2000 devices). Please advise me how to troubleshoot this problem.

Best Regards,

Jackson

(27 Feb '13, 06:32) Jackson

"Do you mean maybe someone ( not real printer server ) spoof the IP of print server"

I would rather say the IP stack implementation of the printer server is buggy. What is the OS of that server?

Regards
Kurt

(27 Feb '13, 09:18) Kurt Knochner ♦

Hi,

The print server OS is WIN XP, running TN3270 software.

The communication between the print server and the communication server was OK until 3 weeks ago; we have not changed any network structure or changed the print / communication server OS & configuration.

How can I verify whether the problem is in the print server or communication server IP stack, and how can I solve it?

Best Regards,

Jackson

(27 Feb '13, 15:01) Jackson
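
The two checks discussed in this thread (ack field nonzero without the ACK flag, and a RST whose IP TTL differs from the sender's other segments), as an added Python example that is not part of the original posts. The packets are constructed: the IP addresses, server port and the TTLs 63 and 127 come from the thread, while the client port, sequence numbers and the communication server's TTL are assumptions.

```python
import struct
from collections import Counter, defaultdict

RST, PSH, ACK = 0x04, 0x08, 0x10  # TCP flag bits

def build(src, dst, ttl, sport, dport, seq, ack, flags):
    """Constructed 40-byte IPv4+TCP header pair (checksums zero) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)

def parse(pkt):
    """Extract source IP, TTL, ack number and flags from a raw IPv4/TCP packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (pkt[0] & 0x0F) * 4
    _, _, _, ack, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": ".".join(map(str, pkt[12:16])), "ttl": pkt[8], "ack": ack, "flags": flags}

def audit(packets):
    """Return [(packet_number, [notes])] for segments matching either check."""
    parsed = [parse(p) for p in packets]
    baseline = defaultdict(Counter)          # src IP -> TTLs seen on non-RST segments
    for p in parsed:
        if not p["flags"] & RST:
            baseline[p["src"]][p["ttl"]] += 1
    findings = []
    for number, p in enumerate(parsed, 1):
        notes = []
        if p["ack"] and not p["flags"] & ACK:
            notes.append("ack field nonzero while ACK flag is not set")
        usual = baseline[p["src"]].most_common(1)
        if p["flags"] & RST and usual and usual[0][0] != p["ttl"]:
            notes.append(f"RST TTL {p['ttl']} != usual TTL {usual[0][0]} for {p['src']}")
        if notes:
            findings.append((number, notes))
    return findings

# Constructed sample: IPs, server port and TTLs 63/127 come from the thread;
# client port, sequence numbers and the server's TTL are made up.
PRN, SRV = "10.100.12.105", "10.99.16.22"
SAMPLE = [
    build(SRV, PRN, 64, 2023, 1061, 5000, 9000, PSH | ACK),
    build(PRN, SRV, 63, 1061, 2023, 9000, 5000, RST),   # the unexpected RST
    build(PRN, SRV, 127, 1061, 2023, 9000, 5000, ACK),  # the normal ACK
]

if __name__ == "__main__":
    for number, notes in audit(SAMPLE):
        print(number, "; ".join(notes))
```

A TTL of 127 is consistent with an initial TTL of 128 seen one routed hop away, and 63 with an initial TTL of 64, so a mismatch like this suggests the RST was originated by a different IP stack than the one sending the normal ACKs.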