This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Http failure indicated by the user

0

https://www.cloudshark.org/captures/c80a58e1dccb

To start with: the one server is on the inside of the network and the others are in DMZ 2; a firewall separates them. I have a user complaining that from time to time they lose connection to an HTTP session, but there is no indication of an HTTP upload disconnection. Is seeing in the three way handshake, but I also see a bunch of NOPs throughout the trace, but everything looks good. One retransmission. I read somewhere that the NOPs are like keep-alives because of the firewall time-out options, but I have also learned that 4 NOPs in a row are options removed by the firewall. Can someone take a look and let me know what you think? The trace looks good to me from what I can tell.

Thanks

asked 19 May '13, 16:18

Ernest Johnson


One Answer:

1

Four NOPs in a row in a SYN packet is not a good thing, because it usually means that a device has removed TCP options by replacing them with NOPs. It would be a good idea to reconfigure the firewall not to touch the TCP options.

Also, there seems to be packet loss in frame 132, which is retransmitted in frame 133, but your capture was made before the location where it was lost. As far as I can tell, all that lost packet costs you is about 200 ms.

The only reset packet is packet #2, but since there is only an additional FIN packet right before it, it looks just like normal session termination. I guess if you can manage to fix the four NOP issue, things will run much smoother.

answered 19 May '13, 18:56

Jasper ♦♦

Thank you Jasper, what would you recommend we do to fix the firewall to not touch the NOPs?

(19 May '13, 19:20) Ernest Johnson

What is your firewall brand?

(20 May '13, 03:35) Kurt Knochner ♦
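
The check described in the answer (four or more NOPs in a row in a SYN suggests a device overwrote TCP options), as an added example that is not part of the original thread. The function names, the threshold default and both sample headers are constructed for illustration; the "clean" layout is a typical MSS / window scale / SACK-permitted SYN.

```python
import struct

NOP, EOL = 1, 0
NAMES = {1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-permitted", 8: "Timestamps"}

def build_syn(options: bytes) -> bytes:
    """Constructed sample: a 20-byte TCP header with SYN set, plus options."""
    assert len(options) % 4 == 0
    offset_words = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0,
                       offset_words << 4, 0x02, 8192, 0, 0) + options

def parse_tcp_options(hdr: bytes):
    """Return [(kind, value_bytes), ...] from a raw TCP header."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    end = (hdr[12] >> 4) * 4            # data offset, in bytes
    if end < 20 or end > len(hdr):
        raise ValueError("bad data offset")
    raw, i, opts = hdr[20:end], 0, []
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                 # end of option list
            break
        if kind == NOP:                 # single-byte option, no length field
            opts.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option")
        opts.append((kind, raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts

def check_syn(hdr: bytes, threshold: int = 4):
    """Flag a SYN whose options contain `threshold` or more NOPs in a row."""
    opts = parse_tcp_options(hdr)
    best = run = 0
    for kind, _ in opts:
        run = run + 1 if kind == NOP else 0
        best = max(best, run)
    return {"options": [NAMES.get(k, f"kind {k}") for k, _ in opts],
            "nop_run": best,
            "suspect": bool(hdr[13] & 0x02) and best >= threshold}

# Constructed option bytes: MSS, NOP, WScale, NOP, NOP, SACK-permitted ...
CLEAN = bytes.fromhex("020405b40103030801010402")
# ... and the same SYN after a device overwrote SACK-permitted with NOPs.
STRIPPED = bytes.fromhex("020405b40103030801010101")
```

Running `check_syn(build_syn(CLEAN))` and `check_syn(build_syn(STRIPPED))` on captures taken on both sides of the firewall shows whether the option list changes in transit.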