This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

All re-transmissions coming from a single source going in one direction.

0

WE have a very large enterprise application located in a data-center in Boston. Users are all over the State (WAN MPLS). In analyzing a WireSherk Trace at several clients, the source of all of the transmissions was a load balancer (software CISCO 6509) that front end three Apache servers that distribute the database request into a multi-tier environment. All the re-transmission are indeed retransmissions from this one load balance device (Cisco 6509E). The re-transmissions coming from this load-balancer represent about 1.5% of all the traffic in this capture. Does the fact that all these re-transmission are coming from a single device only and not coming back the other way mean that its the device itself rather than something along the way? If there was congestion along the way then then it would be seen in both directions.

alt text

asked 02 Oct '13, 16:52

Zoberist's gravatar image

Zoberist
0778
accept rate: 0%

1

Have you traced each leg between the 6509 and an example client? Does the client get the initial TCP message (and if not, between what two points in the network is it lost)? Does the client send an acknowledgement? Does the acknowledgement get to the 6509 (and if not, at what point is it lost)?

The fact that it is the one load balancer that is sending the retransmissions doesn't necessarily place the blame on the load balancer. I had a similar scenario recently actually where the cause was TCP sessions which would be completely idle without keepalives for hours, causing their sessions to clear from the state table of a firewall in between (causing retransmissions on one side when its mid-session packets were silently dropped in the middle, meanwhile the receiver never saw them).

That's just an example but the point is no, the fact that the 6509 is retransmitting doesn't mean it's the source of the problem. You need to trace it out and apply your understanding of the network topology at hand.

(02 Oct '13, 21:12) Quadratic

Thank you very much .... this is an excellent answer.

(03 Oct '13, 16:13) Zoberist