This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MTU size on Windows machine caused retransmissions and eventual hang.

0
                          FIREWALL 
                        (Shorewall,                      <---------->192.168.0.21 [Linux]
  DSL Modem--->eth0<===> dnsmasq)  <==>eth1<===> 16-PORT <---------->192.168.0.22 [Win7]
                       192.168.0.1                HUB    <---------->192.168.0.xx [Linux]
                         [Debian]  <==>wlan0 -----------------------> misc.

From the configuration above, and the Wireshark output below, please tell me what's going on with the Win7 box at 192..22.

The Linux boxes work fine with SSH, SCP and the web. Oddly, no problem on the Win7 box with GMAIL. Other websites are slow (if they even load) on Win7 ONLY. If you enter a URL manually for Firefox on Win7, it will load a page fine.

1   0   '==internet=='  192.168.0.22            TCP62   62  https > 52701 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1460 WS=64
2   0.000373    192.168.0.22    '=internet='    TCP60   60  52701 > https [ACK] Seq=1 Ack=1 Win=16425 Len=0
3   0.000997    192.168.0.22    '=internet='    TLSv1   266 Client Hello
4   0.069747    '==internet=='  192.168.0.22    TCP54       [TCP Window Update] https > 52701 [ACK] Seq=1 Ack=1 Win=8128 Len=0
5   0.072857    '==internet=='  192.168.0.22    TCP54       http https > 52701 [ACK] Seq=1 Ack=213 Win=6912 Len=0
6   0.074068    '==internet=='  192.168.0.22    TLSv1   187 Server Hello, Change Cipher Spec, Encrypted Handshake Message
7   0.075121    192.168.0.22    '=internet='    TLSv1   101 Change Cipher Spec, Encrypted Handshake Message
8   0.075999    192.168.0.22    '=internet='    TLSv1   1441  Application Data
9   0.15997 '==internet=='  192.168.0.22        TCP54       http https > 52701 [ACK] Seq=134 Ack=1647 Win=9728 Len=0
10  0.250439    '==internet=='   192.168.0.22   TLSv1   363 [TCP Previous segment not captured] Ignored Unknown Record
11  0.251382    192.168.0.22    '=internet='    TCP60       [TCP Dup ACK 8#1] 52701 > https [ACK] Seq=1647 Ack=134 Win=16391 Len=0
12  0.274499    '==internet=='   192.168.0.22   TLSv1   1103    [TCP Previous segment not captured] Ignored Unknown Record
13  0.275628    192.168.0.22    '=internet='    TCP60       [TCP Dup ACK 8#2] 52701 > https [ACK] Seq=1647 Ack=134 Win=16391 Len=0
 . . .
29  0.390888    192.168.0.22    '=internet='    TCP60       [TCP Dup ACK 8#10] 52701 > https [ACK] Seq=1647 Ack=134 Win=16391 Len=0
30  0.399005    '==internet=='   192.168.0.22   TLSv1   1103    [TCP Retransmission] Ignored Unknown Record

asked 09 Feb '14, 12:05

kirby's gravatar image

kirby
0225
accept rate: 0%

edited 11 Feb '14, 14:12

grahamb's gravatar image

grahamb ♦
19.8k330206

Your question title mentiones http but the trace shows https. Based on the timing values (0.4 seconds) I don't see a general problem. So, what exactly is your problem/question?

(09 Feb '14, 12:33) Kurt Knochner ♦

@kirby

No need to modify the question title to add [Solved], accepting the answer informs other users that the question has been answered.

(11 Feb '14, 14:13) grahamb ♦

One Answer:

2

The problem is that the client never ACKs higher than 134. Note that the largest tcp,len of inbound packets is 1443.

Looking at the - missing - packets in shark-kd.pcapng it's clear that none of the full sized 1460 MSS segments make it to the client and the server never reduces the MTU size (which it normally would if PMTUD would work). So the server is retransmitting the 1460 segments to no avail. alt text

This is an example where PMTU discovery is not working correctly and the MSS is not adjusted to the real end to end available MTU size.

My suggestion would be to reduce the MTU size on your Win7 interface to 1484 to avoid this problem

answered 10 Feb '14, 22:14

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

edited 11 Feb '14, 10:49

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142

Thanks mrEEde! Win7's MTU was the problem.

(11 Feb '14, 10:34) kirby

It the question is answered, please "accept" the answer so it can be closed, thanks!

(11 Feb '14, 10:44) mrEEde

I don't see an "accept" button.

BTW MS has a page on PMTU:

(11 Feb '14, 11:02) kirby