
I have an issue where I have VMware hosts that are connected to 2 switches (not connected to each other at this point) that are connected to a Fortigate firewall w/ a software switch. The software switch has VLAN interfaces that serve as the default gateway for the associated networks.

For traffic between the networks I am seeing many, many TCP errors of out-of-order, dup ACK and retransmissions.

Example:

VM1 sends an LDAP SYN to VM2. I immediately get three out-of-order errors, then a SYN, ACK from VM2 to VM1, followed by three more out-of-order errors. This also occurs with the errors being retransmissions and dup ACKs.

Thoughts?

asked 22 Apr '14, 12:22

tim5700


Thoughts?

Sounds like you are capturing the frames twice, which confuses Wireshark. Please add more details about your setup and where you actually captured the frames.

BTW: What kind of 'software switch' are you using? Is this a VMware vSwitch or something different?

Regards
Kurt


answered 23 Apr '14, 12:02

Kurt Knochner

My servers at this location are all VMware guests. My VMware hosts are connected to 1 Cisco 3750-x stack w/ two members and a Cisco 3850 stack w/ two members.

The two Cisco stacks are not trunked to one another. There is a Fortigate 1500D that both stacks connect to. The Fortigate contains the software switch I am referring to. Within the Fortigate, there are multiple VLAN interfaces with IP addresses. Then the Fortigate's internal routing takes care of inter-subnet connectivity.

The packet capture in question was taken directly from the Fortigate.

(23 Apr '14, 12:14) tim5700

Like this?

VM -- Cisco -- [VLAN If] Fortinet [VLAN If] --- Cisco -- VM

Furthermore:

The packet capture in question was taken directly from the Fortigate.

can you please capture within the VMs or even better on a mirror port of the switch and then compare the results?

(23 Apr '14, 12:21) Kurt Knochner ♦

This is resolved.

In my packet captures I was really focused in on LDAP queries as this was really, really hindering my AD traffic. So looking at the packet captures from the server I saw the following:

Server sends a SYN
After 3 seconds the server sends another SYN
After 3 seconds the server sends another SYN
After 3 seconds the server sends another SYN
THEN gets a SYN, ACK
Then traffic flows

So and so forth.

The same pattern shows up capturing from the SPAN port on the firewall's connection. However, it DOES NOT show up in the Fortigate's capture at all.

Here's the fix. In Server 2012, MS has set ECN to be enabled by default. The Fortigate is blackholing the TCP SYN packets flagged with ECN. Eventually, Windows gives up and stops trying to use ECN.

Disable it with:

Netsh interface tcp set global ecncapability=disabled


answered 01 May '14, 19:19

tim5700
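The SYN pattern described in the accepted answer can be checked mechanically rather than by eye. The following is an added example (not code from the thread or from Fortinet/Microsoft): it parses raw TCP headers from a constructed capture, groups SYNs per client flow, and flags flows whose ECN-setup SYNs (SYN with ECE and CWR set) were never answered and only connected once the client fell back to a plain SYN. Packet tuples, addresses and ports are constructed sample data.

```python
import struct
from collections import defaultdict

# TCP flag bits in header byte 13; ECE and CWR are the ECN flags (RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header carrying the given flags (constructed data)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def find_ecn_syn_blackholes(packets):
    """packets: iterable of (time_s, src_ip, dst_ip, tcp_header_bytes). Returns
    {client_4tuple: report} for flows whose ECN SYNs went unanswered until a plain SYN."""
    flows = defaultdict(lambda: {"ecn": [], "plain": [], "synack": []})
    for t, src, dst, hdr in packets:
        sport, dport = struct.unpack("!HH", hdr[:4])
        flags = hdr[13]
        if flags & SYN and flags & ACK:
            flows[(dst, dport, src, sport)]["synack"].append(t)  # key from client side
        elif flags & SYN:
            kind = "ecn" if flags & ECE and flags & CWR else "plain"
            flows[(src, sport, dst, dport)][kind].append(t)
    reports = {}
    for key, f in flows.items():
        if not f["ecn"]:
            continue  # client never offered ECN on this flow
        first_plain = f["plain"][0] if f["plain"] else float("inf")
        if any(f["ecn"][0] < sa < first_plain for sa in f["synack"]):
            continue  # an ECN SYN was answered, so ECN passes on this path
        reports[key] = {
            "ecn_syn_attempts": len(f["ecn"]),
            "retry_gaps_s": [round(b - a, 3) for a, b in zip(f["ecn"], f["ecn"][1:])],
            "plain_syn_answered": any(sa > first_plain for sa in f["synack"]),
        }
    return reports

# Constructed capture as seen from VM1: three ECN SYNs to LDAP (389) go unanswered,
# the fourth, plain SYN gets a SYN/ACK at once; a second non-ECN flow is healthy.
VM1, VM2 = "10.0.1.10", "10.0.2.20"
SAMPLE = [
    (0.000, VM1, VM2, tcp_header(49152, 389, SYN | ECE | CWR)),
    (3.000, VM1, VM2, tcp_header(49152, 389, SYN | ECE | CWR)),
    (6.000, VM1, VM2, tcp_header(49152, 389, SYN | ECE | CWR)),
    (9.000, VM1, VM2, tcp_header(49152, 389, SYN)),
    (9.001, VM2, VM1, tcp_header(389, 49152, SYN | ACK)),
    (9.500, VM1, VM2, tcp_header(49153, 445, SYN)),
    (9.501, VM2, VM1, tcp_header(445, 49153, SYN | ACK)),
]
REPORT = find_ecn_syn_blackholes(SAMPLE)  # flags only the LDAP flow
```

In Wireshark the same candidate SYNs can be isolated with the display filter `tcp.flags.syn==1 && tcp.flags.ecn==1 && tcp.flags.cwr==1`; if they appear in a VM-side or SPAN capture but not in the firewall's own capture, the firewall is dropping them before its capture point, as in this thread.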

tim5700,

can't appreciate your solution enough!

Thanks man

couldn't thumb up

(21 Oct '14, 01:21) if0else0