I have an issue where I have VMware hosts that are connected to 2 switches (not connected to each other at this point) that are connected to a Fortigate firewall with a software switch. The software switch has VLAN interfaces that serve as the default gateway for the associated networks.
For traffic between the networks I am seeing many, many TCP errors of out-of-order, dup ack and retransmissions.
VM1 sends an LDAP SYN to VM2. I immediately get three out-of-order errors, then a SYN, ACK from VM2 to VM1, followed by three more out-of-order errors. This also occurs with the errors being retransmissions and dup acks.
asked 22 Apr '14, 12:22
Sounds like you are capturing the frames twice, which confuses Wireshark. Please add more details about your setup and where you actually captured the frames.
BTW: What kind of 'software switch' are you using? Is this a VMware vSwitch or something different?
answered 23 Apr '14, 12:02
Kurt Knochner ♦
This is resolved.
In my packet captures I was really focused in on LDAP queries as this was really, really hindering my AD traffic. So looking at the packet captures from the server I saw the following:
Server sends a SYN.
After 3 seconds the server sends another SYN.
After 3 seconds the server sends another SYN.
After 3 seconds the server sends another SYN.
THEN gets a SYN, ACK.
Then traffic flows.
And so forth.
The same pattern shows up capturing from the SPAN port on the firewall's connection. However, it DOES NOT show up in the Fortigate's capture at all.
Here's the fix. In Server 2012, MS has set ECN to be enabled by default. The Fortigate is blackholing the TCP SYN packets flagged with ECN. Eventually, Windows gives up and stops trying to use ECN.
Disable it with:
Netsh interface tcp set global ecncapability=disabled
answered 01 May '14, 19:19
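One way to check a capture for the pattern this answer describes (ECN-flagged SYNs retransmitted every few seconds until Windows falls back to a plain SYN, which is then answered). This is an added example, not code from the original thread; the hosts, addresses and packet timings are constructed, and the packets are modelled as (timestamp, src, dst, tcp_flags) tuples as a capture tool would hand them back:

```python
"""Spot the ECN-SYN blackhole pattern from this thread in capture data.
Constructed example, not from the original Q&A: packets are modelled as
(timestamp, src, dst, tcp_flags) tuples as a capture tool would return."""
from collections import defaultdict

# TCP flag bits in header order; ECE and CWR were added by RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def is_ecn_setup_syn(flags):
    """SYN with ECE and CWR set, ACK clear: the client is requesting ECN.
    Wireshark: tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.flags.ecn==1 && tcp.flags.cwr==1"""
    return flags & (SYN | ACK | ECE | CWR) == (SYN | ECE | CWR)

def analyze_handshakes(packets):
    """Per client->server pair: ECN vs plain SYN counts, handshake delay, and whether it
    matches the blackhole signature (ECN SYNs retried, success only after a plain SYN)."""
    flows = defaultdict(lambda: {"ecn_syns": 0, "plain_syns": 0,
                                 "first_syn": None, "synack": None})
    for ts, src, dst, flags in sorted(packets):
        if flags & SYN and not flags & ACK:          # client SYN
            f = flows[(src, dst)]
            if f["first_syn"] is None:
                f["first_syn"] = ts
            f["ecn_syns" if is_ecn_setup_syn(flags) else "plain_syns"] += 1
        elif flags & SYN and flags & ACK:            # server SYN-ACK
            f = flows[(dst, src)]
            if f["synack"] is None:
                f["synack"] = ts
    report = {}
    for key, f in flows.items():
        done = f["synack"] is not None and f["first_syn"] is not None
        report[key] = {
            "ecn_syns": f["ecn_syns"], "plain_syns": f["plain_syns"],
            "handshake_delay": round(f["synack"] - f["first_syn"], 3) if done else None,
            "ecn_blackhole": f["ecn_syns"] >= 2 and (f["plain_syns"] >= 1 or not done),
        }
    return report

DC, APP = "10.0.10.5", "10.0.20.8"    # constructed hosts on the two VLANs
SYN_ECN = SYN | ECE | CWR
SAMPLE = [                             # constructed, mirrors the thread's pattern
    (0.000, DC, APP, SYN_ECN),         # ECN-setup SYN, dropped by the firewall
    (3.001, DC, APP, SYN_ECN),         # retransmitted after 3 s, dropped again
    (6.002, DC, APP, SYN_ECN),         # and again
    (9.003, DC, APP, SYN),             # Windows gives up on ECN: plain SYN
    (9.004, APP, DC, SYN | ACK),       # the handshake finally completes
    (0.500, APP, DC, SYN),             # unrelated flow that never asked for ECN
    (0.501, DC, APP, SYN | ACK),
]
```

Running analyze_handshakes(SAMPLE) flags the DC -> APP flow (three ECN SYNs, one plain SYN, about 9 s to complete) and leaves the plain flow alone; a flow that shows ECN SYNs but never a SYN-ACK is also flagged.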