This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm a little lost, as I'm not sure what exactly the issue is. Wireshark Snippet <-- Here is a snippet of some of the data I got from my Wireshark capture. This capture was from the Windows server cluster to a laptop outside our network connected through our VPN. No matter the user (admin privileged or not), or the location, they cannot access these drives remotely. Any ideas? The firewall isn't detecting anything being blocked when I search through the logs.

asked 12 Sep '14, 11:30

TheCarefulOne

After the three-way handshake the next packet is usually an SMB Negotiate Protocol message from the PC to the server. Probably the best thing to do is collect matching traces from the PC and the server. Wireshark may not be able to capture traffic along the VPN. If this is the case you can use Microsoft Network Monitor.

Best regards...Paul

(14 Sep '14, 01:27) PaulOfford

As Paul indicated, the next thing to occur would be some data packets from the client.
As they don't show up at the server they were either not sent or dropped in the network.
Assuming that the client sent the SMB message (which is yet to be proven) I think the packet was dropped in the network.
If this only happens over VPN it is probably an MTU size, fragmentation, or PMTUD problem.

The inbound SYN shows that the MSS has been reduced to 1360 bytes indicating that the MTU size within the VPN is 1400 bytes and the VPN router adjusted the MSS in the passing SYN packet.
The outbound offering is still at 1460 as the trace was taken at the server.
If the MSS does not get tcp adjust-mss'ed on the reverse path you might end up in hung connections for the first full MSS packet that hits the VPN entry point.

You might want to reduce your server's interface MTU size to 1400 to see if this gets you around this problem.
Regards Matthias

answered 16 Sep '14, 07:15

mrEEde

Thanks for the suggestion. MTU size was 1500, 1400 worked when I tested with sending packets of that size. The SMB packets are indeed getting dropped as well.

When I do dcdiags and repadmin /binds, I get RPC errors, so I think it could be related to that as well. However, all the services seem to be running correctly.

(16 Sep '14, 11:50) TheCarefulOne
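
The MSS comparison from mrEEde's answer, as an added example that is not part of the original thread: it reads the MSS option from the inbound SYN seen at the server and from the SYN/ACK as a client-side trace would show it, then reports whether the client's first full-size segment would exceed the tunnel MTU. The function names, the constructed headers and the 40-byte IPv4+TCP overhead (no IP or TCP options on data packets) are assumptions of this example.

```python
import struct

IP_TCP_OVERHEAD = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header

def mss_option(tcp_header: bytes):
    """Return the MSS (TCP option kind 2) from a raw TCP header, or None."""
    header_len = (tcp_header[12] >> 4) * 4        # data offset, in bytes
    opts, i = tcp_header[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def check_reverse_clamp(syn_at_server: bytes, synack_at_client: bytes):
    """Compare the clamped inbound SYN with the SYN/ACK as the client saw it."""
    tunnel_mtu = mss_option(syn_at_server) + IP_TCP_OVERHEAD
    full_packet = mss_option(synack_at_client) + IP_TCP_OVERHEAD
    return {
        "tunnel_mtu": tunnel_mtu,            # inferred from the clamped MSS
        "client_full_packet": full_packet,   # largest packet the client may send
        "at_risk": full_packet > tunnel_mtu, # MSS not adjusted on reverse path
    }

def build_header(flags: int, mss: int) -> bytes:
    """Constructed sample header: MSS, NOP, NOP, SACK-permitted; ports arbitrary."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    return struct.pack("!HHIIBBHHH", 49152, 445, 0, 0,
                       ((20 + len(opts)) // 4) << 4, flags, 8192, 0, 0) + opts

SYN, SYN_ACK = 0x02, 0x12
inbound = build_header(SYN, 1360)          # constructed: SYN as seen at the server
unclamped = build_header(SYN_ACK, 1460)    # constructed: SYN/ACK at client, not adjusted
clamped = build_header(SYN_ACK, 1360)      # constructed: SYN/ACK at client, adjusted
if __name__ == "__main__":
    print(check_reverse_clamp(inbound, unclamped))
    print(check_reverse_clamp(inbound, clamped))
```

The client-side header is what the matching trace suggested in Paul's comment would supply; the server-side capture alone cannot show whether the 1460 offer was adjusted in transit.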