I have a device on my network trying to connect to a remote server but is failing to do so. I have taken the device off-site and it will connect, so I believe I have an issue with my firewall but can't pin point my issue. I am seeing a lot of TCP Retransmissions and TCP Dup Acks in my capture. https://www.dropbox.com/s/srv5tlg1jy93bbz/egress.pcap?dl=0
This device connected properly before but now is unable to. Any help would be appreciated.
asked 26 Jan '15, 13:50
In your capture file the content of the TCP session is not SSL, what kind of protocol is it? Do you have a NextGen firewall that does protocol inspection? Then most likely it is blocking the packets from your device as it is not SSL.
You will need to add a new outgoing rule for your device where you disable protocol inspection or better yet, make it inspect the traffic as the protocol that it is using.
answered 26 Jan '15, 15:36
It looks like 126.96.36.199 is the client (on your network/?/) and 188.8.131.52 is the off-site server.
Assuming that is the case, it looks like this capture may have been taken from some intermediary device, since the TTL for packets from 184.108.40.206 is 62.
First thing to note, is that it looks like the incoming packets from 220.127.116.11 are not being passed to the actual client.
Note the pattern that begins with frame#4
frame#4 18.104.22.168 >> 22.214.171.124 Seq=1106885107 Ack=496659091 Len=16
frame#5 126.96.36.199 >> 188.8.131.52 Seq=496659091 Ack=1106885123 Len=0 (ACK for segment in frame #4)
frame #6 184.108.40.206 >> 220.127.116.11 Seq=496659091 Ack=1106885123 Len=28 (expecting ACK# 496659119)
frame #7-10 [Server Retransmission of frame #6]
frame #11 18.104.22.168 >> 22.214.171.124
frame #12 126.96.36.199 >> 188.8.131.52
frame #13 184.108.40.206 >> 220.127.116.11 Seq=1106885123 Ack=496659091 Len=16 (Retransmission of frame #11 ~230ms later (looks like an RTO)) This suggests, again, that server segments are not being forwarded to the client.
frame #14 18.104.22.168 >> 22.214.171.124 Seq=496659119 Ack=1106885139 Len=0 (ACK for frame #11 with SACK options) SLE=1106885123 SRE=1106885139 (Suggests that server never saw frame #4 (missing segment )
frame #15 126.96.36.199 >> 188.8.131.52 Seq=1106885123 Ack=496659091 Len=16 (Retransmission of frame #11 - Already ACK'd twice by the server (looks like another RTO)
It appears that RTO driven retransmissions of this frame continue in frames 18, 20, 23, 26, and 29. Each time, the server continues to ACK the segment, with the later segments also including SACK options to indicate that the server never saw frame #4.
At first glance, it appears that a device is not forwarding the traffic from the server to the client.
(didn't have time to dig out the details of why the RST is occurring, exaclty, but I hope this helps)
answered 26 Jan '15, 16:22