This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Dup Ack. TCP Retransmission

0

Clients on the network are complaining that a lot of the time, when they try to open a web page, their browser times out. Usually, if they hit refresh, the page will load. I've performed speed tests, ping tests, and DNS tests. They all come back good. I downloaded Wireshark and ran a trace while trying to access the Internet. I get a lot of TCP Dup ACK and TCP Retransmissions. The trace file can be found at http://pcc-tech.com/wireshark/file3.pcapng

Any ideas?

asked 11 Jun '15, 14:12


Tim Sanders

edited 11 Jun '15, 14:13


One Answer:

1

The trace shows a lot of SYN retransmissions that would show up as a connection timeout in the browser.
In the example below the SYN packets to 162.159.242.165 (ask.wireshark.org) don't get a reply whereas the subsequent SYN packets to 162.159.241.165 go through immediately.
22 seconds later the SYN packets to 162.159.242.165 also get through immediately. Assuming that both servers were available at the time, I suspect it is the router 192.168.0.254 that blocks the new connections intentionally.


The duplicate acknowledgements are due to out-of-order arrival or packet loss.

answered 12 Jun '15, 01:30


mrEEde

edited 12 Jun '15, 01:48

I've tried two different routers. Although I haven't run a trace using the second router, the users get the same symptoms.

(12 Jun '15, 04:07) Tim Sanders

Then you should be talking to your OfficeScan administrators and have them check the logs. If that doesn't show anything suspicious, you will need to start tracing in the router to see if the SYN requests made it into the WAN.

(12 Jun '15, 05:39) mrEEde
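
The pattern described in the answer (SYNs retransmitted without a SYN-ACK to one address while another answers at once) can be summarised per server from exported packet records. This is an added example, not part of the original thread; the record layout, the client address 192.168.0.10, the ports and the timings are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (time_s, src, sport, dst, dport, flags).
# "S" = SYN, "SA" = SYN-ACK. Not taken from the trace file in the question.
PACKETS = [
    (0.00, "192.168.0.10", 50001, "162.159.242.165", 80, "S"),
    (3.00, "192.168.0.10", 50001, "162.159.242.165", 80, "S"),   # retransmitted SYN
    (3.10, "192.168.0.10", 50002, "162.159.241.165", 80, "S"),
    (3.12, "162.159.241.165", 80, "192.168.0.10", 50002, "SA"),  # answered at once
    (9.00, "192.168.0.10", 50001, "162.159.242.165", 80, "S"),   # retransmitted again
    (22.00, "192.168.0.10", 50003, "162.159.242.165", 80, "S"),
    (22.02, "162.159.242.165", 80, "192.168.0.10", 50003, "SA"),
]

def syn_report(packets):
    """Group SYNs by connection 4-tuple and note when a SYN-ACK came back."""
    conns = defaultdict(lambda: {"syn_times": [], "synack_time": None})
    for t, src, sport, dst, dport, flags in sorted(packets):
        if flags == "S":
            conns[(src, sport, dst, dport)]["syn_times"].append(t)
        elif flags == "SA":
            key = (dst, dport, src, sport)  # reverse direction of the SYN
            if key in conns and conns[key]["synack_time"] is None:
                conns[key]["synack_time"] = t
    return dict(conns)

def unanswered(packets):
    """Map each connection that never got a SYN-ACK to its SYN retransmission count."""
    return {k: len(v["syn_times"]) - 1
            for k, v in syn_report(packets).items() if v["synack_time"] is None}

def per_server(packets):
    """Per destination address: answered and unanswered attempts, SYN retransmissions."""
    stats = defaultdict(lambda: {"answered": 0, "unanswered": 0, "syn_retrans": 0})
    for (_, _, dst, _), v in syn_report(packets).items():
        s = stats[dst]
        s["answered" if v["synack_time"] is not None else "unanswered"] += 1
        s["syn_retrans"] += len(v["syn_times"]) - 1
    return dict(stats)

if __name__ == "__main__":
    for dst, s in sorted(per_server(PACKETS).items()):
        print(dst, s)
```

Running the same summary on captures from both the LAN and the WAN side of the router shows whether the unanswered SYNs ever left the network.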