This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cannot access login.live.com - "Reassembly error, protocol TCP: New fragment overlaps…"

0

Hi,

I have an issue with a client who has a server hosted with a third party provider. They recently had their server moved (still within the same company) as they needed the server to be under their own account and not their old IT provider's account. Ever since the migration, the customer cannot access Hotmail. I have tried Gmail and AOL and a bunch of other HTTPS sites but for some reason I can only find an issue with them accessing Hotmail. What is happening is when they go to Hotmail, they are redirected to login.live.com (as you'd expect) but accessing the page is intermittent and so far I have not been able to log in successfully once. I have run Wireshark and followed the TCP stream for this particular conversation but I am unsure what the output actually means. I see we get a packet that says [TCP Retransmission] and then after that the connection is reset.

Any help on this would be fantastic please.

asked 22 Jun '15, 10:22

jonathanbaird

edited 23 Jun '15, 12:03

cmaynard ♦♦

Do I understand right, that you are connected to a totally wrong destination?

(22 Jun '15, 12:13) Christian_R

2 Answers:

0

Kurt,

Thanks for your response. It turns out that the server NIC had TCP offloading enabled which was causing the issues. Disabling this resolved the issue immediately. Very odd! Thanks for your help anyway.

Jonathan.

answered 24 Jun '15, 03:57

jonathanbaird

1

Your screenshot shows an HTTPS session to the IP 131.253.61.82, which is one of the IPs of login.live.com, so at least you are talking to the right server. However, the problem with your capture file is that there is (most certainly) TCP segment offloading enabled on the server (frames > 1500 bytes), which makes it hard to do any TCP sequence analysis, especially based on a screenshot.

> but accessing the page is intermittent and so far I have not been able to log in successfully once.

What do you mean by that? You enter the user credentials, and then page loading stalls, or do you get an error message?

If it's an error message: What's the message?

If that page stalls, my best guess would be that there is some kind of security software on that system (AV, Endpoint Security, etc.) that hooks itself into the data stream to scan internet downloads and something goes wrong. Please check that and disable any security software for another test with Hotmail.

Regards
Kurt

answered 22 Jun '15, 16:37

Kurt Knochner ♦

Kurt,

Thanks for your reply. Yes indeed I do get to the correct server, the issue is that when I type ANY login details to log in I just get a "no response from server" in Chrome and similar messages in Firefox and IE. Sophos was installed on this PC but this has been completely uninstalled and there is no other AV running on here.

I'll check if there is any other security related software running and see if I can disable this. It is just very odd that it only happens with login.live.com.

P.S. Where did you see the destination IP!? I thought I'd removed everything - purely for confidentiality that's all! :)

(23 Jun '15, 01:17) jonathanbaird

He got the IP from the hex view.

(23 Jun '15, 01:29) Christian_R

Well, if it's not security software on your system, it could be a security device (firewall) in the network. Did you check that as well?

(23 Jun '15, 11:05) Kurt Knochner ♦
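
The sign Kurt's answer relies on, frames larger than 1500 bytes in a capture taken on the host itself, can be checked across a whole capture file. The following is an added example, not part of the original thread: it assumes a classic little-endian pcap with Ethernet framing and a standard 1500-byte MTU, and the function names and sample frames are constructed for illustration.

```python
import struct

MTU = 1500  # assumption: standard Ethernet MTU, no jumbo frames

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap (constructed input)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def tcp_frame(payload_len):
    """Constructed Ethernet/IPv4/TCP frame using documentation addresses."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0x4000, 64, 6,
                     0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + bytes(payload_len)

def offload_suspects(pcap, mtu=MTU):
    """Return (frame_no, ip_len) for IPv4 frames larger than the MTU."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    if struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    hits, off, no = [], 24, 0
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        no += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over untagged Ethernet
        total_len = struct.unpack_from("!H", frame, 16)[0]
        # Some offload captures carry a zero total-length field; use the wire length
        ip_len = total_len or (orig - 14)
        if ip_len > mtu:
            hits.append((no, ip_len))
    return hits

# Constructed sample: TCP payloads of 100, 2920, 1460 and 4380 bytes
SAMPLE = build_pcap([tcp_frame(n) for n in (100, 2920, 1460, 4380)])

if __name__ == "__main__":
    for no, ip_len in offload_suspects(SAMPLE):
        print(f"frame {no}: IP length {ip_len} > MTU {MTU}, capture point sees offloaded segments")
```

Hits mean the capture was taken above the NIC's segmentation, so the frames do not match what was on the wire; capturing from a mirror port or with offloading disabled gives a trace that sequence analysis can rely on.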