We are experiencing an issue when uploading a file to an sFTP server. Most of the time the upload is a success; however, occasionally it fails. Running Wireshark, we discovered we are sending a SYN frame and receiving a RST,ACK seemingly from the destination (but I have doubts about that). Looking at the failed trace, I see where we try to establish a connection multiple times before giving up. One thing I note as odd is the response time between frames: they're approximately 0.000733 seconds on the failed connection. For the successful connection the response times are approximately 0.031923 seconds. I've included a screenshot of both the failure and success.
[ Source Server ] ---- [ Web Filter (only port 80) ] ---- [ ASA w/ IPS Module ] ---- [ Link Balancer ] ---- [ Internet ] ---- [ Destination ]
asked 30 Jul '15, 05:19
Hi, I can't remember that I have seen a packet like Frame #7 (SYN,ECN,CWR), and maybe your FW/IPS hasn't either. So if I were you, I would take a trace at the last point of my network, so that I can see if the packet left my network correctly.
OK, at least I found that the SYN in frame 7 is correct; see here: https://tools.ietf.org/html/rfc3168
Also, it can be seen that Frame 7 starts with the RFC 3168 feature, then goes back to RFC 1323 and ends in the old TCP SYN request. This is like a normal behaviour. So I guess that the most probable cause for the failure is in or next to your FW or IPS (maybe it is a bug of this device).
See similar question here: https://ask.wireshark.org/questions/29758/syn-with-ecn-flag-set-on-certain-port-number
answered 30 Jul '15, 11:52
edited 31 Jul '15, 01:22
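The timing comparison from the question and the ECN-setup SYN from the answer, as an added example that is not part of the original thread: it pairs each SYN with its reply, labels RFC 3168 ECN-setup SYNs, and flags resets that come back far faster than a completed handshake. The addresses, ports, packet list, the 0.25 ratio and the function names are assumptions constructed for illustration; only the two response times come from the question.

```python
# Added example: constructed packet summaries, not data from the original trace.
SYN, RST, ACK, ECE, CWR = 0x02, 0x04, 0x10, 0x40, 0x80   # TCP flag bits
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"  # documentation addresses (assumed)

# (time_s, src, dst, client_port, tcp_flags) -- constructed sample
PACKETS = [
    (0.000000, CLIENT, SERVER, 50001, SYN | ECE | CWR),
    (0.000733, SERVER, CLIENT, 50001, RST | ACK),
    (0.500000, CLIENT, SERVER, 50001, SYN),
    (0.500733, SERVER, CLIENT, 50001, RST | ACK),
    (5.000000, CLIENT, SERVER, 50002, SYN | ECE | CWR),
    (5.031923, SERVER, CLIENT, 50002, SYN | ACK),
]


def syn_attempts(packets, client):
    """Pair each client SYN with the first reply seen on the same client port."""
    attempts, pending = [], {}
    for t, src, dst, port, flags in packets:
        if src == client and flags & SYN and not flags & ACK:
            # An RFC 3168 ECN-setup SYN carries both ECE and CWR.
            kind = "ecn-setup" if flags & ECE and flags & CWR else "plain"
            pending[port] = {"port": port, "kind": kind, "sent": t,
                             "reply": None, "rtt": None}
            attempts.append(pending[port])
        elif dst == client and port in pending:
            a = pending.pop(port)
            a["reply"] = "RST" if flags & RST else "SYN-ACK" if flags & SYN else "other"
            a["rtt"] = round(t - a["sent"], 6)
    return attempts


def near_resets(attempts, ratio=0.25):
    """Return RSTs that arrived much faster than the fastest completed handshake."""
    ok = [a["rtt"] for a in attempts if a["reply"] == "SYN-ACK"]
    if not ok:
        return []  # no successful handshake to use as a baseline
    baseline = min(ok)
    return [a for a in attempts
            if a["reply"] == "RST" and a["rtt"] < ratio * baseline]


if __name__ == "__main__":
    found = syn_attempts(PACKETS, CLIENT)
    for a in found:
        print(a)
    print("resets faster than the handshake RTT:", near_resets(found))
```

A reset that returns well inside the round-trip time measured on successful handshakes suggests it was generated by a device closer than the destination, which is what a capture at the network edge would confirm.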