Ports Reused / TCP Out of Order


I have an issue with two servers across a DMVPN. Backup software is failing. ICMP and traces all look good between them. No asymmetric routing. I ran a capture on the Core switch at one of the sites capturing traffic between the two hosts and I have attached a screenshot. Anything obvious standing out as it looks like something is wrong, but not entirely sure what.

If you look at the conversation between ports 52309 (client port) and 50008 (server port), starting from the 4th packet, every time the client sent a SYN (don't worry about ECN CWR flags), it got a SYNACK packet and then a TCP RST packet. What's funny is that the TCP RST packet has a strange sequence number (4274946776 or 0xfece82d8).

  • It feels like something closer to the client side blocks either the SYNACK or ACK.
  • The server side has some entity that sent the TCP RST, with a wrong sequence number.

If there is time information, that could be helpful.

Did you examine the "Port Reuse" fact?

(08 Nov '15, 10:14) Christian_R

Yes, saw the "Port reuse" message by Wireshark. Unclear whether it's a true "Port reuse" because we don't have the timing information and the absolute sequence number on the TCP SYN packet.

(08 Nov '15, 16:18) pktUser1001

@pktUser1001: The question was a little bit unclear. I originally meant @exit12. I apologize for that. But it is unclear to me, too, because we can see a SYN/ACK. My expectation is to see only a SYN and a RST.

(08 Nov '15, 22:25) Christian_R

@christian_r That's fine. We are on the same page that the problem (pcap snapshot) could be a little clearer :-)

(09 Nov '15, 09:50) pktUser1001

After reviewing the picture, I think Port Reuse is there, but it happens only as a follow-up. @exit12: Do you have an additional Layer 4 device (load balancer, firewall, ...) between the server and the capture point?

(09 Nov '15, 13:54) Christian_R
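
As an added example (not part of the thread and not any participant's code), here is a simplified Python check for the two symptoms discussed above: a SYN that reuses a 4-tuple with a new initial sequence number, and a RST whose sequence number does not continue the apparent sender's sequence space. The IP addresses, initial sequence numbers and the direction of the RST are constructed assumptions; only the two ports and the RST sequence number come from the post.

```python
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def analyze(packets):
    """Return (packet_no, finding, expected, seen) tuples for a list of packet dicts.

    Simplified heuristic: assumes in-order capture, no retransmissions.
    """
    next_seq = {}  # sender 4-tuple -> next sequence number that sender should use
    last_isn = {}  # sender 4-tuple -> ISN of its most recent SYN
    findings = []
    for no, p in enumerate(packets, start=1):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flags, seq = p["flags"], p["seq"]
        if "R" in flags:
            # A RST from the real endpoint continues that endpoint's sequence space.
            expected = next_seq.get(key)
            if expected is not None and seq != expected:
                findings.append((no, "rst_seq_mismatch", expected, seq))
            continue
        # Bare SYN on a known 4-tuple with a different ISN: ports reused.
        if "S" in flags and "A" not in flags:
            if key in last_isn and last_isn[key] != seq:
                findings.append((no, "port_reuse", last_isn[key], seq))
        if "S" in flags:
            last_isn[key] = seq
        # SYN and FIN each consume one sequence number, payload consumes len.
        consumed = p.get("len", 0) + ("S" in flags) + ("F" in flags)
        next_seq[key] = (seq + consumed) % MOD
    return findings


def pkt(src, sport, dst, dport, flags, seq):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq}


# Constructed sample: documentation addresses and made-up ISNs.
C, S = "192.0.2.10", "198.51.100.20"
PACKETS = [
    pkt(C, 52309, S, 50008, "S", 1000),
    pkt(S, 50008, C, 52309, "SA", 5000),
    pkt(S, 50008, C, 52309, "R", 4274946776),  # RST seq value from the post
    pkt(C, 52309, S, 50008, "S", 2000),        # same ports, new ISN
    pkt(S, 50008, C, 52309, "SA", 9000),
    pkt(S, 50008, C, 52309, "R", 4274946776),
]

if __name__ == "__main__":
    for finding in analyze(PACKETS):
        print(finding)
```

A RST flagged as `rst_seq_mismatch` is consistent with a device other than the endpoint having generated it, which is what the question about an intermediate Layer 4 device is probing.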