This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ports Reused / TCP Out of Order

0

Hi All,

I have an issue with two servers across a DMVPN. Backup software is failing. ICMP and traces all look good between them. No asymmetric routing. I ran a capture on the core switch at one of the sites, capturing traffic between the two hosts, and I have attached a screenshot. Is anything obvious standing out? It looks like something is wrong, but I'm not entirely sure what.

Many Thanks

asked 30 Oct '15, 03:25


exit12
11557
accept rate: 0%


One Answer:

0

If you look at the conversation between ports 52309 (client port) and 50008 (server port), starting from the 4th packet, every time the client sent a SYN (don't worry about the ECN CWR flags), it got a SYNACK packet and then a TCP RST packet. What's funny is that the TCP RST packet has a strange sequence number (4274946776 or 0xfece82d8).

  • It feels like something closer to the client side blocks either the SYNACK or the ACK.
  • The server side has some entity that sent the TCP RST, with the wrong sequence number.

If there is time information, that could be helpful.

answered 08 Nov '15, 06:54


pktUser1001
201495054
accept rate: 12%

Did you examine the "Port Reuse" fact?

(08 Nov '15, 10:14) Christian_R

Yes, saw the "Port reuse" message by Wireshark. Unclear whether it's a true "Port reuse" because we don't have the timing information and the absolute sequence number on the TCP SYN packet.

(08 Nov '15, 16:18) pktUser1001

@pktUser1001: The question was a little bit unclear. I originally meant @exit12. Apologies for that. But it is unclear to me, too, because we can see a SYN/ACK. My expectation is to see only a SYN and a RST.

(08 Nov '15, 22:25) Christian_R

@christian_r That's fine. We are on the same page that the problem (pcap snapshot) could be a little clearer :-)

(09 Nov '15, 09:50) pktUser1001

After reviewing the picture, I think Port Reuse is there, but it happens only as a follow-up. @exit12: Do you have an additional Layer 4 device (load balancer, firewall, ...) between the server and the capture point?

(09 Nov '15, 13:54) Christian_R
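
The two checks discussed in this thread (a repeated SYN on the same port pair with a new initial sequence number, and a RST whose sequence number does not follow from the sender's SYN/ACK) can be run over exported packet fields. This is an added example, not code from the thread participants or from Wireshark; the `Pkt` record, the `audit_handshakes` helper and the sample packets are constructed for illustration (only the ports and the RST sequence number come from the answer), and the check is simplified to the handshake phase.

```python
from collections import namedtuple

# Minimal per-packet record (hypothetical layout), using absolute sequence
# numbers, i.e. with Wireshark's relative sequence numbers turned off.
Pkt = namedtuple("Pkt", "src dst flags seq ack")

def audit_handshakes(pkts, client, server):
    """Return (packet_no, finding) for port reuse and odd RST sequence numbers.

    port_reuse: a SYN on the same port pair with a different ISN than the
    previous SYN (roughly what Wireshark labels "TCP Port numbers reused").
    rst_unexpected_seq: a RST whose seq is not the next sequence number the
    sending side established during the handshake.
    """
    findings = []
    next_seq = {}       # port -> next sequence number expected from that side
    client_isn = None
    for no, p in enumerate(pkts, 1):
        if {p.src, p.dst} != {client, server}:
            continue    # not part of the conversation under review
        if p.flags == "S":
            if client_isn is not None and p.seq != client_isn:
                findings.append((no, "port_reuse"))
                next_seq.clear()            # new attempt: drop old state
            client_isn = p.seq              # same ISN again = retransmission
            next_seq[p.src] = (p.seq + 1) % 2**32
        elif p.flags == "SA":
            next_seq[p.src] = (p.seq + 1) % 2**32
        elif "R" in p.flags:
            ok = p.seq == next_seq.get(p.src)
            findings.append((no, "rst_in_window" if ok else "rst_unexpected_seq"))
    return findings

CLIENT, SERVER = 52309, 50008
# Constructed sample: ISNs are invented; the first RST carries the
# sequence number quoted in the answer.
SAMPLE = [
    Pkt(CLIENT, SERVER, "S", 1000, 0),
    Pkt(SERVER, CLIENT, "SA", 5000, 1001),
    Pkt(SERVER, CLIENT, "R", 4274946776, 0),   # does not follow 5000 + 1
    Pkt(CLIENT, SERVER, "S", 9000, 0),         # same ports, new ISN
    Pkt(SERVER, CLIENT, "SA", 7000, 9001),
    Pkt(SERVER, CLIENT, "R", 7001, 0),         # consistent with the SYN/ACK
]

if __name__ == "__main__":
    for no, finding in audit_handshakes(SAMPLE, CLIENT, SERVER):
        print(no, finding)
```

A RST flagged as `rst_unexpected_seq` is a prompt to capture on both sides of any intermediate Layer 4 device and compare, since the sender's own stack would normally use a sequence number consistent with its SYN/ACK.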