This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Dup ACK and TCP Retransmission / RDP lags


Hello,

We have a strange behavior with an RDP setup and I hope somebody can help me :-) Situation:

A bunch of XP clients connect through a 50mbit/10mbit IPSEC VPN site2site (Sophos UTM both sides) to a remote site Windows RDS 2012R2 server (uplink with 300mbit up/down) through RDP running in a VMware 5.5 vSphere.

All users report random lags (keyboard keystrokes buffered, ...) at the same time. We double-checked all network devices and set up a new switch; the problem is still there. Today I collected two pcaps (one on an XP client and one server-side) to see what is happening there....

The client IP is 10.91.124.124 and the server IP is 10.191.124.202.

The user reported to me some timeframes where lags happened this morning: 10:32 / 10:58 / 11:11 / 12:02 / 12:46, all around 2-4 seconds. I tried to analyse the pcap; around these timeframes it always reports some TCP Dup ACK and TCP Retransmission. Is this the problem we have? It would be great if some pros could analyze my situation and maybe give me some advice. The OneDrive links to the pcaps are found here: Client and Server.

THANK YOU ALL!!! Cheers Marius

asked 04 Nov '15, 06:04

mabornma

edited 04 Nov '15, 06:54

Jasper

What kind of apps are they using on the server? Do they browse the internet? Do they play back some kind of videos?

(04 Nov '15, 06:47) Christian_R

Yes and yes, no limitations. Some Office and a heavy load tax accountant app.

(04 Nov '15, 07:03) mabornma

Is the problem a new one, more like an incident? Or is it more of a long-term problem?

(04 Nov '15, 07:19) Christian_R

It's a long-term problem.

(04 Nov '15, 07:24) mabornma

Ok, I have thought so.

(04 Nov '15, 07:36) Christian_R

At 10:32 I can see packet loss at the client side, and only a handful of retransmissions at the server side.

So something (hidden) causes the packet loss. Maybe you have to take an unfiltered capture (with care) at the server side. Maybe it sends more data out than we can see, due to filtering.

If more than this one client is affected, you could try turning off the Flash things in the browser. (But it is all just guessing.)

If I were you I would search for the point of packet loss by moving the capture point.

(04 Nov '15, 15:22) Christian_R
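
Added example, not part of the original thread: one way to line up the reported lag times with the loss indicators seen at each capture point, so the client-side and server-side captures can be read side by side as in the last comment. The row format (`HH:MM:SS kind`, one row per packet matching Wireshark's `tcp.analysis.duplicate_ack` or `tcp.analysis.retransmission` filters) and all sample rows are constructed assumptions, not data from the posted pcaps.

```python
from collections import Counter
from datetime import datetime, timedelta

# Lag times the user reported in the question (minute resolution).
REPORTED_LAGS = ["10:32", "10:58", "11:11", "12:02", "12:46"]

# Constructed sample rows (assumed export format, NOT from the posted pcaps).
CLIENT_ROWS = """
10:32:14 dup_ack
10:32:14 dup_ack
10:32:15 dup_ack
10:32:15 retransmission
10:45:02 dup_ack
10:58:40 dup_ack
10:58:41 retransmission
"""
SERVER_ROWS = """
10:32:15 retransmission
10:58:41 retransmission
11:30:00 retransmission
"""

def parse_rows(text):
    """Turn 'HH:MM:SS kind' rows into (datetime, kind) tuples."""
    events = []
    for line in text.strip().splitlines():
        stamp, kind = line.split()
        events.append((datetime.strptime(stamp, "%H:%M:%S"), kind))
    return events

def count_near(events, lag, slack_s=60):
    """Count events per kind from slack_s before the reported minute
    until slack_s after that minute ends (user clocks are imprecise)."""
    minute = datetime.strptime(lag, "%H:%M")
    start = minute - timedelta(seconds=slack_s)
    end = minute + timedelta(seconds=60 + slack_s)
    return dict(Counter(kind for ts, kind in events if start <= ts < end))

def compare(client_text, server_text, lags=REPORTED_LAGS):
    """Per reported lag time, the loss indicators at each capture point."""
    client, server = parse_rows(client_text), parse_rows(server_text)
    return {lag: {"client": count_near(client, lag),
                  "server": count_near(server, lag)} for lag in lags}

if __name__ == "__main__":
    for lag, sides in compare(CLIENT_ROWS, SERVER_ROWS).items():
        print(lag, "client:", sides["client"], "server:", sides["server"])
```

Running the same comparison against exports from each new capture point shows on which side of that point the indicators start to appear.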