This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Reason for RESET

0

Hi,

Could i know the reason for Reset below ?

my ip = 192.168.5.107 client ip = 10.12.229.56

I already inform client that the root cause for reset from their site but client inform that my device ( radware load balancer ) Reset the connection....... Below is the screenshot...

alt text

Client inform they the reset from our side as screenshot below shows ( highlight yellow ), yes we have radware device... Is the client finding is correct ? At that time we only capture at my side ( 192.168.5.107 )

alt text

asked 28 Jun '16, 23:49

suarez123's gravatar image

suarez123
19911
accept rate: 0%

edited 29 Jun '16, 03:53

sindy's gravatar image

sindy
6.0k4851

One Answer:

0

If a capture at your side indicates that you have received the RST, and the capture on the client side also indicates that they have received the RST, I would expect some policing equipment in between the two to reset the TCP session in both directions. So you should take two captures simultaneously (to be absolutely sure that you'd be analysing the same session) at client side and at your side, and if these captures confirm that both ends receive the RST, you would have to track down the device between them which kills the session.

answered 29 Jun '16, 00:48

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

I have moved the text and picture from your comment to the Question to save the page format.

Is the capture from which you've quoted the two screenshots taken between the client and the Radware load balancer or between the Radware load balancer and the server? If between Radware and server, can you capture simultaneously at both sides of the Radware, before bothering the client? The result will then tell you whether to concentrate on the Radware (if it sends RST to both ends of the TCP session) or whether to capture simultaneously at the client and at the client-facing side of the Radware to find out whether something between the client workstation and the Radware (e.g., the client's firewall) is sending RST bi-directionally.

(29 Jun '16, 04:03) sindy

hi, i capture form my server 192.168.5.107 need to capture at both side to know the root cause ?

(29 Jun '16, 21:53) suarez123

Ηι,

     client --- firewall --- internet --- radware --- server  
1.                                     ^           ^  
2a.          ^                         ^  
2b.          ^                                     ^  
3.           ^            ^

If you mean at both sides of Radware (client-facing and server-facing), then yes, start from simultaneous capture at points as per 1. above.

If simultaneous capture at points as per 1. shows that the RST comes from client side, you have to capture at points as per 2a or 2b, whatever is easier.

If simultaneous capture as per 2a or 2b confirms that the client does not send the RST but receives it, the customer will have to simultaneously capture at points as per 3.

The ultimate goal is to identify the box between the client and server which sends the RST to both ends.

(29 Jun '16, 22:07) sindy