This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am working on a problem wherein a web application is not working over VPN for some Windows 7 users. For others it just works fine. After going through the trace, one thing that looks suspicious is the client closing the connection with RST/ACK when the server is trying to push some more data. In a working capture this never happens. Can anyone shed some light on why this might be happening? Here is the trace file: https://www.cloudshark.org/captures/a093320deab9

Kind Regards.

asked 19 Jun '17, 21:08

Ravneet

The client side first attempts to finish the connection peacefully using FIN, indicating that it itself has nothing more to say, but then it sends a RST instead of ACKing the additional data from the server which it should normally keep accepting until the server would send its own FIN.

So can we be sure that it is really the client machine itself who sends this RST packet? Is the capture taken at the server side or at the client side? Is it at all possible for you to capture at the client machine or does the VPN interface not support capturing? I'd suspect some broken security software mid-path to send the RST in the name of the client. E.g., are the VPN client versions on the "working" and "not working" machines the same?

(20 Jun '17, 11:35) sindy

Thank you for looking into this. The capture has been taken on the client side. In fact, it's taken on the VPN interface itself. The VPN client version on all the working and non-working machines is the same. The difference between the non-working and working captures is that the client keeps on accepting data from the server, while in the non-working case it just finishes the connection.

(20 Jun '17, 12:06) Ravneet

Leaving the client side application itself off the question, in that case I can only think about

- different Windows 7 update levels and a bug in the TCP handling in some of them,
- some additional security software (firewall, antivirus) which exists at the "bad" machines and doesn't at the "good" ones.

In general, Wireshark shows you exactly what has happened but rarely why.

(20 Jun '17, 12:15) sindy

Yes, that is what I am focussing on now (Windows update, fw, av). Thank you for your help.

(20 Jun '17, 12:30) Ravneet
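
An added example, not part of the original thread: one way to flag the pattern discussed in the comments (an endpoint sends FIN, the peer keeps sending data, and the FIN sender answers with RST instead of ACK) when comparing working and non-working captures. The packet records, addresses and the `rst_after_fin` helper are constructed for illustration; in practice the records would be exported from the capture.

```python
from collections import namedtuple

# One record per TCP segment: time, "ip:port" source and destination,
# flag letters (S, F, R, P, A) and payload length in bytes.
Pkt = namedtuple("Pkt", "t src dst flags length")

def rst_after_fin(packets):
    """Find endpoints that sent FIN, then reset the connection after the
    peer sent more data (instead of ACKing it until the peer's own FIN)."""
    fin_sent = {}    # (fin_sender, peer) -> time the FIN was seen
    peer_data = {}   # (fin_sender, peer) -> bytes the peer sent after that FIN
    findings = []
    for p in packets:
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        # Data flowing towards an endpoint that has already sent FIN.
        if p.length and rev in fin_sent:
            peer_data[rev] += p.length
        if "R" in p.flags and fwd in fin_sent and peer_data[fwd] > 0:
            findings.append({"endpoint": p.src,
                             "fin_at": fin_sent.pop(fwd),
                             "rst_at": p.t,
                             "peer_bytes_after_fin": peer_data.pop(fwd)})
        elif "F" in p.flags and fwd not in fin_sent:
            fin_sent[fwd] = p.t
            peer_data[fwd] = 0
    return findings

# Constructed sample flows (documentation addresses, not the poster's trace).
C1, C2, S = "10.8.0.5:49200", "10.8.0.5:49201", "192.0.2.10:443"
BAD = [Pkt(0.000, C1, S, "PA", 300), Pkt(0.060, S, C1, "PA", 1400),
       Pkt(0.061, C1, S, "A", 0),    Pkt(0.100, C1, S, "FA", 0),
       Pkt(0.150, S, C1, "PA", 1400), Pkt(0.151, C1, S, "RA", 0)]
GOOD = [Pkt(1.000, C2, S, "PA", 300), Pkt(1.060, S, C2, "PA", 1400),
        Pkt(1.100, C2, S, "FA", 0),   Pkt(1.150, S, C2, "PA", 1400),
        Pkt(1.151, C2, S, "A", 0),    Pkt(1.200, S, C2, "FA", 0),
        Pkt(1.201, C2, S, "A", 0)]

if __name__ == "__main__":
    for name, flow in (("non-working", BAD), ("working", GOOD)):
        print(name, rst_after_fin(flow))
```

The check only reports who the RST appears to come from and when; as noted in the thread, deciding whether the client stack or something in the path actually generated it needs a second capture point.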
question asked: 19 Jun '17, 21:08

question was seen: 2,157 times

last updated: 20 Jun '17, 12:30
