This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

File transfer over the Internet - TCP RST packet

0

Hi everyone, Having this issue with file transfer and thought you might help on this issue. There is a software installed on client and server used for backups of data files everyday over the Internet. This software on client side first reads the folders (fetch files) before it starts to transfer the files to the server on the other side. The issue is that if I select the MAIN folder for back up (hundreds of GB in size), it starts reading/fetching the files but when this completes, the transfer doesn't even start however if I select any sub-folder (e.g. 45 GB) inside the MAIN folder, the transfer completes fine.

This setup over the Internet used to work a month ago, and if tested on LAN it works fine. I've captured the traffic on both sides and I'm attaching the pics for the relevant part. I've checked the TTL on RST packets but it was 120 which tells it is routed packet.

Below are the TCP streams from c2s and s2c.

Note: there is a firewall in between, but I don't think it's the issue since transfer is working fine for smaller file size.

alt text

alt text

asked 18 Sep '17, 04:05

ws101's gravatar image

ws101
11112
accept rate: 0%

One Answer:

1

The c2s shows retransmits for a 1514 bytes packet (TCP Length=1460) for 192.168.0.250 -> 84.22.37.252. Therefore I guess it is a MTU issue.

Things to check:

  • Is ICMP need frag blocked on the path?
  • Can you change the MTU of 192.168.0.250?
  • Where on the path is the "big" packet blocked?

answered 18 Sep '17, 07:39

Uli's gravatar image

Uli
9031515
accept rate: 29%

If MTU was an issue, wouldn't the MSS be < than 1460 in the SYN/ACK packet on negotiation?

(19 Sep '17, 06:24) ws101

Not necessarily. You've said that you have "backups of data files over the Internet". MSS in he SYN/ACK packet is defined by endpoints, and they are not aware of MTUs throughout all Internet data path. Initially endpoint is aware only of it's own connected interface MTU.

(19 Sep '17, 07:56) Packet_vlad

It's strange how transfer works fine for tens of GB and not for hundreds of GB?!

(19 Sep '17, 13:33) ws101

Could be possible that with the "small" transfer there are no packets with 1500 Bytes packets. Or the path is different.

To work around this issue you can try to reduce the MSS on 84.22.37.252.

(20 Sep '17, 03:00) Uli

Bypassed the FW and it worked!!

(25 Sep '17, 01:14) ws101
1

"Bypassing the FW" doesn't sound like a good (=secure) solution ;-)

(25 Sep '17, 07:00) Jasper ♦♦

It's a test to isolate the issue.

(25 Sep '17, 07:14) ws101

Alright, that's what I hoped to hear.

(25 Sep '17, 13:58) Jasper ♦♦
showing 5 of 8 show 3 more comments