TCP out of order / TCP Retransmission / TCP Previous segment lost

Unanswered Question
Mar 18th, 2010
User Badges:

I have a strange issue, am connected to the internet and can access any websites except few (does not give page can not be displayed and it does not give anything its just waiting all the time for respond), am sure its not the website problem as i could open the same website from a different location.

so i decided to capture the packet and look whats wrong while accessing those few websites and what i could see is a sucessfull TCP handshake followed by my http request and the problem starts, TCO out of order and TCP retransmission and TCP previous segment lost..

anyone aware of this kind of problem...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Thu, 03/18/2010 - 12:50
User Badges:
  • Green, 3000 points or more


Are you able to do a test, for example allowing everybody out the Firewall with a different IP from the same range?  Or you can do it for an specific computer also, to see if the behavior persists?

Also, is the ASA connected to a switch on its outside interface? Can you connect a computer to that switch and assign it a public IP from the same range of the ASA and see if the same problem happens?

I just want to see if the problem is IP-related or ASA-related.


mages_mark Thu, 03/18/2010 - 13:57
User Badges:

Federico - did you ever solve your issue?  I saw a couple threads that you started similar to my issue.... and this one.

My scenario....

Windows machine, connecting to an HTTPS site with either Firefox or IE.  Page is rendered with no problems, but downloads from the site fail at ~0-300Kb.

Download is successful when connected directly to the edge router, bypassing the ASA

Download is successful from other ISP's.

And the weird part - Download is successful on a Max OSX computer running Firefox - behind the asa..

It seems to be a combination of the ASA and Windows.

Wireshark of the two downloads is remarkably similar - both have TCP out of order, Dup Ack... the only real difference is the failed download has a couple WindowFull/ZeroWindow/WindowUpdate combinations.

Federico Coto F... Thu, 03/18/2010 - 14:05
User Badges:
  • Green, 3000 points or more

In my case the problem was IP-related.

We connected a computer to the outside switch with an IP of the same range of the ASA, and we continue to have the same problems (bypassing the ASA).

We found out that the public range was being blocked by several entities on the Internet.

Your issue seems different...

If the MAC download works behind the ASA, I don't see any reason why the ASA would be causing the problem.

Is this problem with a particular HTTPS site only?

Can you post the captures?


mages_mark Thu, 03/18/2010 - 14:18
User Badges:

Just one site.  I have a ticket in with them as well.

I don't understand either - it seems to be some combination of the PC + ASA that is glitching.  PC connected in front of the firewall works fine...


This Discussion