TCP RESET-ACK message without RESET in Capture.

Hello All,

I am having a problem with communication between two machines. I have put the packet capture and the following is the output:

61: 09:09:25.821628 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: S 2228708690:2228708690(0) win 5840 <mss 1460,sackOK,timestamp 8266666 0,nop,wscale 6>

65: 09:09:25.823596 802.1Q vlan#726 P0 192.168.249.21.2052 > 192.168.249.69.731: S 1457523457:1457523457(0) ack 2228708691 win 5840 <mss 1380>

66: 09:09:25.823764 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: . ack 1457523458 win 5840

67: 09:09:25.823794 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: P 2228708691:2228708735(44) ack 1457523458 win 5840

68: 09:09:28.813388 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: P 2228708691:2228708735(44) ack 1457523458 win 5840

69: 09:09:33.026732 802.1Q vlan#726 P0 192.168.249.21.2052 > 192.168.249.69.731: R 1457523458:1457523458(0) ack 2228708691 win 5840

                  

The first three packets are the three-way handshake and then 2 data packets, but both are the same packet and I think it is a repeated packet.

The last packet is TCP-Reset-Ack but I can't see a TCP-Reset packet in the capture. Is it something to do with the 2 repeated data packets or something else?

Thanks in advance for your help.

Regards,

Amjad Hashim.


TCP RESET-ACK message without RESET in Capture.

Hi Bro

From the captures, it seems that 192.168.249.21 is sending the RESET? Who is 192.168.249.21? a client or the server?

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

TCP RESET-ACK message without RESET in Capture.

Hi Ramraj,

Thanks for the reply. .69 is a server and .21 is a backup appliance. If you read carefully you will find that it is a Reset ACK packet rather than a Reset.

The problem is I could not see the reset packet at all and the Reset ACK comes in; I don't know what is going on.

I am struggling with it for a while and need to resolve it as soon as possible.

Regards,

Re: TCP RESET-ACK message without RESET in Capture.

Hi Bro

This is my understanding with regards to your above packet capture.

61: 192.168.249.69 sends SYN to 192.168.249.21

65: 192.168.249.21 sends SYN ACK to 192.168.249.69

66: 192.168.249.69 sends ACK to 192.168.249.21

67: 192.168.249.69 sends a PUSH to 192.168.249.21 (data/payload transfer)

68: 192.168.249.69 sends a PUSH to 192.168.249.21 (DUPLICATE PACKET BECAUSE 67 AND 68 IS THE SAME THING, same packet size!!)

69: 192.168.249.21 sends a RESET to 192.168.249.69

Note:

65: TCP Sequence Number = 1457523457

66: TCP Sequence Number = 1457523458

67: TCP Sequence Number = 1457523458

68: TCP Sequence Number = 1457523458

69: TCP Sequence Number = 1457523458

The question here should be why is your backup appliance sending a RESET to the server? I guess you'll need to check with the backup appliance vendor/principal on this. Just out of curiosity, if your backup appliance and the server were in the same network address, no Cisco ASA FW in between, will this work fine?

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

Re: TCP RESET-ACK message without RESET in Capture.

Hello Bro,

You are absolutely right about the duplicate packet. See packet 69 below:

69: 09:09:33.026732 802.1Q vlan#726 P0 192.168.249.21.2052 > 192.168.249.69.731: R 1457523458:1457523458(0) ack 2228708691 win 5840

It is a reset-acknowledgement that .21 is sending. I was in touch with the vendor and they said the same thing. I hope this will help understand the problem.
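An added example, not part of any poster's message or of Cisco's tooling: a Python sketch that parses the capture lines quoted in this thread, flags retransmitted data segments, and reports for each RST whether the same segment also carries an ACK and how many of the peer's bytes that ACK leaves unacknowledged. The names `parse` and `analyze` are hypothetical, and the regular expression assumes the line layout shown in the thread.

```python
import re

# Capture lines copied from the thread; sequence-number wraparound is ignored.
CAPTURE = """\
61: 09:09:25.821628 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: S 2228708690:2228708690(0) win 5840 <mss 1460,sackOK,timestamp 8266666 0,nop,wscale 6>
65: 09:09:25.823596 802.1Q vlan#726 P0 192.168.249.21.2052 > 192.168.249.69.731: S 1457523457:1457523457(0) ack 2228708691 win 5840 <mss 1380>
66: 09:09:25.823764 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: . ack 1457523458 win 5840
67: 09:09:25.823794 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: P 2228708691:2228708735(44) ack 1457523458 win 5840
68: 09:09:28.813388 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: P 2228708691:2228708735(44) ack 1457523458 win 5840
69: 09:09:33.026732 802.1Q vlan#726 P0 192.168.249.21.2052 > 192.168.249.69.731: R 1457523458:1457523458(0) ack 2228708691 win 5840
"""

LINE = re.compile(
    r"^\s*(?P<no>\d+): \S+ .*? (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<start>\d+):(?P<end>\d+)\(\d+\))?"
    r"(?: ack (?P<ack>\d+))?", re.M)

def parse(text):
    """Return one dict per segment; numeric fields become ints (None if absent)."""
    segs = []
    for m in LINE.finditer(text):
        d = m.groupdict()
        for k in ("no", "start", "end", "ack"):
            d[k] = int(d[k]) if d[k] is not None else None
        segs.append(d)
    return segs

def analyze(text):
    """Flag retransmitted data segments and describe each RST segment."""
    seen, retransmits, resets = set(), [], []
    sent_up_to = {}  # sender endpoint -> highest sequence number it has sent
    for s in parse(text):
        if s["start"] is not None and s["end"] > s["start"]:  # carries payload
            key = (s["src"], s["start"], s["end"])
            if key in seen:
                retransmits.append(s["no"])
            seen.add(key)
            sent_up_to[s["src"]] = max(sent_up_to.get(s["src"], 0), s["end"])
        if "R" in s["flags"]:
            # "R ... ack N" is one segment with the RST and ACK flags both set.
            has_ack = s["ack"] is not None
            unacked = sent_up_to.get(s["dst"], s["ack"]) - s["ack"] if has_ack else None
            resets.append({"no": s["no"], "from": s["src"],
                           "rst_and_ack": has_ack, "peer_bytes_unacked": unacked})
    return {"retransmits": retransmits, "resets": resets}

if __name__ == "__main__":
    print(analyze(CAPTURE))
```

On the quoted capture this reports packet 68 as a retransmission of 67, and packet 69 as a single RST+ACK segment from 192.168.249.21.2052 whose ack value still sits at the start of the 44-byte payload.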
