cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1028
Views
0
Helpful
4
Replies

Session starts with two SYN packets

Vishal.Seetal
Level 1
Level 1

Hi all,

I am having trouble with my Cisco SG300 switch big time. I have two servers with IP addresses 10.17.0.11 and 10.17.0.29 sitting on the same switch which is a Cisco SG300. I initiate a file transfer from 10.17.0.11 to 10.17.0.29. I could see lots of Dup Acks and retransmissions which means something is wrong in the connection. Further, I could see the session initiation a bit bizarre. I could see two SYN packets sent from 10.17.0.11 to 10.17.0.29 and also two SYN ACK packets returned by 10.17.0.29. The switch forms part of a network but since both the servers are sitting on the same switch I suppose the rest of the network doesn't come into play when one server talks to the other.

Please see the screenshot below:

Capture.PNG

See also the number of Dup Acks and retransmissions. The two switch ports connecting the servers have speed and duplex set to auto negotiate, flow control is enabled. What could cause this sort of problem?Could it be any setting on the switch or the servers' NICs?Or could it be a bad switch that causes this?

Any help would be greatly appreciated. If anyone has ever come across this sort of problem, please help.

Thank you.

Regards,

Vishal

1 Accepted Solution

Accepted Solutions

Edwin Summers
Level 3
Level 3

Are you sniffing off a SPAN port? If so, how do you have this configured? It almost appears a if you're sniffing both directions on both ports, so your sniffing software thinks everything is duplicated when it is receiving the same packet twice. Possible?

Are you  having any problems with the transfer (throughput, errors)? If you follow the trace, does the window size grow as expected?

View solution in original post

4 Replies 4

Edwin Summers
Level 3
Level 3

Are you sniffing off a SPAN port? If so, how do you have this configured? It almost appears a if you're sniffing both directions on both ports, so your sniffing software thinks everything is duplicated when it is receiving the same packet twice. Possible?

Are you  having any problems with the transfer (throughput, errors)? If you follow the trace, does the window size grow as expected?

Hi Edwin,

Thank you for replying. Yes, I have enabled port mirroring on one of the switch's port and I am capturing packets from both the ports the two servers are connected to which I realise now is causing the double SYNs. Thank you so much for that.

So the retransmissions also could also be an interpretation of Wireshark as when it sees the same packet on both the ports monitored, it thinks it is a retransmission. The time difference between a sent packet and its retransmission is about 2 microseconds..Same for Dup Acks..

Aha!wow..How stupid is that!!!

I need to learn more about using Wireshark.

Thanks a lot for that Edwin..

I am going back to work and do a capture again and see the difference..

Thanks a lot.

Regards,

Vishal

No problem! Hopefully that is all that is going on... Easy to rule it out, and if you still see the issue we can explore further. It is an interesting happening that I have not seen before but makes sense. Good luck! -Ed

Thank you Edwin,

I'm going back to work and do some more captures on one port only and see how it goes.

Kind regards,

Vishal

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: