Re: [nsp] TCP connections randomly reset

From: Blaz Zupan (blaz@gold.amis.net)
Date: Mon Aug 06 2001 - 09:18:05 EDT


I'm still fighting with the strange problem where incoming TCP connections on
a link are being randomly reset. I've turned on IP packet debugging and
compared the output between an unsuccessful and successful connection. The
difference is in the third packet, the ACK RST. While on a successful
connection the ACK RST packet comes in with an ack=0, on an unsuccessful
connection the packet comes in with an ack number that is the same as the one
used on the following packets, thus the session is reset. I don't know enough
about TCP/IP to guess why this is happening or what could be causing it. Could
it be a DoS attack?

Successful session:

05:12:17: IP: s=192.168.1.1 (Serial3/0), d=192.168.2.1 (FastEthernet0/0.5), g=192.168.2.1, len 44, forward
05:12:17: TCP src=52227, dst=110, seq=2659395474, ack=0, win=4128 SYN
05:12:17: IP: s=192.168.2.1 (FastEthernet0/0.5), d=192.168.1.1 (Serial3/0), g=192.168.1.1, len 44, forward
05:12:17: TCP src=110, dst=52227, seq=324288000, ack=2659395475, win=61440 ACK SYN
05:12:17: IP: s=192.168.1.1 (Serial3/0), d=192.168.2.1 (FastEthernet0/0.5), g=192.168.2.1, len 40, forward
05:12:17: TCP src=52227, dst=110, seq=2659395475, ack=0, win=0 ACK RST
05:12:17: IP: s=192.168.1.1 (Serial3/0), d=192.168.2.1 (FastEthernet0/0.5), g=192.168.2.1, len 40, forward
05:12:17: TCP src=52227, dst=110, seq=2659395475, ack=324288001, win=4128 ACK
05:12:17: IP: s=192.168.1.1 (Serial3/0), d=192.168.2.1 (FastEthernet0/0.5), g=192.168.2.1, len 40, forward
05:12:17: TCP src=52227, dst=110, seq=2659395475, ack=324288001, win=4128 ACK
05:12:17: IP: s=192.168.2.1 (FastEthernet0/0.5), d=192.168.1.1 (Serial3/0), g=192.168.1.1, len 84, forward
05:12:17: TCP src=110, dst=52227, seq=324288001, ack=2659395475, win=61440 ACK PSH
05:12:17: IP: s=192.168.1.1 (Serial3/0), d=192.168.2.1 (FastEthernet0/0.5), g=192.168.2.1, len 40, forward
05:12:17: TCP src=52227, dst=110, seq=2659395475, ack=324288045, win=4084 ACK

Failed session:

05:11:42: IP: s=192.168.1.1 (Serial3/0), d=192.168.2.1 (FastEthernet0/0.5), g=192.168.2.1, len 44, forward
05:11:42: TCP src=47107, dst=110, seq=2689262359, ack=0, win=4128 SYN
05:11:42: IP: s=192.168.2.1 (FastEthernet0/0.5), d=192.168.1.1 (Serial3/0), g=192.168.1.1, len 44, forward
05:11:42: TCP src=110, dst=47107, seq=319680000, ack=2689262360, win=61440 ACK SYN
05:11:42: IP: s=192.168.1.1 (Serial3/0), d=192.168.2.1 (FastEthernet0/0.5), g=192.168.2.1, len 40, forward
05:11:42: TCP src=47107, dst=110, seq=2689262360, ack=319680001, win=0 ACK RST
05:11:42: IP: s=192.168.1.1 (Serial3/0), d=192.168.2.1 (FastEthernet0/0.5), g=192.168.2.1, len 40, forward
05:11:42: TCP src=47107, dst=110, seq=2689262360, ack=319680001, win=4128 ACK
05:11:42: IP: s=192.168.1.1 (Serial3/0), d=192.168.2.1 (FastEthernet0/0.5), g=192.168.2.1, len 40, forward
05:11:42: TCP src=47107, dst=110, seq=2689262360, ack=319680001, win=4128 ACK
05:11:42: IP: s=192.168.2.1 (FastEthernet0/0.5), d=192.168.1.1 (Serial3/0), g=192.168.1.1, len 40, forward
05:11:42: TCP src=110, dst=47107, seq=319680001, ack=0, win=61440 RST
05:11:42: IP: s=192.168.2.1 (FastEthernet0/0.5), d=192.168.1.1 (Serial3/0), g=192.168.1.1, len 40, forward
05:11:42: TCP src=110, dst=47107, seq=319680001, ack=0, win=61440 RST

Blaz Zupan, Medinet d.o.o, Trzaska 85, SI-2000 Maribor, Slovenia
E-mail: blaz@amis.net, Tel: +386-2-320-6320, Fax: +386-2-320-6325
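
Added example, not part of the original post: a small Python parser for the TCP detail lines of the debug output above. It makes the comparison the message describes, checking whether the client-side RST carries ack=0 or acknowledges the server's SYN/ACK (ack = server ISN + 1), and whether the server then sent its own RST. Function names are illustrative, and flows are keyed on the client source port only, an assumption made because the sample keeps just the TCP lines from the post.

```python
import re
from collections import defaultdict

# TCP lines copied from the two sessions in the post (IP lines omitted).
SAMPLE = """\
05:12:17: TCP src=52227, dst=110, seq=2659395474, ack=0, win=4128 SYN
05:12:17: TCP src=110, dst=52227, seq=324288000, ack=2659395475, win=61440 ACK SYN
05:12:17: TCP src=52227, dst=110, seq=2659395475, ack=0, win=0 ACK RST
05:11:42: TCP src=47107, dst=110, seq=2689262359, ack=0, win=4128 SYN
05:11:42: TCP src=110, dst=47107, seq=319680000, ack=2689262360, win=61440 ACK SYN
05:11:42: TCP src=47107, dst=110, seq=2689262360, ack=319680001, win=0 ACK RST
05:11:42: TCP src=110, dst=47107, seq=319680001, ack=0, win=61440 RST
"""

TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), seq=(\d+), ack=(\d+), win=(\d+) ([A-Z ]+)$")

def parse(text):
    """Yield (src, dst, seq, ack, flags) for each TCP detail line; skip others."""
    for line in text.splitlines():
        m = TCP_RE.search(line.strip())
        if m:
            src, dst, seq, ack, _win = map(int, m.groups()[:5])
            yield src, dst, seq, ack, set(m.group(6).split())

def classify_handshake_resets(text):
    """Per client port: how the client's RST relates to the server's SYN/ACK."""
    flows = defaultdict(dict)
    for src, dst, seq, ack, flags in parse(text):
        if flags == {"SYN"}:
            flows[src]["server_port"] = dst
        elif flags == {"ACK", "SYN"} and dst in flows:
            flows[dst]["server_isn"] = seq
        elif "RST" in flags and src in flows and "server_isn" in flows[src]:
            # Client-side RST after the SYN/ACK: compare ack with server ISN + 1.
            f = flows[src]
            f["client_rst_ack"] = ack
            f["rst_acks_synack"] = ack == (f["server_isn"] + 1) % 2**32
        elif "RST" in flags and dst in flows:
            # RST travelling from the server port back to a known client port.
            flows[dst]["server_reset"] = True
    return dict(flows)

if __name__ == "__main__":
    for port, f in classify_handshake_resets(SAMPLE).items():
        print(port, f)
```

Run over a full capture, the per-flow `rst_acks_synack` and `server_reset` fields show how often the two conditions coincide.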


