topic TCP RESET-ACK message without RESET in Capture. in Network Security

TCP RESET-ACK message without RESET in Capture.

Amjad Hashim — Mon, 11 Mar 2019 23:31:42 GMT

Hello All,

I am having a problem with communication between two machines, i have put the packet capture and following is the output

61: 09:09:25.821628 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: S 2228708690:2228708690(0) win 5840 <mss 1460,sackOK,timestamp 8266666 0,nop,wscale 6>

65: 09:09:25.823596 802.1Q vlan#726 P0 192.168.249.21.2052 > 192.168.249.69.731: S 1457523457:1457523457(0) ack 2228708691 win 5840 <mss 1380>

66: 09:09:25.823764 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: . ack 1457523458 win 5840

67: 09:09:25.823794 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: P 2228708691:2228708735(44) ack 1457523458 win 5840

68: 09:09:28.813388 802.1Q vlan#726 P0 192.168.249.69.731 > 192.168.249.21.2052: P 2228708691:2228708735(44) ack 1457523458 win 5840

69: 09:09:33.026732 802.1Q vlan#726 P0 192.168.249.21.2052 > 192.168.249.69.731: R 1457523458:1457523458(0) ack 2228708691 win 5840

The first three packets are three-way handshake and then 2 data packets but both are same packets and i think it is a repeated packet.

The last packet is TCP-Reset-Ack but i can't see TCP-Reset packet in capture, is it something to do with 2 repeated data packets or something else?

Thanks in advance for your help.

Regards,

Amjad Hashim.

TCP RESET-ACK message without RESET in Capture.

Ramraj Sivagnanam Sivajanam — Tue, 17 Jul 2012 15:38:54 GMT

Hi Bro

From the captures, it seems that 192.168.249.21 is sending the RESET? Who is 192.168.249.21? a client or the server?

TCP RESET-ACK message without RESET in Capture.

Amjad Hashim — Tue, 17 Jul 2012 16:35:13 GMT

Hi Ramraj,

Thanks for reply, .69 is a server and .21 is backup appliance. If u read carefully you will find that it is Reset ACK packet rather than Reset.

The problem is i could not see the reset packet at all and Reset ACK comes in, don't know what is going on.

I am struggling with it for a while and need to resolve it as soon as possible.

Regards,

Re: TCP RESET-ACK message without RESET in Capture.

Ramraj Sivagnanam Sivajanam — Wed, 18 Jul 2012 03:38:53 GMT

Hi Bro

This is my understanding with regards to your above packet capture.

61: 192.168.249.69 sends SYN to 192.168.249.21

65: 192.168.249.21 sends SYN ACK to 192.168.249.69

66: 192.168.249.69 sends ACK to 192.168.249.21

67: 192.168.249.69 sends a PUSH to 192.168.249.21 (data/payload transfer)

68: 192.168.249.69 sends a PUSH to 192.168.249.21 (DUPLICATE PACKET BECAUSE 67 AND 68 IS THE SAME THING, same packet size!!)

69: 192.168.249.21 sends a RESET to 192.168.249.69

Note:

65: TCP Sequence Number = 1457523457

66: TCP Sequence Number = 1457523458

67: TCP Sequence Number = 1457523458

68: TCP Sequence Number = 1457523458

69: TCP Sequence Number = 1457523458

The question here should be why is your backup appliance sending a RESET to the server? I guess you'll need to check with the backup appliance vendor/principal on this. Just out of curiousity, if your backup appliance and the server were in the same network address, no Cisco ASA FW in between, will this work fine?

Re: TCP RESET-ACK message without RESET in Capture.

Amjad Hashim — Wed, 18 Jul 2012 09:57:34 GMT

Hello Bro,

You are abosolutely right about duplicate packet, see the packet 69 below

69: 09:09:33.026732 802.1Q vlan#726 P0 192.168.249.21.2052 > 192.168.249.69.731: R 1457523458:1457523458(0) ack 2228708691 win 5840

It is reset-acknowledgement that .21 is sending, i was in touch with vendor and they said the same thing. I hope this will help understand the problem.