wireshark shows tcp retransmission & dup ack packet on wccp traffic, does it look correct?

TCAM · ‎08-29-2015

Hi -

Did a packet capture on WAAS running L2 WCCP with switch, saw many tcp retransmission & dup ack packets, first i thought something is not right but then i looked back again, this may be corrected. Since WAAS is intercepting network traffic then sending it back out on the same interface. From wireshark perspective, the same traffic is travelling in and out of same interface 2 times, so wireshark thinks and marks this traffic as "retransmission & dup" packet. Does it make sense? or i am missing something. Can someone shed some light please?

Thanks

finn.poulsen · ‎08-31-2015

Hi Joe,

This is completely as expected, you'll see the (same) traffic entering and leaving the WAAS box.

However for optimized traffic, you should see different TCP sequence numbers on the packets leaving the WAAS box, that in the other direction. Of course you should also see e.g. different packet sizes etc. due to DRE or LZ kicking in, for optimized packets.

Best regards

Finn

TCAM · ‎08-31-2015

Thanks Finn!

I think the TCP sequence number should be the "same" that is how wireshark know it is a "retransmission" packet. but, for optimized traffic we should see different packet size due to TFO,DRE,LZ kick in.

Thanks

finn.poulsen · ‎08-31-2015

Hi Joe,

The TCP sequence numbers are only the same for unoptimized traffic (i.e. PassThrough).

This is one of the mechanisms, that the remote WAAS detects whether the other end has disappeared and the TCP session gets re-established.

Finn

TCAM · ‎09-01-2015

Hi Finn -

Thanks so much for taking time to answer my questions, I appreciated.

However, that is not what i saw on wireshark. The "original" and "retransmission" optimized packet have the "same" tcp sequence number.

I am going to create a Cisco TAC ticket, will report back in here.

Thanks