Can't see why telnet-stye software fails to connect from logs

Izzard · 10-23-2003, 04:25 AM

Hello all.

We have a Redhat 7.3 machine running an odd OS extension called RealNG from IMS (essentially a multi-user DOS emulation layer). It allows access using its own terminal program for Windows called NGTerm. As far as we know, all it needs is port 160 to be open on the server.

When we test on a local machine, it works just fine and we get a DOS session, as expected. However, when trying to connect from a branch office (with port 160 open through the firewall), there seems to be a little handshaking and then they stop talking. Here's a tcpdump on the failing system:

Code:

[root@localhost root]# tcpdump host 129.100.101.100 and 10.119.100.100
tcpdump: listening on eth0
10:34:02.757677 10.119.100.100.2243 > 129.100.101.100.160: S 1266685911:1266685911(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
10:34:02.758998 129.100.101.100.160 > 10.119.100.100.2243: S 3526807905:3526807905(0) ack 1266685912 win 5840 <mss 1460,nop,nop,sack OK>(DF)
10:34:02.767588 10.119.100.100.2243 > 129.100.101.100.160: . ack 1 win 17520(DF)
10:34:02.767926 10.119.100.100.2243 > 129.100.101.100.160: P 1:2(1) ack 1 win 17520 (DF)
10:34:02.767975 129.100.101.100.160 > 10.119.100.100.2243: . ack 2 win 5840(DF)
10:34:02.768925 129.100.101.100.160 > 10.119.100.100.2243: R 1:1(0) ack 2 win 5840 (DF)		<---- FAILS HERE

6 packets received by filter
0 packets dropped by kernel

If anyone can make any suggestions it would be highly appreciated. In the meantime, I have asked the technician to carry out a similar TCP dump on the working (local) pair of boxes to see what is supposed to come next in the sequence.

Thanks!

Simon Brindley

unSpawn · 10-26-2003, 05:40 PM

...and what do the firewall logs say? If nothing, then maybe tack on logging rules and open up the firewall to allow traffic from that specific host and then check?

Izzard · 10-27-2003, 03:01 AM

Thank you for replying. This is the top part of a tcpdump from a working connection (from a client in the same building):

Code:

[root@localhost root]# tcpdump host 129.100.200.93 and 129.100.101.102
tcpdump: listening on eth0
10:18:42.511138 129.100.200.93.1676 > 129.100.101.102.160: S 670027130:670027130(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:18:42.511207 129.100.101.102.160 > 129.100.200.93.1676: S 510736100:510736100(0) ack 670027131 win 5840 <mss 1460,nop,nop,sackOK> (DF)
10:18:42.511356 129.100.200.93.1676 > 129.100.101.102.160: . ack 1 win 64240 (DF)
10:18:42.512114 129.100.200.93.1676 > 129.100.101.102.160: P 1:2(1) ack 1 win 64240 (DF)
10:18:42.512165 129.100.101.102.160 > 129.100.200.93.1676: . ack 2 win 5840 (DF)
10:18:42.513816 129.100.101.102.160 > 129.100.200.93.1676: P 1:71(70) ack 2 win 5840 (DF)
10:18:42.513979 129.100.200.93.1676 > 129.100.101.102.160: P 2:3(1) ack 71 win 64170 (DF)
10:18:42.529516 129.100.101.102.160 > 129.100.200.93.1676: P 71:73(2) ack 3 win 5840 (DF)
10:18:42.529707 129.100.200.93.1676 > 129.100.101.102.160: P 3:29(26) ack 73 win 64168 (DF)
10:18:42.548691 129.100.101.102.160 > 129.100.200.93.1676: P 73:79(6) ack 29 win 5840 (DF)
10:18:42.554557 129.100.101.102.160 > 129.100.200.93.1676: . 79:1539(1460) ack 29 win 5840 (DF)
10:18:42.554998 129.100.200.93.1676 > 129.100.101.102.160: . ack 1539 win 64240 (DF)
10:18:42.555049 129.100.101.102.160 > 129.100.200.93.1676: P 1539:2232(693) ack 29 win 5840 (DF)
10:18:42.679692 129.100.200.93.1676 > 129.100.101.102.160: . ack 2232 win 63547 (DF)
10:18:42.679767 129.100.101.102.160 > 129.100.200.93.1676: P 2232:2427(195) ack 29 win 5840 (DF)
10:18:42.897534 129.100.101.102.160 > 129.100.200.93.1676: P 2232:2427(195) ack 29 win 5840 (DF)
10:18:42.897747 129.100.200.93.1676 > 129.100.101.102.160: . ack 2427 win 63352 (DF)
10:18:43.617201 129.100.200.93.1676 > 129.100.101.102.160: P 29:30(1) ack 2427 win 63352 (DF)
10:18:43.618807 129.100.101.102.160 > 129.100.200.93.1676: P 2427:2432(5) ack 30 win 5840 (DF)
10:18:43.648576 129.100.200.93.1676 > 129.100.101.102.160: P 30:31(1) ack 2432 win 63347 (DF)
10:18:43.652902 129.100.101.102.160 > 129.100.200.93.1676: P 2432:2437(5) ack 31 win 5840 (DF)
10:18:43.726572 129.100.200.93.1676 > 129.100.101.102.160: P 31:32(1) ack 2437 win 63342 (DF)
10:18:43.757528 129.100.101.102.160 > 129.100.200.93.1676: . ack 32 win 5840 (DF)
10:18:43.773441 129.100.200.93.1676 > 129.100.101.102.160: P 32:33(1) ack 2437 win 63342 (DF)
10:18:43.773482 129.100.101.102.160 > 129.100.200.93.1676: . ack 33 win 5840 (DF)
10:18:43.804671 129.100.200.93.1676 > 129.100.101.102.160: P 33:34(1) ack 2437 win 63342 (DF)
10:18:43.804725 129.100.101.102.160 > 129.100.200.93.1676: . ack 34 win 5840 (DF)
10:18:43.806701 129.100.101.102.160 > 129.100.200.93.1676: P 2437:2442(5) ack 34 win 5840 (DF)
10:18:43.898423 129.100.200.93.1676 > 129.100.101.102.160: P 34:36(2) ack 2442 win 63337 (DF)
10:18:43.899808 129.100.101.102.160 > 129.100.200.93.1676: P 2442:2447(5) ack 36 win 5840 (DF).....(etc)

I've tried with a similar server at another location, even putting the Linux box in the DMZ (and confirming ports are open with grc.com's ShieldsUp) but it still failed to connect. I'm going to try speaking to the makers of the software today but our relationship with them is, let's say, not so brilliant (eg. they won't talk to us because we haven't bought enough from them to earn technical support).