What could be causing SYN_ACK's to be delayed from certain clients?

fizzdandantilus · 02-18-2010, 05:49 PM

Hi,

I'm having a problem with TCP connections taking a long time to establish, often timing out. The strange thing is it seems to only happen on some source workstations and not others in our LAN but not from home or other internet connections.

I can see the SYN packet leave the source workstation, enter the firewall LAN interface, leave the firewall WAN interface and arrive at the destination server's interface. Then the SYN ACK packet doesn't get sent for 2 to 300 seconds. Once I see the SYN ACK sent from the server, the connection is ESTABLISHED.

I'm hoping someone can help me diagnose the source of the problem.

anomie · 02-18-2010, 05:56 PM

Are you able to sniff packets on the server side? Or are you just assuming the SYN packet arrived there?

If the former, this will be a lot easier to troubleshoot. What application(s) are you seeing this behavior with? Can you reproduce the problem with an arbitrary netcat listener on the server? See the nc(1) manpages if you're not familiar with it.

nimnull22 · 02-18-2010, 06:02 PM

SYN + ACK flag set sends by TCP client, which received SYN.
Why? You have to monitor what is going on on the other side, where your client sent SYN.

fizzdandantilus · 02-19-2010, 12:25 AM

Thanks for your replies.

Applications are SSHD and HTTPD, possibly others, but I tried a nc connection a number of times like you suggested using port 6686 and it's doing the same thing (see tcpdumps below) some times connecting others not.

I am able to run tcpdump on the destination server and I do see the SYN packet arrive, but no SYN ACK leave for some time, as you can see in the successful connection dump, it takes 21 seconds to respond with the SYN ACK.

It doesn't seem to happen with windows source machines though, which makes absolutely no sense to me, I'm seeing it on Linux and Mac OSX machines.

Timed out - tcpdump

Code:

17:05:21.545294 IP source.interface.net.53219 > destination.interface.com.6686: S 1019474965:1019474965(0) win 5840 <mss 1452,sackOK,timestamp 104729087 0,nop,wscale 3>
17:05:24.608754 IP source.interface.net.53219 > destination.interface.com.6686: S 1019474965:1019474965(0) win 5840 <mss 1452,sackOK,timestamp 104732087 0,nop,wscale 3>
17:05:30.569673 IP source.interface.net.53219 > destination.interface.com.6686: S 1019474965:1019474965(0) win 5840 <mss 1452,sackOK,timestamp 104738087 0,nop,wscale 3>
17:05:42.655230 IP source.interface.net.53219 > destination.interface.com.6686: S 1019474965:1019474965(0) win 5840 <mss 1452,sackOK,timestamp 104750087 0,nop,wscale 3>
17:06:06.534508 IP source.interface.net.53219 > destination.interface.com.6686: S 1019474965:1019474965(0) win 5840 <mss 1452,sackOK,timestamp 104774087 0,nop,wscale 3>
17:06:54.527179 IP source.interface.net.51545 > destination.interface.com.6686: S 1019474965:1019474965(0) win 5840 <mss 1452,sackOK,timestamp 104822087 0,nop,wscale 3>

Successful - tcpdump

Code:

17:09:24.224013 IP source.interface.net.61725 > destination.interface.com.6686: S 1263216290:1263216290(0) win 5840 <mss 1452,sackOK,timestamp 104971796 0,nop,wscale 3>
17:09:27.322690 IP source.interface.net.61725 > destination.interface.com.6686: S 1263216290:1263216290(0) win 5840 <mss 1452,sackOK,timestamp 104974797 0,nop,wscale 3>
17:09:33.221183 IP source.interface.net.61725 > destination.interface.com.6686: S 1263216290:1263216290(0) win 5840 <mss 1452,sackOK,timestamp 104980797 0,nop,wscale 3>
17:09:45.261955 IP source.interface.net.61725 > destination.interface.com.6686: S 1263216290:1263216290(0) win 5840 <mss 1452,sackOK,timestamp 104992797 0,nop,wscale 3>
17:09:45.262008 IP destination.interface.com.6686 > source.interface.net.61725: S 4059602422:4059602422(0) ack 1263216291 win 5792 <mss 1460,sackOK,timestamp 2534800086 104992797,nop,wscale 7>
17:09:45.455884 IP source.interface.net.61725 > destination.interface.com.6686: . ack 1 win 730 <nop,nop,timestamp 104993033 2534800086>

nimnull22 · 02-19-2010, 10:51 AM

What about PING, IPv6, firewall, filters, routing ...
What difference tcpdump shows when connection is made by win.?
What about other services? TELNET sessions?

devwatchdog · 02-19-2010, 11:54 AM

I'd look to see if there is any icmp traffic coming back.

Also, I'd use mtr and tcptraceroute to see if there is any odd behavior. I would also run those commands from the server back toward the source systems.

Offhand, seeing the traffic arrives at your server, and isn't being returned promptly I'd be inclined to believe your server is is the problem. I've seen similar activity on networks where there are routing conflicts, but seeing the Windows systems you have tested with do not exhibit this problem I doubt that is the issue.

I'd also look into whatever the service the server is running for clues. Check the log files it has, or if that isn't enough, enable debugging.

Hmmnn..something else that comes to mind, although it's just a shot in the dark -- does the environment where your server is located have any sort of an IDS/IPS?

fizzdandantilus · 02-19-2010, 06:18 PM

To follow up on what has been said.
Pings work all the time from all source machines to all destination servers.
Neither source or destination machines have IPv6 enabled.
Telnetd is not running on the destination. But I think the netcat test indicated it was an issue at the TCP level rather than at application.

Apart from iptables on the destination server I doubt there are any IDS/IPS systems in front.

To add even more confusion I have some source linux server (metal and virtual machine) (all linux are centos 5, including the destinations) which seems to always connect on all protocols through the same gateway. While if I change the gateway on the problem source machines to our secondary slow internet link, they work.

As the source machine is behind NAT I cannot trace all the way back to the source machine but to the WAN interface on the firewall.

mtr did show high packet loss coming from the destination back to the source network, which is strange. But it doesn't explain why the server isn't sending the SYN ACK. It would if it was sending them and they weren't arriving.

mtr from destination back to source

Code:

destination.interface.com           Snt: 50    Loss%  Last   Avg  Best  Wrst StDev
dr1.dg1.phoenix.abac.net                     58.0%   1.5   1.9   1.4   6.5   1.2
69.64.66.25                                  60.0%   4.8   1.0   0.5   4.8   1.0
network-69-16-135-201.phx1.puregig.net       60.0%   0.5   0.4   0.3   0.6   0.1
ve1011.r2.ph.hwng.net                        60.0%   0.4   4.0   0.3  15.6   4.6
2-1.r1.la.hwng.net                           60.0%  17.1  13.2  10.1  20.4   3.6
gi1--1.wil04.net.reach.com                   68.0%  10.1   9.9   9.6  10.7   0.3
i-0-0-0.wil-core03.bi.reach.com              68.0%  10.1   9.9   9.7  10.1   0.2
i-10-0-0.sydp-core01.bx.reach.com            68.0% 157.4 157.5 157.3 157.9   0.2
TenGigE0-2-0-7.pad-gw1.Sydney.telstra.net    66.0% 158.4 158.3 157.9 158.7   0.2
Bundle-Ether3.chw-core2.Sydney.telstra.net   62.0% 164.1 164.2 163.7 164.7   0.3
GigaBitEthernet0-2.ken20.Sydney.telstra.net  66.0% 163.5 163.4 163.2 163.7   0.1
source.wan.interface.net                       72.0% 185.6 185.9 185.4 186.7   0.3

mtr from source to destination

Code:

source.host            Snt: 50    Loss%  Last   Avg  Best  Wrst StDev
gw.local.lan                                  0.0%   0.2   0.2   0.2   2.6   0.3
Loopback1.ken10.Sydney.telstra.net            0.0%  27.3  29.1  27.3  74.2   6.5
TenGigE0-1-0-2.ken-core4.Sydney.telstra.net   0.0%  28.2  30.0  28.0  70.0   6.6
Bundle-Ether1.pad-gw2.Sydney.telstra.net      0.0%  29.5  28.8  28.0  31.1   0.4
TenGigabitEthernet1-0.sydp-core02.Sydney.rea  0.0%  28.0  28.4  27.8  29.4   0.4
i-2-0-1.wil-core02.bx.reach.com               0.0% 176.9 177.4 176.7 178.9   0.4
i-1-2.tlot03.bi.reach.com                     0.0% 175.9 178.4 175.6 279.4  14.6
???                                          100.0   0.0   0.0   0.0   0.0   0.0
xe-1-2-0.er1.lax9.us.above.net                0.0% 183.0 186.2 182.2 240.6  11.9
ge-2-1-0.mpr3.lax9.us.above.net               0.0% 182.5 183.8 182.3 205.4   3.9
xe-1-1-0.mpr3.phx2.us.above.net               0.0% 191.1 194.1 190.4 240.0  10.6
xe-0-0-0.mpr4.phx2.us.above.net               0.0% 185.2 188.0 184.3 220.7   8.9
64.124.178.250.allocated.above.net            0.0% 192.3 199.4 191.2 313.6  25.9
gi1-45.dr1.dg1.phoenix.abac.net               2.0% 191.9 194.3 191.4 246.9   8.7
destination.interface.com                     2.0% 186.0 186.8 185.3 226.0   5.8

anomie · 02-19-2010, 06:29 PM

Two more questions:

Can you temporarily flush your (server) iptables ruleset and test again to see if the problem persists?
Have you been tweaking any sysctl MIBs on the server?

---

edit: Just noticed this:

Quote:

To add even more confusion I have some source linux server (metal and virtual machine) (all linux are centos 5, including the destinations) which seems to always connect on all protocols through the same gateway. While if I change the gateway on the problem source machines to our secondary slow internet link, they work.

Argh. So if I understand correctly, going over a particular network path (ISP #1) the problem exists, but over a different network path (ISP #2), the problem does not. Right?

nimnull22 · 02-19-2010, 07:12 PM

Do please tcpdump, but with options:
tcpdump -nn -vv

On side which receive SYN, post an output please.

devwatchdog · 02-19-2010, 09:23 PM

Quote:

Originally Posted by fizzdandantilus

To follow up on what has been said.
Pings work all the time from all source machines to all destination servers.

When I mentioned icmp, I wasn't referring to pings so much as networking messages being returned. If there is an MTU issue or something of that nature you could see icmp messages being returned on the source side. If you don't allow that traffic through your firewall, you might not see it. Might be worth checking the public interface on the firewall to see if there is any related traffic.

Quote:

Neither source or destination machines have IPv6 enabled.
Telnetd is not running on the destination. But I think the netcat test indicated it was an issue at the TCP level rather than at application.

Apart from iptables on the destination server I doubt there are any IDS/IPS systems in front.

I agree with you on the netcat test indicating it is more than likely a tcp/network related issue.

Quote:

To add even more confusion I have some source linux server (metal and virtual machine) (all linux are centos 5, including the destinations) which seems to always connect on all protocols through the same gateway. While if I change the gateway on the problem source machines to our secondary slow internet link, they work.

As the source machine is behind NAT I cannot trace all the way back to the source machine but to the WAN interface on the firewall.

mtr did show high packet loss coming from the destination back to the source network, which is strange. But it doesn't explain why the server isn't sending the SYN ACK. It would if it was sending them and they weren't arriving.

The mtr results show some definite problems with that network. No matter what I'd be contacting my ISP and asking questions about that.

The reason I suggested tcptraceroute is that it is tcp based, whereas mtr is icmp as I recall.

And you're right about the problem with the response to the traffic. The network can't drop what isn't being sent.

On the server side, is there anywhere else the traffic could be routed? Do you have any sort of VPN tunnels to it? Are there any other interfaces with routes that could cause a problem?

nimnull22 suggested a more detailed tcpdump, but I'd take it further than what he recommended. Might as well get everything. Try this:

tcpdump -s 0 -Xevvvnni eth0 host <host IP> and port <port #>

You'll see plenty of information, but it could provide some helpful details. You might also capture traffic exiting your firewall on the source side and compare it against the traffic arriving at your server.

fizzdandantilus · 02-21-2010, 05:31 PM

This morning it took about 12 successful connections before capturing this failure.

nc port 6686 test with tcpdump -s 0 -Xevvvnni eth0

Code:

10:02:44.353392 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl  50, id 4842, offset 0, flags [DF], proto: TCP (6), length: 60) source.ip.address.61367 > destination.ip.address.6686: S, cksum 0xa03d (correct), 3371318105:3371318105(0) win 5840 <mss 1452,sackOK,timestamp 112763341 0,nop,wscale 3>
	0x0000:  4500 003c 12ea 4000 3206 5b7b a5e4 9a1b  E..<..@.2.[{....
	0x0010:  4540 5517 efb7 1a1e c8f2 3b59 0000 0000  E@U.......;Y....
	0x0020:  a002 16d0 a03d 0000 0204 05ac 0402 080a  .....=..........
	0x0030:  06b8 a1cd 0000 0000 0103 0303            ............
10:02:47.347827 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl  50, id 27385, offset 0, flags [DF], proto: TCP (6), length: 60) source.ip.address.61367 > destination.ip.address.6686: S, cksum 0x9485 (correct), 3371318105:3371318105(0) win 5840 <mss 1452,sackOK,timestamp 112766341 0,nop,wscale 3>
	0x0000:  4500 003c 6af9 4000 3206 036c a5e4 9a1b  E..<j.@.2..l....
	0x0010:  4540 5517 efb7 1a1e c8f2 3b59 0000 0000  E@U.......;Y....
	0x0020:  a002 16d0 9485 0000 0204 05ac 0402 080a  ................
	0x0030:  06b8 ad85 0000 0000 0103 0303            ............
10:02:53.349749 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl  50, id 48599, offset 0, flags [DF], proto: TCP (6), length: 60) source.ip.address.61367 > destination.ip.address.6686: S, cksum 0x7d15 (correct), 3371318105:3371318105(0) win 5840 <mss 1452,sackOK,timestamp 112772341 0,nop,wscale 3>
	0x0000:  4500 003c bdd7 4000 3206 b08d a5e4 9a1b  E..<..@.2.......
	0x0010:  4540 5517 efb7 1a1e c8f2 3b59 0000 0000  E@U.......;Y....
	0x0020:  a002 16d0 7d15 0000 0204 05ac 0402 080a  ....}...........
	0x0030:  06b8 c4f5 0000 0000 0103 0303            ............
10:03:05.343352 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl  50, id 27764, offset 0, flags [DF], proto: TCP (6), length: 60) source.ip.address.61367 > destination.ip.address.6686: S, cksum 0x4e35 (correct), 3371318105:3371318105(0) win 5840 <mss 1452,sackOK,timestamp 112784341 0,nop,wscale 3>
	0x0000:  4500 003c 6c74 4000 3206 01f1 a5e4 9a1b  E..<lt@.2.......
	0x0010:  4540 5517 efb7 1a1e c8f2 3b59 0000 0000  E@U.......;Y....
	0x0020:  a002 16d0 4e35 0000 0204 05ac 0402 080a  ....N5..........
	0x0030:  06b8 f3d5 0000 0000 0103 0303            ............
10:03:29.335820 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl  50, id 29918, offset 0, flags [DF], proto: TCP (6), length: 60) source.ip.address.61367 > destination.ip.address.6686: S, cksum 0xf074 (correct), 3371318105:3371318105(0) win 5840 <mss 1452,sackOK,timestamp 112808341 0,nop,wscale 3>
	0x0000:  4500 003c 74de 4000 3206 f986 a5e4 9a1b  E..<t.@.2.......
	0x0010:  4540 5517 efb7 1a1e c8f2 3b59 0000 0000  E@U.......;Y....
	0x0020:  a002 16d0 f074 0000 0204 05ac 0402 080a  .....t..........
	0x0030:  06b9 5195 0000 0000 0103 0303            ..Q.........
10:04:17.331478 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl  50, id 54429, offset 0, flags [DF], proto: TCP (6), length: 60) source.ip.address.61447 > destination.ip.address.6686: S, cksum 0x34a4 (correct), 3371318105:3371318105(0) win 5840 <mss 1452,sackOK,timestamp 112856341 0,nop,wscale 3>
	0x0000:  4500 003c d49d 4000 3206 99c7 a5e4 9a1b  E..<..@.2.......
	0x0010:  4540 5517 f007 1a1e c8f2 3b59 0000 0000  E@U.......;Y....
	0x0020:  a002 16d0 34a4 0000 0204 05ac 0402 080a  ....4...........
	0x0030:  06ba 0d15 0000 0000 0103 0303            ............

Here is a dump using another client that has never had problems connecting using the same gateway as the failed above.

Code:

10:22:43.754561 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl  50, id 25957, offset 0, flags [DF], proto: TCP (6), length: 60) source.ip.address.50192 > destination.ip.address.6686: S, cksum 0x5aea (correct), 2391746460:2391746460(0) win 5840 <mss 1452,sackOK,timestamp 517621954 0,nop,wscale 7>
	0x0000:  4500 003c 6565 4000 3206 0900 a5e4 9a1b  E..<ee@.2.......
	0x0010:  4540 5517 c410 1a1e 8e8f 279c 0000 0000  E@U.......'.....
	0x0020:  a002 16d0 5aea 0000 0204 05ac 0402 080a  ....Z...........
	0x0030:  1eda 48c2 0000 0000 0103 0307            ..H.........
10:22:43.754646 00:16:3e:79:4a:c9 > 00:00:0c:07:ac:02, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) destination.ip.address.6686 > source.ip.address.50192: S, cksum 0x39f3 (correct), 2866236669:2866236669(0) ack 2391746461 win 5792 <mss 1460,sackOK,timestamp 2593492643 517621954,nop,wscale 7>
	0x0000:  4500 003c 0000 4000 4006 6065 4540 5517  E..<..@.@.`eE@U.
	0x0010:  a5e4 9a1b 1a1e c410 aad7 4cfd 8e8f 279d  ..........L...'.
	0x0020:  a012 16a0 39f3 0000 0204 05b4 0402 080a  ....9...........
	0x0030:  9a95 8ea3 1eda 48c2 0103 0307            ......H.....
10:22:43.940960 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl  50, id 55139, offset 0, flags [DF], proto: TCP (6), length: 52) source.ip.address.50192 > destination.ip.address.6686: ., cksum 0x7f03 (correct), 1:1(0) ack 1 win 46 <nop,nop,timestamp 517622000 2593492643>
	0x0000:  4500 0034 d763 4000 3206 9709 a5e4 9a1b  E..4.c@.2.......
	0x0010:  4540 5517 c410 1a1e 8e8f 279d aad7 4cfe  E@U.......'...L.
	0x0020:  8010 002e 7f03 0000 0101 080a 1eda 48f0  ..............H.
	0x0030:  9a95 8ea3                                ....
10:22:46.583109 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl  50, id 44609, offset 0, flags [DF], proto: TCP (6), length: 57) source.ip.address.50192 > destination.ip.address.6686: P, cksum 0x8a88 (correct), 1:6(5) ack 1 win 46 <nop,nop,timestamp 517622660 2593492643>
	0x0000:  4500 0039 ae41 4000 3206 c026 a5e4 9a1b  E..9.A@.2..&....
	0x0010:  4540 5517 c410 1a1e 8e8f 279d aad7 4cfe  E@U.......'...L.
	0x0020:  8018 002e 8a88 0000 0101 080a 1eda 4b84  ..............K.
	0x0030:  9a95 8ea3 7465 7374 0a                   ....test.
10:22:46.583135 00:16:3e:79:4a:c9 > 00:00:0c:07:ac:02, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl  64, id 49708, offset 0, flags [DF], proto: TCP (6), length: 52) destination.ip.address.6686 > source.ip.address.50192: ., cksum 0x79a6 (correct), 1:1(0) ack 6 win 46 <nop,nop,timestamp 2593493351 517622660>
	0x0000:  4500 0034 c22c 4000 4006 9e40 4540 5517  E..4.,@.@..@E@U.
	0x0010:  a5e4 9a1b 1a1e c410 aad7 4cfe 8e8f 27a2  ..........L...'.
	0x0020:  8010 002e 79a6 0000 0101 080a 9a95 9167  ....y..........g
	0x0030:  1eda 4b84                                ..K.
10:22:49.832212 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl  50, id 4090, offset 0, flags [DF], proto: TCP (6), length: 52) source.ip.address.50192 > destination.ip.address.6686: F, cksum 0x7678 (correct), 6:6(0) ack 1 win 46 <nop,nop,timestamp 517623473 2593493351>
	0x0000:  4500 0034 0ffa 4000 3206 5e73 a5e4 9a1b  E..4..@.2.^s....
	0x0010:  4540 5517 c410 1a1e 8e8f 27a2 aad7 4cfe  E@U.......'...L.
	0x0020:  8011 002e 7678 0000 0101 080a 1eda 4eb1  ....vx........N.
	0x0030:  9a95 9167                                ...g
10:22:49.832335 00:16:3e:79:4a:c9 > 00:00:0c:07:ac:02, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl  64, id 49709, offset 0, flags [DF], proto: TCP (6), length: 52) destination.ip.address.6686 > source.ip.address.50192: F, cksum 0x734b (correct), 1:1(0) ack 7 win 46 <nop,nop,timestamp 2593494163 517623473>
	0x0000:  4500 0034 c22d 4000 4006 9e3f 4540 5517  E..4.-@.@..?E@U.
	0x0010:  a5e4 9a1b 1a1e c410 aad7 4cfe 8e8f 27a3  ..........L...'.
	0x0020:  8011 002e 734b 0000 0101 080a 9a95 9493  ....sK..........
	0x0030:  1eda 4eb1                                ..N.
10:22:50.018599 00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl  50, id 41895, offset 0, flags [DF], proto: TCP (6), length: 52) source.ip.address.50192 > destination.ip.address.6686: ., cksum 0x731c (correct), 7:7(0) ack 2 win 46 <nop,nop,timestamp 517623520 2593494163>
	0x0000:  4500 0034 a3a7 4000 3206 cac5 a5e4 9a1b  E..4..@.2.......
	0x0010:  4540 5517 c410 1a1e 8e8f 27a3 aad7 4cff  E@U.......'...L.
	0x0020:  8010 002e 731c 0000 0101 080a 1eda 4ee0  ....s.........N.
	0x0030:  9a95 9493                                ....

It looks like our ISP Telstra doesn't allow tcptracroute as it goes dead at their gateway. I'm really stumped... As i mentioned before I can see the SYN packet leaving the client arriving at the LAN interface of our router (pfsense) leave the router on the WAN port arrive at the destination server then unless a SYN ACK is sent back from that destination there is no connection. It shouldn't happen.

The only sysctl options that have been changed are:
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_tw_recycle = 1
The rest are default Centos 5.

Also note I have tried flushing iptables on the destination and it made no difference.

devwatchdog · 02-22-2010, 09:32 AM

Hello fizzdandantilus.

I can only imagine how frustrating this must be.

I looked over the captures you provided, and a few things stood out. One was how the MAC address to which your server responds changes.

The initial packet:

00:19:e8:e9:03:3f > 00:16:3e:79:4a:c9

Then the response:

00:16:3e:79:4a:c9 > 00:00:0c:07:ac:02

I don't know if that is something that is out of the ordinary, as the environment where your server is hosted is probably set up that way.

The other difference I noticed is the wscale values. We only have one successful capture in the thread, which shows the inbound and outbound wscale value set to 7. The connection attempts that fail show wscale values of 3, and the one where you show a response that did work after an extended period of time shows a response wscale value of 7.

I don't know if that has anything to do with this problem, but it could. I am going to do a bit of reading on the subject and see if I can gain a better understanding of it. I see a some hits on a search where others have had problems with it.

fizzdandantilus · 02-22-2010, 06:12 PM

00:00:0C:07:AC:02 is the ISP gateway interface and 00:19:e8:e9:03:3f must be another of the ISP routers (multi-homed). It's the only way I can explain it. I can dig further if you think it is worth looking into further.

I can confirm that the destination host has MAC 00:16:3E:79:4A:C9.

I do not understand TCP/IP networking enough to know what wscale is for. I appreciate all your efforts to help understand this issue.

nimnull22 · 02-22-2010, 06:25 PM

Quote:

Originally Posted by fizzdandantilus

...
Here is a dump using another client that has never had problems connecting using the same gateway as the failed above.
...

Can you please, explain the difference between "client that has never had problems" and other with problem.

Thanks

fizzdandantilus · 02-22-2010, 07:21 PM

OK, so I have a number of different workstations (Mac, Linux and Windows) on my LAN. The slow to connect/timed out seem to be predominantly Macs and Linux machines. I have not seen this issue with a Windows box yet, but I don't usually use one.

Although I have one linux box that never displays the connect issues. This is the one I use in my testing and refer to in the previous post.