Solved

buffer full. ASA or Server?

Posted on 2007-11-28
20
1,745 Views
Last Modified: 2013-11-16
I have wireshark running on a span port monitoring my ASA outside interface. I put a filter on a certain hosts public IP. Wireshark is reporting tons of TCP retransmissions, a couple of TCP Window Full, even more TCP Zero Window, TCP fast transmissions. I know these have to do with the buffers getting full. I was wondering can I point at the interface on the firewall for these or the server? Any help is appreciated.
0
Comment
Question by:wilsj
  • 10
  • 10
20 Comments
 
LVL 21

Expert Comment

by:from_exp
Comment Utility
show int on pix will give you a lot of info on this toppic
0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
Here is what sh int gi 0/1 looks like.

Interface GigabitEthernet0/1 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
        MAC address 001b.d4ca.3d61, MTU 1500
        IP address 216.146.x.x, subnet mask 255.255.255.224
        32444648 packets input, 17962316044 bytes, 0 no buffer
        Received 13728 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        32944848 packets output, 27907749685 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        input queue (curr/max blocks): hardware (0/0) software (0/0)
        output queue (curr/max blocks): hardware (0/31) software (0/0)
  Traffic Statistics for "outside":
        32444630 packets input, 17323833034 bytes
        32944848 packets output, 27301458409 bytes
        259734 packets dropped
      1 minute input rate 289 pkts/sec,  168231 bytes/sec
      1 minute output rate 288 pkts/sec,  213826 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 185 pkts/sec,  37826 bytes/sec
      5 minute output rate 213 pkts/sec,  205983 bytes/sec
      5 minute drop rate, 2 pkts/sec
0
 
LVL 21

Accepted Solution

by:
from_exp earned 500 total points
Comment Utility
as you can see input/output traffic statistics, your connection is 1 gbps, but traffic speed is relatively small:
168231*8/1000/1000 = 1.4 mbps IN and 1.7 mbps OUT
So it's not a case of buffers being filled up.
TCP retransmissions are common when you have some sort of shaping or rate limiting configured.
it is possible, your ISP is rate limiting you. in this case TCP protocol will try to use comform to allowed bandwidth and you'll see TCP retransmissions.
0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
How about the TCP Window Full and TCP Zero Window errors that wire shark is showing? Those mean the buffer are full right? from your statement above I think these would be coming from the server then?
0
 
LVL 21

Expert Comment

by:from_exp
Comment Utility
nice doc about tcp windows size:
http://dast.nlanr.net/Guides/GettingStarted/TCP_window_size.html
yes, your're right you should pay attention to your server and it's settings
0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
That is a nice article and i check all the settings but all our linux boxes have the latest kernels and are automated for connections. I created an access-list for traffic going to this specific host ont he ASA and capture the traffic do you have any idea what the nop,nop,sack,sack entries are? Are those equivalent to the retransmissions and tcp window full errors im getting in wireshark?


1512: 15:42:23.260957 72.14.85.94.2853 > 216.146.80.168.80: . ack 1098578626 win 65535 <nop,nop,sack sack 1 {1098581426:1098582826} >
1513: 15:42:23.272507 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952862425 win 16800 <nop,nop,sack sack 1 {1952865225:1952866625} >
1514: 15:42:23.283463 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952863825 win 16800 <nop,nop,sack sack 1 {1952865225:1952866625} >
1515: 15:42:23.286301 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952866625 win 14000
1516: 15:42:23.300658 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952866625 win 15400
1517: 15:42:23.300674 72.14.85.94.2853 > 216.146.80.168.80: . ack 1098582826 win 65535
1518: 15:42:23.303802 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952866625 win 16800
1519: 15:42:23.313246 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952868025 win 16800
1520: 15:42:23.315749 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952868025 win 16800 <nop,nop,sack sack 1 {1952870825:1952872225} >
0
 
LVL 21

Expert Comment

by:from_exp
Comment Utility
it seems this way client is trying to maintain session to the server.
nops - mean no operation
0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
So this would indicate a problem coming in not going out right? I created an access-list to capture the traffic both ways the one above only show coming traffic coming in. Here is some output from that. Where I can I find the meanings of the nop, sacks, wscale?


4256: 15:52:03.424050 75.58.40.197.50268 > 216.146.80.168.443: P 514633655:514633678(23) ack 2473192065 win 253
4257: 15:52:03.425698 75.58.40.197.50268 > 216.146.80.168.443: F 514633678:514633678(0) ack 2473192065 win 253
4258: 15:52:03.426018 216.146.80.168.443 > 75.58.40.197.50268: . ack 514633679 win 66
4259: 15:52:03.428231 75.58.40.197.50268 > 216.146.80.168.443: R 514633679:514633679(0) ack 2473192065 win 0
4260: 15:52:03.430489 75.58.40.197.50269 > 216.146.80.168.443: S 3857636567:3857636567(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
4261: 15:52:03.430946 216.146.80.168.443 > 75.58.40.197.50269: S 2610640691:2610640691(0) ack 3857636568 win 5840 <mss 1400,nop,nop,sackOK,nop,wscale 7>
4306: 15:52:03.491887 70.144.231.227.33727 > 216.146.80.168.80: . ack 1401262613 win 65535 <nop,nop,sack sack 2 {1401278013:1401279413}[|tcp]>
4307: 15:52:03.491917 75.58.40.197.50269 > 216.146.80.168.443: P 3857636678:3857636684(6) ack 2610640838 win 256
4308: 15:52:03.491933 75.58.40.197.50269 > 216.146.80.168.443: P 3857636684:3857636745(61) ack 2610640838 win 256
4309: 15:52:03.491948 216.146.80.163.18260 > 205.188.10.178.5190: P 2028587685:2028587691(6) ack 4022720556 win 33407
4310: 15:52:03.492207 216.146.80.163 > 216.21.44.2:  ip-proto-50, length 76
4311: 15:52:03.492390 216.146.80.168.80 > 70.144.231.227.33727: . 1401289213:1401290613(1400) ack 112679557 win 7504
4312: 15:52:03.492574 67.161.87.52.3289 > 216.146.80.168.443: P 3287073500:3287073610(110) ack 1829073855 win 16800
4313: 15:52:03.492604 70.144.231.227.33727 > 216.146.80.168.80: . ack 1401262613 win 65535 <nop,nop,sack sack 2 {1401276613:1401279413}[|tcp]>
4314: 15:52:03.492909 216.146.80.168.443 > 67.161.87.52.3289: . ack 3287073610 win 5840
4315: 15:52:03.493092 216.146.80.168.80 > 70.144.231.227.33727: . 1401290613:1401292013(1400) ack 112679557 win 7504
4316: 15:52:03.493169 216.146.80.168.443 > 67.161.87.52.3289: P 1829073855:1829074001(146) ack 3287073610 win 5840
4319: 15:52:03.499455 70.144.231.227.33727 > 216.146.80.168.80: . ack 1401262613 win 65535 <nop,nop,sack sack 2 {1401272413:1401276613}[|tcp]>
4320: 15:52:03.499531 75.58.40.197.50269 > 216.146.80.168.443: P 3857636745:3857637173(428) ack 2610640838 win 256
0
 
LVL 21

Expert Comment

by:from_exp
Comment Utility
Dunno this time, I had very good book once.
try to check wireshark(ethereal) manual.
I can't see anything bad from the traffic log you have showed

btw, just check "netstat -in" to be sure you're not having any drops on the interface of your server


0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
I don't see any drops on nics of the server either. I now I posted for an ASA but would you happen to know how I would get a capture of the traffic coming into the router? For example on the ASA i can create an access-list and associate a capture to that is there something similar for a 2851 cisco router?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 21

Expert Comment

by:from_exp
Comment Utility
a bit different here. normally you configure so called monitoring port and monitored port on the switch or mirroring and mirrored ports
so you tell switch to mirror all traffic that appears on port A to port B
to port B you attach wireshark and you have all the traffic.
additionally you can specify filter to mirror only specific traffic.
0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
Ok, I don't know if this tells you anything but when I do a ping 216.146.80.168 -l 1400 -t i get reply after reply. But when I raise the packet size to 1475 and up all I get are timeouts. Could this be a potential problem?
0
 
LVL 21

Expert Comment

by:from_exp
Comment Utility
yepp
for every network environment you have MTU (maximum transmission unit).
for example within ethernet MTU is 1500 bytes. if packet is bigger, than it will be fragmented.
when do ping with -l 1400 you set payload for the packet, than additional header of 28 bytes are applied and packet is sent to network with size 1428. when you set payload of 1475, than resulting packet size is 1503 - bigger than MTU. in this case your OS should fragment packet into two pieces and send both of them.
in your case it seem your pc is trying to sent 1503 bytes to network and the packet is blocked somewhere.
0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
ok i created a new capture for first TCP packet not syn. When I do a sh asp drop this seems to be the most dropped traffic and when I look at the capture about 98% are going to the specified host above. Shoud i be allowing this kind of traffic? Does this have anything to do with the traffic arriving out of order maybe?


  1: 09:37:58.596603 128.208.81.60.3146 > 216.146.80.168.443: R 1329208275:1329208275(0) win 0
   2: 09:37:59.132897 128.208.81.60.3147 > 216.146.80.168.443: R 3436283234:3436283234(0) win 0
   3: 09:37:59.698953 128.208.81.60.3148 > 216.146.80.168.443: R 3174027936:3174027936(0) win 0
   4: 09:37:59.814899 75.59.150.99.1443 > 216.21.41.166.8080: R 4217981376:4217981376(0) ack 2463618108 win 0
   5: 09:38:00.094904 70.21.10.33.50301 > 216.146.80.168.443: R 1990236951:1990236951(0) win 0
   6: 09:38:00.190602 128.208.81.60.3149 > 216.146.80.168.443: R 4182034188:4182034188(0) win 0
   7: 09:38:00.503163 192.168.1.85.4455 > 192.168.32.9.443: R 3655882302:3655882302(0) win 0
   8: 09:38:00.746985 128.208.81.60.3150 > 216.146.80.168.443: R 3578404078:3578404078(0) win 0
   9: 09:38:01.219730 128.208.81.60.3151 > 216.146.80.168.443: R 3869359599:3869359599(0) win 0
  10: 09:38:01.716637 128.208.81.60.3152 > 216.146.80.168.443: R 3496157955:3496157955(0) win 0
  11: 09:38:02.185949 128.208.81.60.3153 > 216.146.80.168.443: R 3180395453:3180395453(0) win 0
  12: 09:38:02.727638 128.208.81.60.3154 > 216.146.80.168.443: R 2022051507:2022051507(0) win 0
  13: 09:38:03.246645 128.208.81.60.3155 > 216.146.80.168.443: R 4270195937:4270195937(0) win 0
  14: 09:38:03.548189 216.15.159.50.62604 > 216.21.41.166.25: F 4036857121:4036857121(0) ack 4066860372 win 16469
  15: 09:38:04.095927 128.208.81.60.3156 > 216.146.80.168.443: R 2410403895:2410403895(0) win 0
  16: 09:38:04.643948 128.208.81.60.3157 > 216.146.80.168.443: R 4218078275:4218078275(0) win 0
  17: 09:38:04.981089 75.45.217.170.2068 > 216.146.80.168.443: R 3732781327:3732781327(0) ack 807752051 win 0
  18: 09:38:05.356304 128.208.81.60.3158 > 216.146.80.168.443: R 3434374728:3434374728(0) win 0
  19: 09:38:05.924878 128.208.81.60.3159 > 216.146.80.168.443: R 3414191270:3414191270(0) win 0
  20: 09:38:06.470602 128.208.81.60.3160 > 216.146.80.168.443: R 4086421856:4086421856(0) win 0
  21: 09:38:10.158317 67.137.2.3.1829 > 216.146.80.168.443: R 847526398:847526398(0) win 0
  22: 09:38:10.158362 67.137.2.3.1829 > 216.146.80.168.443: R 847526399:847526399(0) win 0
  23: 09:38:11.474310 67.137.2.3.1830 > 216.146.80.168.443: R 3525828719:3525828719(0) win 0
  24: 09:38:11.579086 192.168.32.9.443 > 72.69.133.251.50757: . ack 8957445 win 65
  25: 09:38:12.174795 216.86.188.235.50278 > 216.146.80.168.443: R 2292942922:2292942922(0) ack 2112806569 win 0
  26: 09:38:12.270234 216.86.188.235.50278 > 216.146.80.168.443: R 2292942922:2292942922(0) win 0
  27: 09:38:12.925626 67.137.2.3.1831 > 216.146.80.168.443: R 1369870491:1369870491(0) win 0
  28: 09:38:13.474172 67.137.2.3.1832 > 216.146.80.168.443: R 2394410424:2394410424(0) win 0
  29: 09:38:14.584671 67.137.2.3.1833 > 216.146.80.168.443: R 906319091:906319091(0) win 0
  30: 09:38:15.136314 67.137.2.3.1834 > 216.146.80.168.443: R 2554919140:2554919140(0) win 0
  31: 09:38:15.604109 67.137.2.3.1835 > 216.146.80.168.443: R 1519278733:1519278733(0) win 0
  32: 09:38:16.048764 67.137.2.3.1836 > 216.146.80.168.443: R 1488504995:1488504995(0) win 0
  33: 09:38:16.472723 67.137.2.3.1837 > 216.146.80.168.443: R 724252455:724252455(0) win 0
  34: 09:38:16.901915 67.137.2.3.1838 > 216.146.80.168.443: R 687272924:687272924(0) win 0
  35: 09:38:17.323378 67.137.2.3.1839 > 216.146.80.168.443: R 3842487420:3842487420(0) win 0
  36: 09:38:17.735069 67.137.2.3.1840 > 216.146.80.168.443: R 4186093823:4186093823(0) win 0
  37: 09:38:18.108118 67.137.2.3.1841 > 216.146.80.168.443: R 3955718652:3955718652(0) win 0
  38: 09:38:18.570801 67.137.2.3.1842 > 216.146.80.168.443: R 2349903884:2349903884(0) win 0
  39: 09:38:19.000259 67.137.2.3.1843 > 216.146.80.168.443: R 4208857933:4208857933(0) win 0
  40: 09:38:19.496022 67.137.2.3.1844 > 216.146.80.168.443: R 3259569670:3259569670(0) win 0
  41: 09:38:19.531314 216.15.159.50.62604 > 216.21.41.166.25: F 4036857121:4036857121(0) ack 4066860372 win 16469
  42: 09:38:19.916517 67.137.2.3.1845 > 216.146.80.168.443: R 3178957911:3178957911(0) win 0
  43: 09:38:20.345761 67.137.2.3.1846 > 216.146.80.168.443: R 2024489868:2024489868(0) win 0
  44: 09:38:20.759131 67.137.2.3.1847 > 216.146.80.168.443: R 2545233001:2545233001(0) win 0
  45: 09:38:21.320295 192.168.1.85.4457 > 192.168.32.9.443: R 754477034:754477034(0) win 0
  46: 09:38:21.380122 192.168.1.85.4458 > 192.168.32.9.443: R 4264280859:4264280859(0) win 0
  47: 09:38:25.258165 67.137.2.3.1848 > 216.146.80.168.443: R 3563880602:3563880602(0) win 0
  48: 09:38:27.906294 67.137.2.3.1849 > 216.146.80.168.443: R 860375051:860375051(0) win 0
  49: 09:38:29.809848 71.217.60.134.1757 > 216.21.41.166.8080: R 1862512940:1862512940(0) win 0
  50: 09:38:29.823916 71.217.60.134.1677 > 216.21.41.166.8080: R 4157317584:4157317584(0) win 0
  51: 09:38:29.833437 71.217.60.134.1756 > 216.21.41.166.8080: R 1692515993:1692515993(0) win 0
  52: 09:38:29.840959 71.217.60.134.1756 > 216.21.41.166.8080: R 1692515993:1692515993(0) win 0
  53: 09:38:30.559648 76.211.236.161.60659 > 216.146.80.168.443: R 2741387118:2741387118(0) win 0
  54: 09:38:30.896895 72.69.133.251.50760 > 216.146.80.168.443: R 2197300486:2197300486(0) ack 901691426 win 0
  55: 09:38:31.116861 72.69.133.251.50761 > 216.146.80.168.443: R 1157828075:1157828075(0) ack 1703811960 win 0
  56: 09:38:32.570649 12.191.191.8.33746 > 216.146.80.168.80: . ack 2112178653 win 65535
  57: 09:38:32.570801 12.191.191.8.33746 > 216.146.80.168.80: . ack 2112178653 win 65535
  58: 09:38:39.401697 71.217.227.199.3647 > 216.146.80.168.443: R 986571586:986571586(0) win 0
  59: 09:38:40.554353 68.165.188.82.50505 > 216.146.80.168.443: R 341434172:341434172(0) ack 1299715543 win 0
  60: 09:38:40.592880 68.165.188.82.50505 > 216.146.80.168.443: R 341434172:341434172(0) win 0
  61: 09:38:44.519458 12.205.207.8.2141 > 216.146.80.168.443: R 1619872954:1619872954(0) win 0
  62: 09:38:44.829180 12.205.207.8.2142 > 216.146.80.168.443: R 2483751133:2483751133(0) win 0
  63: 09:38:45.552248 12.205.207.8.2143 > 216.146.80.168.443: R 2752719645:2752719645(0) win 0
  64: 09:38:45.882751 12.205.207.8.2144 > 216.146.80.168.443: R 1580195651:1580195651(0) win 0
  65: 09:38:46.086222 12.205.207.8.2145 > 216.146.80.168.443: R 3829514314:3829514314(0) win 0
  66: 09:38:46.370311 12.205.207.8.2146 > 216.146.80.168.443: R 2292248548:2292248548(0) win 0
  67: 09:38:46.578659 12.205.207.8.2147 > 216.146.80.168.443: R 1085435740:1085435740(0) win 0
  68: 09:38:46.766210 12.205.207.8.2148 > 216.146.80.168.443: R 2130639099:2130639099(0) win 0
  69: 09:38:47.014312 12.205.207.8.2149 > 216.146.80.168.443: R 460403657:460403657(0) win 0
  70: 09:38:47.251634 12.205.207.8.2150 > 216.146.80.168.443: R 3880362357:3880362357(0) win 0
  71: 09:38:47.439521 12.205.207.8.2151 > 216.146.80.168.443: R 2114706798:2114706798(0) win 0
  72: 09:38:47.654202 12.205.207.8.2152 > 216.146.80.168.443: R 4145308270:4145308270(0) win 0
  73: 09:38:47.870453 12.205.207.8.2153 > 216.146.80.168.443: R 2585192714:2585192714(0) win 0
  74: 09:38:48.180441 12.205.207.8.2154 > 216.146.80.168.443: R 387059254:387059254(0) win 0
  75: 09:38:48.384211 12.205.207.8.2155 > 216.146.80.168.443: R 3632690203:3632690203(0) win 0
  76: 09:38:51.482900 216.15.159.50.62604 > 216.21.41.166.25: F 4036857121:4036857121(0) ack 4066860372 win 16469
  77: 09:38:52.776174 192.168.32.9.443 > 69.127.10.204.52517: . ack 2107586394 win 73
  78: 09:38:53.153007 75.2.10.207.1750 > 216.21.41.166.8080: R 235419526:235419526(0) ack 4133100621 win 0
  79: 09:38:56.427071 71.217.227.199.3647 > 216.146.80.168.443: R 986571586:986571586(0) ack 1808835570 win 0
  80: 09:39:00.513096 70.21.10.33.50302 > 216.146.80.168.443: R 3116868761:3116868761(0) win 0
  81: 09:39:01.266297 192.168.1.114.1847 > 202.173.25.200.443: . ack 877169718 win 0
  82: 09:39:02.468252 192.168.1.108.1227 > 63.245.213.32.443: R 1439709601:1439709601(0) win 0
  83: 09:39:02.563157 67.46.138.185.17593 > 216.21.41.166.995: R 3282617675:3282617675(0) ack 2827275061 win 16000
  84: 09:39:02.864747 69.246.215.188.3506 > 216.146.80.168.443: R 1708735607:1708735607(0) win 0
  85: 09:39:02.864808 69.246.215.188.3506 > 216.146.80.168.443: R 1708735583:1708735583(0) win 0
  86: 09:39:03.703576 192.168.1.114.1848 > 202.173.25.200.443: . ack 603018104 win 0
  87: 09:39:05.490117 68.167.191.128.25051 > 216.21.41.166.80: . ack 3942770484 win 64512
  88: 09:39:05.584244 68.167.191.128.25051 > 216.21.41.166.80: . ack 3942770484 win 64512
  89: 09:39:05.888397 74.135.252.40.2205 > 216.146.80.168.443: R 2566918656:2566918656(0) win 0
  90: 09:39:05.888503 74.135.252.40.2205 > 216.146.80.168.443: R 2566918680:2566918680(0) win 0
  91: 09:39:06.133675 192.168.1.114.1849 > 202.173.25.200.443: . ack 1163974725 win 0
  92: 09:39:06.529177 74.135.252.40.2206 > 216.146.80.168.443: R 2742466841:2742466841(0) win 0
  93: 09:39:07.935452 67.137.2.3.1850 > 216.146.80.168.443: R 2883325510:2883325510(0) win 0
  94: 09:39:07.938519 67.137.2.3.1850 > 216.146.80.168.443: R 2883325511:2883325511(0) win 0
  95: 09:39:08.043347 192.168.9.2.139 > 172.16.1.7.1864: S 2219695796:2219695796(0) ack 1135143469 win 65535 <mss 1460,nop,nop,sackOK>
  96: 09:39:11.258378 192.168.9.2.139 > 172.16.1.7.1864: S 2220484156:2220484156(0) ack 1135143469 win 65535 <mss 1460,nop,nop,sackOK>
  97: 09:39:11.266145 69.214.13.243.1567 > 216.21.41.166.80: R 1503803842:1503803842(0) ack 437442379 win 0
  98: 09:39:12.536837 216.86.188.235.50281 > 216.146.80.168.443: R 3957800035:3957800035(0) ack 2516851838 win 0
  99: 09:39:12.617109 216.86.188.235.50281 > 216.146.80.168.443: R 3957800034:3957800034(0) win 0
 100: 09:39:12.619688 216.86.188.235.50281 > 216.146.80.168.443: R 3957800035:3957800035(0) win 0
 101: 09:39:12.658901 68.100.116.65.1315 > 216.146.80.168.443: R 279822917:279822917(0) win 0
 102: 09:39:15.394129 88.226.226.42.49629 > 216.21.41.166.25: R 904198567:904198567(0) ack 3114427033 win 24000
 103: 09:39:18.187047 98.17.60.111.61530 > 216.146.80.168.443: R 3150177098:3150177098(0) ack 1002619057 win 0
 104: 09:39:18.222354 98.17.60.111.61530 > 216.146.80.168.443: R 3150177098:3150177098(0) win 0
 105: 09:39:19.669307 66.84.192.148.1356 > 216.21.41.166.8080: . ack 3972611002 win 65535
 106: 09:39:25.074809 192.168.11.66.139 > 172.16.1.7.1867: S 2847876568:2847876568(0) ack 1905013772 win 5840 <mss 1460,nop,nop,sackOK>
 107: 09:39:25.930829 74.135.252.40.2209 > 216.146.80.168.443: R 1669995117:1669995117(0) win 0
 108: 09:39:25.934476 74.135.252.40.2209 > 216.146.80.168.443: R 1669995141:1669995141(0) win 0
 109: 09:39:26.109170 74.135.252.40.2210 > 216.146.80.168.443: R 4201762158:4201762158(0) win 0
 110: 09:39:26.168661 216.86.188.235.50283 > 216.146.80.168.443: R 3372020103:3372020103(0) ack 2485184734 win 0
 111: 09:39:26.251558 216.86.188.235.50283 > 216.146.80.168.443: R 3372020103:3372020103(0) win 0
 112: 09:39:26.545412 192.168.32.9.443 > 216.86.188.235.50284: . ack 800001937 win 77
 113: 09:39:30.274842 76.211.236.161.60663 > 216.146.80.168.443: R 449589406:449589406(0) win 0
 114: 09:39:31.957714 192.168.32.9.443 > 72.170.88.73.13799: . ack 2677729529 win 7872
 115: 09:39:32.154182 72.170.88.73.13799 > 216.146.80.168.443: R 3951362727:3951362727(0) win 0
 116: 09:39:32.154243 72.170.88.73.13799 > 216.146.80.168.443: R 3951362728:3951362728(0) win 0
 117: 09:39:41.727074 216.86.188.235.50285 > 216.146.80.168.443: R 3970542377:3970542377(0) ack 2741432436 win 0
 118: 09:39:41.789311 216.86.188.235.50285 > 216.146.80.168.443: R 3970542353:3970542353(0) win 0
 119: 09:39:41.812366 216.86.188.235.50285 > 216.146.80.168.443: R 3970542376:3970542376(0) win 0
 120: 09:39:41.814700 216.86.188.235.50285 > 216.146.80.168.443: R 3970542377:3970542377(0) win 0
 121: 09:39:45.889190 66.109.157.108.3093 > 216.146.80.168.443: R 2182397099:2182397099(0) win 0
 122: 09:39:45.889251 66.109.157.108.3093 > 216.146.80.168.443: R 2182397123:2182397123(0) win 0
 123: 09:39:47.579941 68.196.217.103.2946 > 216.146.80.168.443: R 1038675694:1038675694(0) win 0
 124: 09:39:53.242495 192.168.32.9.443 > 69.127.10.204.52518: . ack 1196786678 win 65
 125: 09:39:54.476843 192.168.1.85.4460 > 192.168.32.9.443: R 1723982673:1723982673(0) win 0
 126: 09:39:54.476888 192.168.1.85.4460 > 192.168.32.9.443: R 1723982674:1723982674(0) win 0
 127: 09:39:55.636289 192.168.1.85.4461 > 192.168.32.9.443: R 1642188085:1642188085(0) win 0
 128: 09:39:57.760916 192.168.32.9.443 > 69.146.204.143.49914: . ack 1506323643 win 65
 129: 09:39:58.099726 192.168.3.65.39253 > 69.20.104.197.80: R 3811859075:3811859075(0) win 0
 130: 09:40:00.120172 192.168.1.85.4462 > 192.168.32.9.443: R 1817508311:1817508311(0) win 0
 131: 09:40:00.758032 68.196.217.103.2948 > 216.146.80.168.443: R 3533754946:3533754946(0) win 0
 132: 09:40:00.992075 68.196.217.103.2949 > 216.146.80.168.443: R 3121528541:3121528541(0) win 0
 133: 09:40:05.119027 75.45.217.170.2069 > 216.146.80.168.443: R 2011103626:2011103626(0) ack 2423109281 win 0
 134: 09:40:05.232806 70.57.145.128.14810 > 216.146.80.168.80: . ack 1457979559 win 16486
 135: 09:40:05.469061 70.57.145.128.14822 > 216.146.80.168.80: . ack 1846172058 win 16486
135 packets shown
0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
As you can see above this is also happening inside as well. host 192.168.1.85 > 192.168.32.9
0
 
LVL 21

Expert Comment

by:from_exp
Comment Utility
Wilsj what do you mean "this is also happening inside as well. host 192.168.1.85 > 192.168.32.9"

what I can see from your capture - a lot of rst packets. Without having full picture, i can allow two things here:
one client are terminating connections in such a rude way or your server is bombing client with some data and clients just saying "get off me"

0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
Oh, I just meant it is the same host 32.9 is the dmz addres for the 216.146.80.168 public.
0
 
LVL 21

Expert Comment

by:from_exp
Comment Utility
ok, i got you!
But anyway I can't see any bad things happening here
0
 
LVL 5

Author Comment

by:wilsj
Comment Utility
Ok, thanks for all your help. I would give you a 1000 points if I could. Always appreciated.
0
 
LVL 21

Expert Comment

by:from_exp
Comment Utility
Thanks!
Good luck!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now