wilsj

buffer full. ASA or Server?

I have Wireshark running on a SPAN port monitoring my ASA outside interface. I put a filter on a certain host's public IP. Wireshark is reporting tons of TCP retransmissions, a couple of TCP Window Full, even more TCP Zero Window, and TCP fast transmissions. I know these have to do with the buffers getting full. I was wondering, can I point at the interface on the firewall for these, or the server? Any help is appreciated.
from_exp

show int on pix will give you a lot of info on this topic
wilsj

ASKER

Here is what sh int gi 0/1 looks like.

Interface GigabitEthernet0/1 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
        MAC address 001b.d4ca.3d61, MTU 1500
        IP address 216.146.x.x, subnet mask 255.255.255.224
        32444648 packets input, 17962316044 bytes, 0 no buffer
        Received 13728 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        32944848 packets output, 27907749685 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        input queue (curr/max blocks): hardware (0/0) software (0/0)
        output queue (curr/max blocks): hardware (0/31) software (0/0)
  Traffic Statistics for "outside":
        32444630 packets input, 17323833034 bytes
        32944848 packets output, 27301458409 bytes
        259734 packets dropped
      1 minute input rate 289 pkts/sec,  168231 bytes/sec
      1 minute output rate 288 pkts/sec,  213826 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 185 pkts/sec,  37826 bytes/sec
      5 minute output rate 213 pkts/sec,  205983 bytes/sec
      5 minute drop rate, 2 pkts/sec
ASKER CERTIFIED SOLUTION
from_exp
This solution is only available to members.

ASKER

How about the TCP Window Full and TCP Zero Window errors that Wireshark is showing? Those mean the buffers are full, right? From your statement above I think these would be coming from the server then?
Nice doc about TCP window size:
http://dast.nlanr.net/Guides/GettingStarted/TCP_window_size.html
Yes, you're right, you should pay attention to your server and its settings

ASKER

That is a nice article and I checked all the settings, but all our Linux boxes have the latest kernels and are automated for connections. I created an access-list for traffic going to this specific host on the ASA and captured the traffic. Do you have any idea what the nop,nop,sack,sack entries are? Are those equivalent to the retransmissions and TCP Window Full errors I'm getting in Wireshark?


1512: 15:42:23.260957 72.14.85.94.2853 > 216.146.80.168.80: . ack 1098578626 win 65535 <nop,nop,sack sack 1 {1098581426:1098582826} >
1513: 15:42:23.272507 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952862425 win 16800 <nop,nop,sack sack 1 {1952865225:1952866625} >
1514: 15:42:23.283463 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952863825 win 16800 <nop,nop,sack sack 1 {1952865225:1952866625} >
1515: 15:42:23.286301 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952866625 win 14000
1516: 15:42:23.300658 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952866625 win 15400
1517: 15:42:23.300674 72.14.85.94.2853 > 216.146.80.168.80: . ack 1098582826 win 65535
1518: 15:42:23.303802 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952866625 win 16800
1519: 15:42:23.313246 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952868025 win 16800
1520: 15:42:23.315749 68.102.178.110.2066 > 216.146.80.168.80: . ack 1952868025 win 16800 <nop,nop,sack sack 1 {1952870825:1952872225} >
It seems this way the client is trying to maintain the session to the server.
nops mean no operation

ASKER

So this would indicate a problem coming in, not going out, right? I created an access-list to capture the traffic both ways; the one above only shows traffic coming in. Here is some output from that. Where can I find the meanings of the nop, sacks, wscale?


4256: 15:52:03.424050 75.58.40.197.50268 > 216.146.80.168.443: P 514633655:514633678(23) ack 2473192065 win 253
4257: 15:52:03.425698 75.58.40.197.50268 > 216.146.80.168.443: F 514633678:514633678(0) ack 2473192065 win 253
4258: 15:52:03.426018 216.146.80.168.443 > 75.58.40.197.50268: . ack 514633679 win 66
4259: 15:52:03.428231 75.58.40.197.50268 > 216.146.80.168.443: R 514633679:514633679(0) ack 2473192065 win 0
4260: 15:52:03.430489 75.58.40.197.50269 > 216.146.80.168.443: S 3857636567:3857636567(0) win 8192 <mss 1452,nop,wscale 8,nop,nop,sackOK>
4261: 15:52:03.430946 216.146.80.168.443 > 75.58.40.197.50269: S 2610640691:2610640691(0) ack 3857636568 win 5840 <mss 1400,nop,nop,sackOK,nop,wscale 7>
4306: 15:52:03.491887 70.144.231.227.33727 > 216.146.80.168.80: . ack 1401262613 win 65535 <nop,nop,sack sack 2 {1401278013:1401279413}[|tcp]>
4307: 15:52:03.491917 75.58.40.197.50269 > 216.146.80.168.443: P 3857636678:3857636684(6) ack 2610640838 win 256
4308: 15:52:03.491933 75.58.40.197.50269 > 216.146.80.168.443: P 3857636684:3857636745(61) ack 2610640838 win 256
4309: 15:52:03.491948 216.146.80.163.18260 > 205.188.10.178.5190: P 2028587685:2028587691(6) ack 4022720556 win 33407
4310: 15:52:03.492207 216.146.80.163 > 216.21.44.2:  ip-proto-50, length 76
4311: 15:52:03.492390 216.146.80.168.80 > 70.144.231.227.33727: . 1401289213:1401290613(1400) ack 112679557 win 7504
4312: 15:52:03.492574 67.161.87.52.3289 > 216.146.80.168.443: P 3287073500:3287073610(110) ack 1829073855 win 16800
4313: 15:52:03.492604 70.144.231.227.33727 > 216.146.80.168.80: . ack 1401262613 win 65535 <nop,nop,sack sack 2 {1401276613:1401279413}[|tcp]>
4314: 15:52:03.492909 216.146.80.168.443 > 67.161.87.52.3289: . ack 3287073610 win 5840
4315: 15:52:03.493092 216.146.80.168.80 > 70.144.231.227.33727: . 1401290613:1401292013(1400) ack 112679557 win 7504
4316: 15:52:03.493169 216.146.80.168.443 > 67.161.87.52.3289: P 1829073855:1829074001(146) ack 3287073610 win 5840
4319: 15:52:03.499455 70.144.231.227.33727 > 216.146.80.168.80: . ack 1401262613 win 65535 <nop,nop,sack sack 2 {1401272413:1401276613}[|tcp]>
4320: 15:52:03.499531 75.58.40.197.50269 > 216.146.80.168.443: P 3857636745:3857637173(428) ack 2610640838 win 256
Dunno this time, I had a very good book once.
Try checking the Wireshark (Ethereal) manual.
I can't see anything bad in the traffic log you have shown

btw, just check "netstat -in" to be sure you're not having any drops on the interface of your server
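
For the question above about what nop, sack and wscale mean, an added example (not part of the original posts) that decodes a raw TCP options field in Python. The option bytes are constructed here to match the options printed in capture lines 4260 and 1512; the function and constant names are this example's own.

```python
import struct

# Option kinds from the TCP specifications (RFC 9293, RFC 7323, RFC 2018).
EOL, NOP, MSS, WSCALE, SACK_OK, SACK = 0, 1, 2, 3, 4, 5

def parse_tcp_options(raw: bytes):
    """Decode a TCP options field into a list of (name, value) tuples."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                      # end of option list, rest is padding
            break
        if kind == NOP:                      # 1-byte filler that aligns the next option
            opts.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]                  # counts kind + length + body
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = raw[i + 2:i + length]
        if kind == MSS and length == 4:
            opts.append(("mss", struct.unpack("!H", body)[0]))
        elif kind == WSCALE and length == 3:
            opts.append(("wscale", body[0]))
        elif kind == SACK_OK and length == 2:
            opts.append(("sackOK", None))
        elif kind == SACK and length >= 10 and (length - 2) % 8 == 0:
            # Pairs of 32-bit sequence numbers: left and right edge of each block.
            edges = struct.unpack(f"!{len(body) // 4}I", body)
            opts.append(("sack", list(zip(edges[0::2], edges[1::2]))))
        else:
            opts.append((f"kind{kind}", body))
        i += length
    return opts

def scaled_window(win_field: int, sender_wscale: int) -> int:
    """Bytes advertised by a non-SYN segment once window scaling is negotiated."""
    return win_field << sender_wscale

# Constructed bytes for <mss 1452,nop,wscale 8,nop,nop,sackOK> (capture line 4260).
SYN_OPTS = bytes.fromhex("020405ac0103030801010402")
# Constructed bytes for <nop,nop,sack 1 {1098581426:1098582826}> (capture line 1512).
SACK_OPTS = bytes([NOP, NOP, SACK, 10]) + struct.pack("!II", 1098581426, 1098582826)

if __name__ == "__main__":
    print(parse_tcp_options(SYN_OPTS))
    ack = 1098578626                         # ack number printed on capture line 1512
    for left, right in parse_tcp_options(SACK_OPTS)[2][1]:
        print(f"receiver holds {right - left} bytes at {left}, "
              f"still missing {left - ack} bytes before them")
    print("client win 256 with wscale 8 =", scaled_window(256, 8), "bytes")
```

The win value on non-SYN segments is the raw 16-bit field, so after both SYNs carried wscale the client's win 256 on line 4307 stands for 65536 bytes. A sack block lists data the receiver already holds beyond its ack number, which tells the sender which earlier segments to retransmit.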



ASKER

I don't see any drops on NICs of the server either. I know I posted for an ASA, but would you happen to know how I would get a capture of the traffic coming into the router? For example, on the ASA I can create an access-list and associate a capture to that. Is there something similar for a 2851 Cisco router?
A bit different here. Normally you configure a so-called monitoring port and monitored port on the switch, or mirroring and mirrored ports,
so you tell the switch to mirror all traffic that appears on port A to port B.
To port B you attach Wireshark and you have all the traffic.
Additionally, you can specify a filter to mirror only specific traffic.

ASKER

Ok, I don't know if this tells you anything, but when I do a ping 216.146.80.168 -l 1400 -t I get reply after reply. But when I raise the packet size to 1475 and up all I get are timeouts. Could this be a potential problem?
Yep.
For every network environment you have an MTU (maximum transmission unit).
For example, within Ethernet the MTU is 1500 bytes. If a packet is bigger, then it will be fragmented.
When you ping with -l 1400 you set the payload for the packet, then an additional header of 28 bytes is applied and the packet is sent to the network with size 1428. When you set a payload of 1475, the resulting packet size is 1503, bigger than the MTU. In this case your OS should fragment the packet into two pieces and send both of them.
In your case it seems your PC is trying to send 1503 bytes to the network and the packet is blocked somewhere.

ASKER

Ok, I created a new capture for first TCP packet not SYN. When I do a sh asp drop this seems to be the most dropped traffic, and when I look at the capture about 98% are going to the specified host above. Should I be allowing this kind of traffic? Does this have anything to do with the traffic arriving out of order maybe?


  1: 09:37:58.596603 128.208.81.60.3146 > 216.146.80.168.443: R 1329208275:1329208275(0) win 0
   2: 09:37:59.132897 128.208.81.60.3147 > 216.146.80.168.443: R 3436283234:3436283234(0) win 0
   3: 09:37:59.698953 128.208.81.60.3148 > 216.146.80.168.443: R 3174027936:3174027936(0) win 0
   4: 09:37:59.814899 75.59.150.99.1443 > 216.21.41.166.8080: R 4217981376:4217981376(0) ack 2463618108 win 0
   5: 09:38:00.094904 70.21.10.33.50301 > 216.146.80.168.443: R 1990236951:1990236951(0) win 0
   6: 09:38:00.190602 128.208.81.60.3149 > 216.146.80.168.443: R 4182034188:4182034188(0) win 0
   7: 09:38:00.503163 192.168.1.85.4455 > 192.168.32.9.443: R 3655882302:3655882302(0) win 0
   8: 09:38:00.746985 128.208.81.60.3150 > 216.146.80.168.443: R 3578404078:3578404078(0) win 0
   9: 09:38:01.219730 128.208.81.60.3151 > 216.146.80.168.443: R 3869359599:3869359599(0) win 0
  10: 09:38:01.716637 128.208.81.60.3152 > 216.146.80.168.443: R 3496157955:3496157955(0) win 0
  11: 09:38:02.185949 128.208.81.60.3153 > 216.146.80.168.443: R 3180395453:3180395453(0) win 0
  12: 09:38:02.727638 128.208.81.60.3154 > 216.146.80.168.443: R 2022051507:2022051507(0) win 0
  13: 09:38:03.246645 128.208.81.60.3155 > 216.146.80.168.443: R 4270195937:4270195937(0) win 0
  14: 09:38:03.548189 216.15.159.50.62604 > 216.21.41.166.25: F 4036857121:4036857121(0) ack 4066860372 win 16469
  15: 09:38:04.095927 128.208.81.60.3156 > 216.146.80.168.443: R 2410403895:2410403895(0) win 0
  16: 09:38:04.643948 128.208.81.60.3157 > 216.146.80.168.443: R 4218078275:4218078275(0) win 0
  17: 09:38:04.981089 75.45.217.170.2068 > 216.146.80.168.443: R 3732781327:3732781327(0) ack 807752051 win 0
  18: 09:38:05.356304 128.208.81.60.3158 > 216.146.80.168.443: R 3434374728:3434374728(0) win 0
  19: 09:38:05.924878 128.208.81.60.3159 > 216.146.80.168.443: R 3414191270:3414191270(0) win 0
  20: 09:38:06.470602 128.208.81.60.3160 > 216.146.80.168.443: R 4086421856:4086421856(0) win 0
  21: 09:38:10.158317 67.137.2.3.1829 > 216.146.80.168.443: R 847526398:847526398(0) win 0
  22: 09:38:10.158362 67.137.2.3.1829 > 216.146.80.168.443: R 847526399:847526399(0) win 0
  23: 09:38:11.474310 67.137.2.3.1830 > 216.146.80.168.443: R 3525828719:3525828719(0) win 0
  24: 09:38:11.579086 192.168.32.9.443 > 72.69.133.251.50757: . ack 8957445 win 65
  25: 09:38:12.174795 216.86.188.235.50278 > 216.146.80.168.443: R 2292942922:2292942922(0) ack 2112806569 win 0
  26: 09:38:12.270234 216.86.188.235.50278 > 216.146.80.168.443: R 2292942922:2292942922(0) win 0
  27: 09:38:12.925626 67.137.2.3.1831 > 216.146.80.168.443: R 1369870491:1369870491(0) win 0
  28: 09:38:13.474172 67.137.2.3.1832 > 216.146.80.168.443: R 2394410424:2394410424(0) win 0
  29: 09:38:14.584671 67.137.2.3.1833 > 216.146.80.168.443: R 906319091:906319091(0) win 0
  30: 09:38:15.136314 67.137.2.3.1834 > 216.146.80.168.443: R 2554919140:2554919140(0) win 0
  31: 09:38:15.604109 67.137.2.3.1835 > 216.146.80.168.443: R 1519278733:1519278733(0) win 0
  32: 09:38:16.048764 67.137.2.3.1836 > 216.146.80.168.443: R 1488504995:1488504995(0) win 0
  33: 09:38:16.472723 67.137.2.3.1837 > 216.146.80.168.443: R 724252455:724252455(0) win 0
  34: 09:38:16.901915 67.137.2.3.1838 > 216.146.80.168.443: R 687272924:687272924(0) win 0
  35: 09:38:17.323378 67.137.2.3.1839 > 216.146.80.168.443: R 3842487420:3842487420(0) win 0
  36: 09:38:17.735069 67.137.2.3.1840 > 216.146.80.168.443: R 4186093823:4186093823(0) win 0
  37: 09:38:18.108118 67.137.2.3.1841 > 216.146.80.168.443: R 3955718652:3955718652(0) win 0
  38: 09:38:18.570801 67.137.2.3.1842 > 216.146.80.168.443: R 2349903884:2349903884(0) win 0
  39: 09:38:19.000259 67.137.2.3.1843 > 216.146.80.168.443: R 4208857933:4208857933(0) win 0
  40: 09:38:19.496022 67.137.2.3.1844 > 216.146.80.168.443: R 3259569670:3259569670(0) win 0
  41: 09:38:19.531314 216.15.159.50.62604 > 216.21.41.166.25: F 4036857121:4036857121(0) ack 4066860372 win 16469
  42: 09:38:19.916517 67.137.2.3.1845 > 216.146.80.168.443: R 3178957911:3178957911(0) win 0
  43: 09:38:20.345761 67.137.2.3.1846 > 216.146.80.168.443: R 2024489868:2024489868(0) win 0
  44: 09:38:20.759131 67.137.2.3.1847 > 216.146.80.168.443: R 2545233001:2545233001(0) win 0
  45: 09:38:21.320295 192.168.1.85.4457 > 192.168.32.9.443: R 754477034:754477034(0) win 0
  46: 09:38:21.380122 192.168.1.85.4458 > 192.168.32.9.443: R 4264280859:4264280859(0) win 0
  47: 09:38:25.258165 67.137.2.3.1848 > 216.146.80.168.443: R 3563880602:3563880602(0) win 0
  48: 09:38:27.906294 67.137.2.3.1849 > 216.146.80.168.443: R 860375051:860375051(0) win 0
  49: 09:38:29.809848 71.217.60.134.1757 > 216.21.41.166.8080: R 1862512940:1862512940(0) win 0
  50: 09:38:29.823916 71.217.60.134.1677 > 216.21.41.166.8080: R 4157317584:4157317584(0) win 0
  51: 09:38:29.833437 71.217.60.134.1756 > 216.21.41.166.8080: R 1692515993:1692515993(0) win 0
  52: 09:38:29.840959 71.217.60.134.1756 > 216.21.41.166.8080: R 1692515993:1692515993(0) win 0
  53: 09:38:30.559648 76.211.236.161.60659 > 216.146.80.168.443: R 2741387118:2741387118(0) win 0
  54: 09:38:30.896895 72.69.133.251.50760 > 216.146.80.168.443: R 2197300486:2197300486(0) ack 901691426 win 0
  55: 09:38:31.116861 72.69.133.251.50761 > 216.146.80.168.443: R 1157828075:1157828075(0) ack 1703811960 win 0
  56: 09:38:32.570649 12.191.191.8.33746 > 216.146.80.168.80: . ack 2112178653 win 65535
  57: 09:38:32.570801 12.191.191.8.33746 > 216.146.80.168.80: . ack 2112178653 win 65535
  58: 09:38:39.401697 71.217.227.199.3647 > 216.146.80.168.443: R 986571586:986571586(0) win 0
  59: 09:38:40.554353 68.165.188.82.50505 > 216.146.80.168.443: R 341434172:341434172(0) ack 1299715543 win 0
  60: 09:38:40.592880 68.165.188.82.50505 > 216.146.80.168.443: R 341434172:341434172(0) win 0
  61: 09:38:44.519458 12.205.207.8.2141 > 216.146.80.168.443: R 1619872954:1619872954(0) win 0
  62: 09:38:44.829180 12.205.207.8.2142 > 216.146.80.168.443: R 2483751133:2483751133(0) win 0
  63: 09:38:45.552248 12.205.207.8.2143 > 216.146.80.168.443: R 2752719645:2752719645(0) win 0
  64: 09:38:45.882751 12.205.207.8.2144 > 216.146.80.168.443: R 1580195651:1580195651(0) win 0
  65: 09:38:46.086222 12.205.207.8.2145 > 216.146.80.168.443: R 3829514314:3829514314(0) win 0
  66: 09:38:46.370311 12.205.207.8.2146 > 216.146.80.168.443: R 2292248548:2292248548(0) win 0
  67: 09:38:46.578659 12.205.207.8.2147 > 216.146.80.168.443: R 1085435740:1085435740(0) win 0
  68: 09:38:46.766210 12.205.207.8.2148 > 216.146.80.168.443: R 2130639099:2130639099(0) win 0
  69: 09:38:47.014312 12.205.207.8.2149 > 216.146.80.168.443: R 460403657:460403657(0) win 0
  70: 09:38:47.251634 12.205.207.8.2150 > 216.146.80.168.443: R 3880362357:3880362357(0) win 0
  71: 09:38:47.439521 12.205.207.8.2151 > 216.146.80.168.443: R 2114706798:2114706798(0) win 0
  72: 09:38:47.654202 12.205.207.8.2152 > 216.146.80.168.443: R 4145308270:4145308270(0) win 0
  73: 09:38:47.870453 12.205.207.8.2153 > 216.146.80.168.443: R 2585192714:2585192714(0) win 0
  74: 09:38:48.180441 12.205.207.8.2154 > 216.146.80.168.443: R 387059254:387059254(0) win 0
  75: 09:38:48.384211 12.205.207.8.2155 > 216.146.80.168.443: R 3632690203:3632690203(0) win 0
  76: 09:38:51.482900 216.15.159.50.62604 > 216.21.41.166.25: F 4036857121:4036857121(0) ack 4066860372 win 16469
  77: 09:38:52.776174 192.168.32.9.443 > 69.127.10.204.52517: . ack 2107586394 win 73
  78: 09:38:53.153007 75.2.10.207.1750 > 216.21.41.166.8080: R 235419526:235419526(0) ack 4133100621 win 0
  79: 09:38:56.427071 71.217.227.199.3647 > 216.146.80.168.443: R 986571586:986571586(0) ack 1808835570 win 0
  80: 09:39:00.513096 70.21.10.33.50302 > 216.146.80.168.443: R 3116868761:3116868761(0) win 0
  81: 09:39:01.266297 192.168.1.114.1847 > 202.173.25.200.443: . ack 877169718 win 0
  82: 09:39:02.468252 192.168.1.108.1227 > 63.245.213.32.443: R 1439709601:1439709601(0) win 0
  83: 09:39:02.563157 67.46.138.185.17593 > 216.21.41.166.995: R 3282617675:3282617675(0) ack 2827275061 win 16000
  84: 09:39:02.864747 69.246.215.188.3506 > 216.146.80.168.443: R 1708735607:1708735607(0) win 0
  85: 09:39:02.864808 69.246.215.188.3506 > 216.146.80.168.443: R 1708735583:1708735583(0) win 0
  86: 09:39:03.703576 192.168.1.114.1848 > 202.173.25.200.443: . ack 603018104 win 0
  87: 09:39:05.490117 68.167.191.128.25051 > 216.21.41.166.80: . ack 3942770484 win 64512
  88: 09:39:05.584244 68.167.191.128.25051 > 216.21.41.166.80: . ack 3942770484 win 64512
  89: 09:39:05.888397 74.135.252.40.2205 > 216.146.80.168.443: R 2566918656:2566918656(0) win 0
  90: 09:39:05.888503 74.135.252.40.2205 > 216.146.80.168.443: R 2566918680:2566918680(0) win 0
  91: 09:39:06.133675 192.168.1.114.1849 > 202.173.25.200.443: . ack 1163974725 win 0
  92: 09:39:06.529177 74.135.252.40.2206 > 216.146.80.168.443: R 2742466841:2742466841(0) win 0
  93: 09:39:07.935452 67.137.2.3.1850 > 216.146.80.168.443: R 2883325510:2883325510(0) win 0
  94: 09:39:07.938519 67.137.2.3.1850 > 216.146.80.168.443: R 2883325511:2883325511(0) win 0
  95: 09:39:08.043347 192.168.9.2.139 > 172.16.1.7.1864: S 2219695796:2219695796(0) ack 1135143469 win 65535 <mss 1460,nop,nop,sackOK>
  96: 09:39:11.258378 192.168.9.2.139 > 172.16.1.7.1864: S 2220484156:2220484156(0) ack 1135143469 win 65535 <mss 1460,nop,nop,sackOK>
  97: 09:39:11.266145 69.214.13.243.1567 > 216.21.41.166.80: R 1503803842:1503803842(0) ack 437442379 win 0
  98: 09:39:12.536837 216.86.188.235.50281 > 216.146.80.168.443: R 3957800035:3957800035(0) ack 2516851838 win 0
  99: 09:39:12.617109 216.86.188.235.50281 > 216.146.80.168.443: R 3957800034:3957800034(0) win 0
 100: 09:39:12.619688 216.86.188.235.50281 > 216.146.80.168.443: R 3957800035:3957800035(0) win 0
 101: 09:39:12.658901 68.100.116.65.1315 > 216.146.80.168.443: R 279822917:279822917(0) win 0
 102: 09:39:15.394129 88.226.226.42.49629 > 216.21.41.166.25: R 904198567:904198567(0) ack 3114427033 win 24000
 103: 09:39:18.187047 98.17.60.111.61530 > 216.146.80.168.443: R 3150177098:3150177098(0) ack 1002619057 win 0
 104: 09:39:18.222354 98.17.60.111.61530 > 216.146.80.168.443: R 3150177098:3150177098(0) win 0
 105: 09:39:19.669307 66.84.192.148.1356 > 216.21.41.166.8080: . ack 3972611002 win 65535
 106: 09:39:25.074809 192.168.11.66.139 > 172.16.1.7.1867: S 2847876568:2847876568(0) ack 1905013772 win 5840 <mss 1460,nop,nop,sackOK>
 107: 09:39:25.930829 74.135.252.40.2209 > 216.146.80.168.443: R 1669995117:1669995117(0) win 0
 108: 09:39:25.934476 74.135.252.40.2209 > 216.146.80.168.443: R 1669995141:1669995141(0) win 0
 109: 09:39:26.109170 74.135.252.40.2210 > 216.146.80.168.443: R 4201762158:4201762158(0) win 0
 110: 09:39:26.168661 216.86.188.235.50283 > 216.146.80.168.443: R 3372020103:3372020103(0) ack 2485184734 win 0
 111: 09:39:26.251558 216.86.188.235.50283 > 216.146.80.168.443: R 3372020103:3372020103(0) win 0
 112: 09:39:26.545412 192.168.32.9.443 > 216.86.188.235.50284: . ack 800001937 win 77
 113: 09:39:30.274842 76.211.236.161.60663 > 216.146.80.168.443: R 449589406:449589406(0) win 0
 114: 09:39:31.957714 192.168.32.9.443 > 72.170.88.73.13799: . ack 2677729529 win 7872
 115: 09:39:32.154182 72.170.88.73.13799 > 216.146.80.168.443: R 3951362727:3951362727(0) win 0
 116: 09:39:32.154243 72.170.88.73.13799 > 216.146.80.168.443: R 3951362728:3951362728(0) win 0
 117: 09:39:41.727074 216.86.188.235.50285 > 216.146.80.168.443: R 3970542377:3970542377(0) ack 2741432436 win 0
 118: 09:39:41.789311 216.86.188.235.50285 > 216.146.80.168.443: R 3970542353:3970542353(0) win 0
 119: 09:39:41.812366 216.86.188.235.50285 > 216.146.80.168.443: R 3970542376:3970542376(0) win 0
 120: 09:39:41.814700 216.86.188.235.50285 > 216.146.80.168.443: R 3970542377:3970542377(0) win 0
 121: 09:39:45.889190 66.109.157.108.3093 > 216.146.80.168.443: R 2182397099:2182397099(0) win 0
 122: 09:39:45.889251 66.109.157.108.3093 > 216.146.80.168.443: R 2182397123:2182397123(0) win 0
 123: 09:39:47.579941 68.196.217.103.2946 > 216.146.80.168.443: R 1038675694:1038675694(0) win 0
 124: 09:39:53.242495 192.168.32.9.443 > 69.127.10.204.52518: . ack 1196786678 win 65
 125: 09:39:54.476843 192.168.1.85.4460 > 192.168.32.9.443: R 1723982673:1723982673(0) win 0
 126: 09:39:54.476888 192.168.1.85.4460 > 192.168.32.9.443: R 1723982674:1723982674(0) win 0
 127: 09:39:55.636289 192.168.1.85.4461 > 192.168.32.9.443: R 1642188085:1642188085(0) win 0
 128: 09:39:57.760916 192.168.32.9.443 > 69.146.204.143.49914: . ack 1506323643 win 65
 129: 09:39:58.099726 192.168.3.65.39253 > 69.20.104.197.80: R 3811859075:3811859075(0) win 0
 130: 09:40:00.120172 192.168.1.85.4462 > 192.168.32.9.443: R 1817508311:1817508311(0) win 0
 131: 09:40:00.758032 68.196.217.103.2948 > 216.146.80.168.443: R 3533754946:3533754946(0) win 0
 132: 09:40:00.992075 68.196.217.103.2949 > 216.146.80.168.443: R 3121528541:3121528541(0) win 0
 133: 09:40:05.119027 75.45.217.170.2069 > 216.146.80.168.443: R 2011103626:2011103626(0) ack 2423109281 win 0
 134: 09:40:05.232806 70.57.145.128.14810 > 216.146.80.168.80: . ack 1457979559 win 16486
 135: 09:40:05.469061 70.57.145.128.14822 > 216.146.80.168.80: . ack 1846172058 win 16486
135 packets shown

ASKER

As you can see above this is also happening inside as well. host 192.168.1.85 > 192.168.32.9
Wilsj, what do you mean by "this is also happening inside as well. host 192.168.1.85 > 192.168.32.9"?

What I can see from your capture: a lot of RST packets. Without having the full picture, I can allow two things here:
one: clients are terminating connections in such a rude way, or your server is bombing the client with some data and the clients are just saying "get off me"
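
To put numbers on the RST pattern in the capture above, an added example (not part of the original posts) that tallies reset segments per destination and per source from ASA capture text. The sample lines are copied from the captures in this thread; the function name and the returned keys are this example's own.

```python
import re
from collections import Counter, defaultdict

# One TCP line of ASA capture output: index, time, src.port > dst.port: flags ...
LINE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFPRUWE.]+)\s"
)

def summarize_resets(lines):
    """Count RST segments per destination and collect source ports per sender."""
    parsed = skipped = 0
    rst_by_dst = Counter()
    rst_ports_by_src = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if m is None:                        # non-TCP (e.g. ip-proto-50) or unparsable
            skipped += 1
            continue
        parsed += 1
        if "R" not in m["flags"]:
            continue
        rst_by_dst[f"{m['dst']}:{m['dport']}"] += 1
        rst_ports_by_src[m["src"]].add(int(m["sport"]))
    rst_total = sum(rst_by_dst.values())
    top_dst, top_count = rst_by_dst.most_common(1)[0] if rst_by_dst else (None, 0)
    return {
        "parsed": parsed,
        "skipped": skipped,
        "rst_total": rst_total,
        "rst_by_dst": rst_by_dst,
        "top_dst": top_dst,
        "top_share": top_count / rst_total if rst_total else 0.0,
        "rst_ports_by_src": dict(rst_ports_by_src),
    }

# Lines copied from the captures posted in this thread.
SAMPLE = """
   1: 09:37:58.596603 128.208.81.60.3146 > 216.146.80.168.443: R 1329208275:1329208275(0) win 0
   2: 09:37:59.132897 128.208.81.60.3147 > 216.146.80.168.443: R 3436283234:3436283234(0) win 0
   4: 09:37:59.814899 75.59.150.99.1443 > 216.21.41.166.8080: R 4217981376:4217981376(0) ack 2463618108 win 0
   5: 09:38:00.094904 70.21.10.33.50301 > 216.146.80.168.443: R 1990236951:1990236951(0) win 0
  14: 09:38:03.548189 216.15.159.50.62604 > 216.21.41.166.25: F 4036857121:4036857121(0) ack 4066860372 win 16469
  24: 09:38:11.579086 192.168.32.9.443 > 72.69.133.251.50757: . ack 8957445 win 65
4310: 15:52:03.492207 216.146.80.163 > 216.21.44.2:  ip-proto-50, length 76
"""

if __name__ == "__main__":
    report = summarize_resets(SAMPLE.strip().splitlines())
    print(f"{report['rst_total']} RSTs in {report['parsed']} TCP lines, "
          f"{report['top_share']:.0%} aimed at {report['top_dst']}")
    for src, ports in sorted(report["rst_ports_by_src"].items()):
        print(f"  {src}: RSTs from {len(ports)} source port(s)")
```

A source that sends resets from many consecutive source ports, as 128.208.81.60 and 67.137.2.3 do in the full capture, is opening and abandoning one connection after another, which is worth correlating with the server's own logs for the same timestamps.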


ASKER

Oh, I just meant it is the same host. 32.9 is the DMZ address for the 216.146.80.168 public.
OK, I got you!
But anyway, I can't see any bad things happening here

ASKER

Ok, thanks for all your help. I would give you a 1000 points if I could. Always appreciated.
Thanks!
Good luck!