[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

TCP reset flag present when trying to browse internet from any PC at location

Posted on 2008-01-31
5
Medium Priority
?
12,534 Views
Last Modified: 2013-12-14
Hello All,

      I am experiencing a strange issue at a customers site. Last night they had a power outage. This morning they reported that they could not browse the internet from any PC at their location. The customer has a DSL connection connected to a PIX 506E connected to a layer three switch. I am receiving a TCP reset flag sent from the web server of the site I am trying to browse. I can ping ip addresses and preform nslookup but I can not browse the internet. I have tried telneting to a webserver on port 80 but I receive nothing. My http web capture is below. Any suggestions why this is happening. I am currently waiting for the DSL company to call me back.

HTTP web capture:


No.     Time        Source                Destination           Protocol Info
      1 0.000000    172.21.173.207        72.14.253.104         TCP      fjmpss > http [SYN] Seq=0 Win=65535 Len=0 MSS=1260

Frame 1 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f), Dst: Cisco_d4:10:80 (00:13:1a:d4:10:80)
Internet Protocol, Src: 172.21.173.207 (172.21.173.207), Dst: 72.14.253.104 (72.14.253.104)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0xd74b (55115)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x8420 [correct]
    Source: 172.21.173.207 (172.21.173.207)
    Destination: 72.14.253.104 (72.14.253.104)
Transmission Control Protocol, Src Port: fjmpss (2509), Dst Port: http (80), Seq: 0, Len: 0
    Source port: fjmpss (2509)
    Destination port: http (80)
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x02 (SYN)
    Window size: 65535
    Checksum: 0x7c77 [correct]
    Options: (8 bytes)

No.     Time        Source                Destination           Protocol Info
      2 0.049646    72.14.253.104         172.21.173.207        TCP      http > fjmpss [SYN, ACK] Seq=0 Ack=1 Win=5720 Len=0 MSS=1380

Frame 2 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Cisco_d4:10:80 (00:13:1a:d4:10:80), Dst: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f)
Internet Protocol, Src: 72.14.253.104 (72.14.253.104), Dst: 172.21.173.207 (172.21.173.207)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0xa943 (43331)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 48
    Protocol: TCP (0x06)
    Header checksum: 0x4229 [correct]
    Source: 72.14.253.104 (72.14.253.104)
    Destination: 172.21.173.207 (172.21.173.207)
Transmission Control Protocol, Src Port: http (80), Dst Port: fjmpss (2509), Seq: 0, Ack: 1, Len: 0
    Source port: http (80)
    Destination port: fjmpss (2509)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 28 bytes
    Flags: 0x12 (SYN, ACK)
    Window size: 5720
    Checksum: 0x2d89 [correct]
    Options: (8 bytes)
    [SEQ/ACK analysis]

No.     Time        Source                Destination           Protocol Info
      3 0.049715    172.21.173.207        72.14.253.104         TCP      fjmpss > http [ACK] Seq=1 Ack=1 Win=65535 Len=0

Frame 3 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f), Dst: Cisco_d4:10:80 (00:13:1a:d4:10:80)
Internet Protocol, Src: 172.21.173.207 (172.21.173.207), Dst: 72.14.253.104 (72.14.253.104)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0xd74c (55116)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x8427 [correct]
    Source: 172.21.173.207 (172.21.173.207)
    Destination: 72.14.253.104 (72.14.253.104)
Transmission Control Protocol, Src Port: fjmpss (2509), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
    Source port: fjmpss (2509)
    Destination port: http (80)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
    Window size: 65535
    Checksum: 0x7055 [correct]
    [SEQ/ACK analysis]

No.     Time        Source                Destination           Protocol Info
      4 0.052137    172.21.173.207        72.14.253.104         HTTP     GET / HTTP/1.1

Frame 4 (753 bytes on wire, 753 bytes captured)
Ethernet II, Src: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f), Dst: Cisco_d4:10:80 (00:13:1a:d4:10:80)
Internet Protocol, Src: 172.21.173.207 (172.21.173.207), Dst: 72.14.253.104 (72.14.253.104)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 739
    Identification: 0xd74d (55117)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x816b [correct]
    Source: 172.21.173.207 (172.21.173.207)
    Destination: 72.14.253.104 (72.14.253.104)
Transmission Control Protocol, Src Port: fjmpss (2509), Dst Port: http (80), Seq: 1, Ack: 1, Len: 699
    Source port: fjmpss (2509)
    Destination port: http (80)
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 700    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
    Window size: 65535
    Checksum: 0xa9b5 [correct]
Hypertext Transfer Protocol

No.     Time        Source                Destination           Protocol Info
      5 2.980882    172.21.173.207        72.14.253.104         HTTP     [TCP Retransmission] GET / HTTP/1.1

Frame 5 (753 bytes on wire, 753 bytes captured)
Ethernet II, Src: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f), Dst: Cisco_d4:10:80 (00:13:1a:d4:10:80)
Internet Protocol, Src: 172.21.173.207 (172.21.173.207), Dst: 72.14.253.104 (72.14.253.104)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 739
    Identification: 0xd766 (55142)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x8152 [correct]
    Source: 172.21.173.207 (172.21.173.207)
    Destination: 72.14.253.104 (72.14.253.104)
Transmission Control Protocol, Src Port: fjmpss (2509), Dst Port: http (80), Seq: 1, Ack: 1, Len: 699
    Source port: fjmpss (2509)
    Destination port: http (80)
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 700    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
    Window size: 65535
    Checksum: 0xa9b5 [correct]
    [SEQ/ACK analysis]
Hypertext Transfer Protocol

No.     Time        Source                Destination           Protocol Info
      6 8.989518    172.21.173.207        72.14.253.104         HTTP     [TCP Retransmission] GET / HTTP/1.1

Frame 6 (753 bytes on wire, 753 bytes captured)
Ethernet II, Src: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f), Dst: Cisco_d4:10:80 (00:13:1a:d4:10:80)
Internet Protocol, Src: 172.21.173.207 (172.21.173.207), Dst: 72.14.253.104 (72.14.253.104)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 739
    Identification: 0xd798 (55192)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x8120 [correct]
    Source: 172.21.173.207 (172.21.173.207)
    Destination: 72.14.253.104 (72.14.253.104)
Transmission Control Protocol, Src Port: fjmpss (2509), Dst Port: http (80), Seq: 1, Ack: 1, Len: 699
    Source port: fjmpss (2509)
    Destination port: http (80)
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 700    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
    Window size: 65535
    Checksum: 0xa9b5 [correct]
    [SEQ/ACK analysis]
Hypertext Transfer Protocol

No.     Time        Source                Destination           Protocol Info
      7 10.098576   72.14.253.104         172.21.173.207        TCP      http > fjmpss [FIN, ACK] Seq=1 Ack=1 Win=5720 Len=0

Frame 7 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Cisco_d4:10:80 (00:13:1a:d4:10:80), Dst: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f)
Internet Protocol, Src: 72.14.253.104 (72.14.253.104), Dst: 172.21.173.207 (172.21.173.207)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0xa944 (43332)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 48
    Protocol: TCP (0x06)
    Header checksum: 0x4230 [correct]
    Source: 72.14.253.104 (72.14.253.104)
    Destination: 172.21.173.207 (172.21.173.207)
Transmission Control Protocol, Src Port: http (80), Dst Port: fjmpss (2509), Seq: 1, Ack: 1, Len: 0
    Source port: http (80)
    Destination port: fjmpss (2509)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x11 (FIN, ACK)
    Window size: 5720
    Checksum: 0x59fc [correct]

No.     Time        Source                Destination           Protocol Info
      8 10.098657   172.21.173.207        72.14.253.104         TCP      fjmpss > http [ACK] Seq=700 Ack=2 Win=65535 Len=0

Frame 8 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f), Dst: Cisco_d4:10:80 (00:13:1a:d4:10:80)
Internet Protocol, Src: 172.21.173.207 (172.21.173.207), Dst: 72.14.253.104 (72.14.253.104)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0xd7a1 (55201)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x83d2 [correct]
    Source: 172.21.173.207 (172.21.173.207)
    Destination: 72.14.253.104 (72.14.253.104)
Transmission Control Protocol, Src Port: fjmpss (2509), Dst Port: http (80), Seq: 700, Ack: 2, Len: 0
    Source port: fjmpss (2509)
    Destination port: http (80)
    Sequence number: 700    (relative sequence number)
    Acknowledgement number: 2    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
    Window size: 65535
    Checksum: 0x6d99 [correct]
    [SEQ/ACK analysis]

No.     Time        Source                Destination           Protocol Info
      9 10.099079   172.21.173.207        72.14.253.104         TCP      fjmpss > http [FIN, ACK] Seq=700 Ack=2 Win=65535 Len=0

Frame 9 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f), Dst: Cisco_d4:10:80 (00:13:1a:d4:10:80)
Internet Protocol, Src: 172.21.173.207 (172.21.173.207), Dst: 72.14.253.104 (72.14.253.104)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0xd7a6 (55206)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x83cd [correct]
    Source: 172.21.173.207 (172.21.173.207)
    Destination: 72.14.253.104 (72.14.253.104)
Transmission Control Protocol, Src Port: fjmpss (2509), Dst Port: http (80), Seq: 700, Ack: 2, Len: 0
    Source port: fjmpss (2509)
    Destination port: http (80)
    Sequence number: 700    (relative sequence number)
    Acknowledgement number: 2    (relative ack number)
    Header length: 20 bytes
    Flags: 0x11 (FIN, ACK)
    Window size: 65535
    Checksum: 0x6d98 [correct]

No.     Time        Source                Destination           Protocol Info
     10 10.149640   72.14.253.104         172.21.173.207        TCP      http > fjmpss [RST] Seq=2 Win=0 Len=0

Frame 10 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Cisco_d4:10:80 (00:13:1a:d4:10:80), Dst: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f)
Internet Protocol, Src: 72.14.253.104 (72.14.253.104), Dst: 172.21.173.207 (172.21.173.207)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0xa946 (43334)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 48
    Protocol: TCP (0x06)
    Header checksum: 0x422e [correct]
    Source: 72.14.253.104 (72.14.253.104)
    Destination: 172.21.173.207 (172.21.173.207)
Transmission Control Protocol, Src Port: http (80), Dst Port: fjmpss (2509), Seq: 2, Len: 0
    Source port: http (80)
    Destination port: fjmpss (2509)
    Sequence number: 2    (relative sequence number)
    Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set
    Header length: 20 bytes
    Flags: 0x04 (RST)
    Window size: 0
    Checksum: 0xf62a [correct]

No.     Time        Source                Destination           Protocol Info
     11 24.411687   172.21.173.207        72.14.253.147         HTTP     GET /firefox?client=firefox-a&rls=org.mozilla:en-US:official HTTP/1.1

Frame 11 (677 bytes on wire, 677 bytes captured)
Ethernet II, Src: DellPcba_b2:2e:3f (00:0d:56:b2:2e:3f), Dst: Cisco_d4:10:80 (00:13:1a:d4:10:80)
Internet Protocol, Src: 172.21.173.207 (172.21.173.207), Dst: 72.14.253.147 (72.14.253.147)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 663
    Identification: 0xd821 (55329)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x80b8 [correct]
    Source: 172.21.173.207 (172.21.173.207)
    Destination: 72.14.253.147 (72.14.253.147)
Transmission Control Protocol, Src Port: jbroker (2506), Dst Port: http (80), Seq: 1, Ack: 1, Len: 623
    Source port: jbroker (2506)
    Destination port: http (80)
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 624    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x19 (FIN, PSH, ACK)
    Window size: 65535
    Checksum: 0x857b [correct]
Hypertext Transfer Protocol
0
Comment
Question by:greenbeanx81
5 Comments
 
LVL 22

Accepted Solution

by:
Brian Utterback earned 2000 total points
ID: 20796288
It looks to me like the packets with a TCP data length greater than 0 are being dropped. The web server is waiting
for the request but never sees it. After 10 seconds, it times out and closes the connection. The reset is just because
by the time the FIN,ACK is sent from the client, the web server has forgotten about the client and responds with a
reset, which just means that a packet arrived for a connection it does not currently have.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 20800141
How about posting the pix config here?

Cheers,
Rajesh
0
 

Author Closing Comment

by:greenbeanx81
ID: 31426842
Thank you. WE actually traced the problem to Websense somehow causing this issue. After disabling it on the PIX is fine.
0
 
LVL 2

Expert Comment

by:myron-szy
ID: 24633295
What was the fix?
0
 

Expert Comment

by:DD-Operations
ID: 34100583
Please provide the fix... :)
0

Featured Post

Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

611 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question