Solved

Router blocking new TCP connections when FIN not received

Posted on 2009-04-02
8
318 Views
Last Modified: 2012-06-21
We have been doing some testing recently on a problem that we have been having with an IP camera.

The camera sits behind an ADSL router and communicates with one of our servers over HTTP. We have noticed that, on some routers only, if you power down the camera after it has been running for a while and then power it back up again it doesn't make a connection to the server for 15-20 minutes.

After tracing the traffic through Wireshark the problem seems to be that when the camera is powered down it isn't able to send a FIN. When the camera comes back up and sends a SYN to the server, the router seems to think that there is a connection still open on the source port that the camera is using and it doesn't forward the SYN packet. If we change the camera to use a different source port it then works straight away.

My question is, is there something about the way that the camera is operating that is allowing this situation to happen ? If, for example, I was browsing a site on the internet and I temporarily lost my internet connection, I don't then find that I can't get back to the same site when my connection comes back.

Can anyone help to clarify this for me ?

TIA.
0
Comment
Question by:ccfcfc
  • 4
  • 4
8 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24051775
Is the device using the same source port for both connections?


0
 

Author Comment

by:ccfcfc
ID: 24055103
Yes, following the power down/up the camera uses the same source port to communicate with our server.
0
 
LVL 28

Expert Comment

by:asavener
ID: 24056021
If the router supports it, you can lower the idle timeout for established connections.
0
 

Author Comment

by:ccfcfc
ID: 24057579
I can't make changes to the router, as this happens on several routers and could affect a large number of people. I need to focus on the behaviour of the camera.

Would you expect the camera to always use the same source port for the connection to my server rather than using a dynamic port or, if the camera always uses the same port, would it be better to have it send a RST to my server when it starts up to ensure that it always closes down any connection on the router that may have been left open ?
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 28

Assisted Solution

by:asavener
asavener earned 250 total points
ID: 24059280
Generally, the source port is dynamic, somewhere in the 1024-65535 range.
0
 

Accepted Solution

by:
ccfcfc earned 0 total points
ID: 24059306
That's what I would expect - that the camera uses a dynamic source port and that therefore following a hard reboot this isn't an issue.

How does a browser behave, for example ? If I am browsing a website and then just turn off my PC, when I turn it back on again and browse to the same website I don't have this issue, and I assume that's because a browser uses a dynamic source port - am I correct in assuming that ?
0
 
LVL 28

Expert Comment

by:asavener
ID: 24059340
Generally, yes.

A browser also opens multiple TCP sessions (I think IE defaults to 3 per page), and has a built-in timeout for downloading objects.  So it might not be as obvious as a device that simply tries to open a single session.

IMO, the camera is the bigger part of the problem.  It should either a) randomly choose a source port or b) keep retrying using a different source port each time.  Option b) is usually what I see when I'm troubleshooting some connection.
0
 

Author Comment

by:ccfcfc
ID: 24060590
That's my opinion too. I think that the camera behaviour needs to be modified to avoid this scenario.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
server can't ping default gateway 25 89
Strange addresses from DHCP 8 70
VLAN Tag for chained network device. 11 55
Cisco ACS TACACS 2 38
Article by: rfc1180
The Maximum Segment size (MSS) is an important consideration when troubleshooting connectivity via the Internet/Intranet. As the packets are routed via the Internet/Intranet, the packets must traverse through multiple routers in the path between two…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now