Troubleshooting dropped connection

Hi

I have an application, App1, running on a Windows 2003 SP2 Server, Server1.

App1 connects to a third party vendor server on the Internet, Vendor1.

App1 is configured to connect to the internet via one of our proxy servers, Proxy1 on port 3000.

For some reason, we are getting errors on the application. I checked the logs of the app, and it appears that the connection to Vendor1 keeps dropping and then reconnecting a few minutes later. Sometimes the drop lasts more than 5 minutes, hence the errors.

I've checked the Application and System logs on Server1, they don't show much.

Any ideas on how to troubleshoot this? I was thinking Wireshark or something but not entirely sure what I should be looking for?

Top Expert 2010
Commented:
Yes, the first thing to do is utilize Wireshark and capture the data; we can assist with analyzing if you do not know what to look for. However, a few questions might help isolate the issue:

>Sometimes the drop lasts more than 5 minutes, hence the errors.
When the connection drops, how is the overall connection of the server elsewhere on your network and to the Internet? Are you using a VPN between your network and the remote site (the vendor)?
To be clear, when you say the connection drops, the application is terminating the TCP connection (assuming you are using TCP); please advise.

Billy

Author

Commented:
Thanks Billy!

Server1 has IP address 192.168.1.1.

My workstation has IP 192.168.10.1

Is it possible for me to run Wireshark on my workstation to capture the data? Or does Wireshark really need to be run on the server itself?
Top Expert 2010

Commented:
If you have a switch that has the capability to SPAN the port that your workstation is on, then yes, you can leave Wireshark on your workstation. If your workstation and server are on 2 separate switches, then the switches would need to have the capability of a Remote SPAN (RSPAN). Basically, a SPAN is a switchport analyzer, and you are mirroring the port that the server is connected to so that any traffic ingress and egress is sent to the port that your workstation would be on. If you do not have a switch that is capable of being mirrored (SPAN), then your only option is to install Wireshark on the server.

What type of switch is the server and your workstation connected to?

Billy

Author

Commented:
Hi

I'm not sure what type of switches they are, I would need to check with the network people. But my workstation is in London and Server1 is in Manchester, so they are on different switches.

So with SPAN, are you saying that any traffic to/from the server would also be sent to the port my workstation was on, so that I could use Wireshark to analyse it?

And RSPAN is effectively the same thing, but it allows the ability to send a copy of that server switchport traffic to another switch (i.e. the one that my workstation is on), so that Wireshark installed locally on my PC could pick it up?

Just three other questions on this if that's ok?

i. Would this not cause a lot of traffic for my workstation switchport?

ii. If we did have RSPAN working, is there any special config change I need to make to Wireshark installed on my machine to pick up the server's traffic rather than my own?

iii. Because the problem is intermittent, we'd need to have this running over the course of a day or two. Would this be recommended with RSPAN because you are sending a lot of traffic over our Manchester-London WAN link? Or is the data sent not really a copy of the entire traffic but a subset to make it easier to analyse?

Thanks again for your help, really appreciate it.
Top Expert 2010

Commented:
Yeah, in your case that would not work, unfortunately; you need to have a workstation that is local to the server and SPAN a port. Honestly, your best bet is to install Wireshark on the server and then review the data.

To answer the questions:

1. Typically yes.
2. The port does not transmit any traffic except that traffic required for the SPAN session unless learning is enabled. Just easier to find an old laptop and use it to capture data.
3. The data is an exact copy, so no, I would not send the data across the WAN.


Billy
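
Added example (not part of the thread and not any participant's code): one way to answer the "who is terminating the TCP connection" question from a capture taken on Server1, by finding which side sent the first FIN or RST on the port 3000 session and how long it took Server1 to open a new one. The Proxy1 address, the sample rows and the function names are constructed assumptions; the tshark field names are real display-filter fields.

```python
# Added example: constructed sample data, hypothetical helper names.
# Rows are tab-separated fields exported from a capture on Server1 with:
#   tshark -r capture.pcap -Y "tcp.port == 3000" -T fields \
#     -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
#     -e tcp.flags.syn -e tcp.flags.fin -e tcp.flags.reset
SERVER1 = "192.168.1.1"   # Server1, from the thread
PROXY_PORT = 3000         # Proxy1 port, from the thread
PROXY1 = "192.0.2.10"     # placeholder: Proxy1's address is not given

SAMPLE = "\n".join([      # constructed rows, not real traffic
    f"1000.0\t{SERVER1}\t{PROXY1}\t3000\t1\t0\t0",    # SYN from Server1
    f"1000.01\t{PROXY1}\t{SERVER1}\t49152\t1\t0\t0",  # SYN-ACK
    f"1120.5\t{PROXY1}\t{SERVER1}\t49152\t0\t1\t0",   # FIN from proxy side
    f"1120.6\t{SERVER1}\t{PROXY1}\t3000\t0\t1\t0",    # FIN reply
    f"1480.5\t{SERVER1}\t{PROXY1}\t3000\t1\t0\t0",    # reconnect
    f"1480.51\t{PROXY1}\t{SERVER1}\t49153\t1\t0\t0",  # SYN-ACK
    f"1600.0\t{SERVER1}\t{PROXY1}\t3000\t0\t0\t1",    # RST from Server1
    f"1630.0\t{SERVER1}\t{PROXY1}\t3000\t1\t0\t0",    # reconnect
])

def is_set(value):
    # tshark prints flag bits as 1/0 or True/False depending on version
    return value in ("1", "True")

def find_drops(rows, server=SERVER1, port=PROXY_PORT):
    """Return one record per teardown: who closed, how, and reconnect gap."""
    drops, pending = [], None
    for line in rows.splitlines():
        ts, src, _dst, dport, syn, fin, rst = line.split("\t")
        ts = float(ts)
        if is_set(fin) or is_set(rst):
            if pending is None:  # only the first teardown packet counts
                pending = {
                    # "remote" = proxy side as seen from Server1
                    "closed_by": "Server1" if src == server else "remote",
                    "how": "RST" if is_set(rst) else "FIN",
                    "closed_at": ts,
                }
        elif is_set(syn) and src == server and int(dport) == port and pending:
            pending["gap_s"] = ts - pending["closed_at"]  # outage length
            drops.append(pending)
            pending = None
    return drops

if __name__ == "__main__":
    for d in find_drops(SAMPLE):
        print(f"{d['closed_at']}: {d['how']} by {d['closed_by']}, "
              f"reconnected after {d['gap_s']:.0f}s")
```

A teardown attributed to "remote" in a capture taken on Server1 only shows that the close arrived from the proxy side; it does not distinguish Proxy1 from Vendor1 or a device in between.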