Optimation-Keith
asked on
TCP flooding when switching from a wireless to a wired connection
I've been having this problem for over a month now. Periodically I see 10 to 15 times the normal traffic on our switch/router out to the Internet. This high traffic consists of numerous tcp reset packets between the content security filter/firewall and the default router. After a number of sniffing sessions and troubleshooting I've figured out how to duplicate the problem and have an idea what's triggering the issue but I'm at a loss on how to resolve it.
We have a wireless router that bypasses the firewall and allows visiting vendors to access to the Internet. Employees, however, sometimes use this when working with vendors. Anyway, what happens is if you're plugged into the wired network behind the firewall, connect to the wireless network, unplug the wired connection then reconnect the wired connection you sometime get the high TCP reset traffic. While sniffing I've seen TCP packets tagged as "Continuation Data" with a source IP address of the wireless card, a destination IP of some registered IP on the Internet (usually some akamai deployment server) followed immediately by the TCP resets. Subsequent packets alternate these source and destination IP addresses and the traffic seems to go between the default router and the internal interface of our content security filter which is in-line with the firewall. The only way to stop the traffic is to pull the plug or disable the port at the managed switch.
Does the fact that I'm seeing packets tagged with wireless IP addresses on the wired network make sense to anyone? That definitely seems like the trigger. I wouldn’t expect to see that traffic on the wire.
Any thoughts?
We have a wireless router that bypasses the firewall and allows visiting vendors to access to the Internet. Employees, however, sometimes use this when working with vendors. Anyway, what happens is if you're plugged into the wired network behind the firewall, connect to the wireless network, unplug the wired connection then reconnect the wired connection you sometime get the high TCP reset traffic. While sniffing I've seen TCP packets tagged as "Continuation Data" with a source IP address of the wireless card, a destination IP of some registered IP on the Internet (usually some akamai deployment server) followed immediately by the TCP resets. Subsequent packets alternate these source and destination IP addresses and the traffic seems to go between the default router and the internal interface of our content security filter which is in-line with the firewall. The only way to stop the traffic is to pull the plug or disable the port at the managed switch.
Does the fact that I'm seeing packets tagged with wireless IP addresses on the wired network make sense to anyone? That definitely seems like the trigger. I wouldn’t expect to see that traffic on the wire.
Any thoughts?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I worked with SafeNet to resolve the problem
ASKER
Correction. We have found that there were no changes to the eSafe software therefore we're concluding that something may have changed at the OS level. I've been testing with Windows XP and I'm going to pursue this issue with Microsoft.
It is safe to discard such packets ASAP.