As captioned in subject, would like to get some clarity on the tcp-rst-from-client and tcp-rst-from-server session end reasons on monitor traffic.
Even with successful communication between User's source IP and Dst IP, we are seeing tcp-rst-from-client , which is raising some queries for me personally. Are both these reasons are normal , If not, then how to distinguish whether this reason is due to some communication problem.
Googled this also, but probably i am not able to reach the most relevant available information article. Thought better to take advise here on community.
@Jimmy20, Normally these are the session end reasons. Now depending on the type like TCP-RST-FROM-CLIENT or TCP-RST-FROM-SERVER, it tells you who is sending TCP reset and session gets terminated. It does not mean that firewall is blocking the traffic. It means session got created between client-to-server but it got terminated from any of the end (client or server) and depending on who sent the TCP reset, you will see session end result under traffic logs. And once the session is terminated, it is getting reestablish with new traffic request and thats why not seeing as such problems with the traffic flow.
If you want to know more about it, you can take packet capture on the firewall.
Thanks for reply, What you replied is known to me. But i was searching for - '"Can we consider communication between source and dest if session end reason is TCP-RST-FROM-CLIENT or TCS-RST-FROM-SERVER , bçoz as i mentioned in initial post i can see TCP-RST-FROM-CLIENT for a succesful transaction even, However it shuld be '"tcp-fin" or something except TCP-RST-FROM-CLIENT. if it is reseted by client or server why it is considered as sucessfull.
TCP RST flag may be sent by either of the end (client/server) because of fatal error. So if you take example of TCP RST flag, client trying to connect server on port which is unavailable at that moment on the server.
Now for successful connections without any issues from either of the end, you will see TCP-FIN flag.
Now in case, for a moment particular server went unavailable then RST will happen and user even don't know about this situation and initiated new request again And at that time may be that server became available and after that connection was successful. So In this case, if you compare sessions, you will find RST for first session and 2nd should be TCP-FIN. So like this, there are multiple situations where you will see such logs.
Just wanted to let you know that I have created a blog for this:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!