Hi @tamilvanan,

- On which side of the firewall did you capture the traffic?

- The ACK/RST is not actually relevant in this case, because it is for a different connection (the Server Hello comes from 40.126.35.130, while the RST is to 20.190.163.22).

- From the non-working PCAP you can actually see that the client (10.82.192.17) is not receiving the Server Hello (which, by the way, is split into four packets because it is too large). For that reason, the client is re-transmitting its last packet, effectively asking the server to re-transmit its last segment.

- You mentioned that multiple devices are experiencing the same issue - have you found any connection between the working ones and the non-working ones? Are they in different VLANs? Are they using different network devices (switches, routers, etc.)?


This PCAP reminds me of a case several years ago that I will never forget...

We were troubleshooting a case where devices were not able to access a web page over HTTPS, while the server was working fine and the same page was accessible from other networks without issues. We noticed similar re-transmissions when the server tried to send the "Server Hello". Because the "Server Hello" contains the certificate chain and other crap, it is too large and is split into several packets, but they are still large packets. We figured out that the larger packets were being dropped somewhere along the path before reaching the client, so it was not able to complete the SSL negotiation. It may sound bizarre, but in the end it turned out that a bad cable was causing packet loss between two switches. Smaller packets were forwarded without problems, but anything bigger than 1300 was lost.


I would suggest you:

- Check all physical interfaces along the path between the client and the firewall for errors (this includes switches, routers and any other network devices, not only the firewall)

- Check for duplex and speed mismatches on the same interfaces

- Run a packet capture directly on the problematic hosts and on the firewall (on the interface facing the client) at the same time, and confirm that all packets seen by the firewall are received by the client.

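The last suggestion in the reply above (capture on the firewall's client-facing interface and on the client at the same time, then confirm every segment seen upstream also arrives downstream) is easy to do by eye for one handshake but tedious for a busy trace. Below is an added example, not code from the original thread or from any vendor, that compares two capture summaries and answers the two questions that matter here: which segments never reached the client, and whether the loss is size-dependent (as in the bad-cable story, where everything above 1300 bytes was lost). The capture contents are constructed to mimic a TLS handshake whose Server Hello is split into four segments; the client and server addresses are the ones from the thread, while the ports, sequence numbers and payload sizes are made up. In practice you would fill the lists from `tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.len` run over each pcap.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as it appears in a capture summary.

    Only the fields needed to match the same segment at two capture points
    are kept: addresses, ports, relative sequence number and payload length.
    Retransmissions of a segment therefore compare equal to the original.
    """
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    length: int  # TCP payload bytes, 0 for a pure ACK


CLIENT = "10.82.192.17"
SERVER = "40.126.35.130"


def seg(src: str, dst: str, sport: int, dport: int, seq: int, length: int) -> Segment:
    return Segment(src, dst, sport, dport, seq, length)


# Constructed: what the firewall's client-facing interface saw.
FIREWALL_CAPTURE: List[Segment] = [
    seg(CLIENT, SERVER, 51000, 443, 1, 517),      # Client Hello
    seg(SERVER, CLIENT, 443, 51000, 1, 0),        # server ACKs the Client Hello
    seg(SERVER, CLIENT, 443, 51000, 1, 1460),     # Server Hello + certificates, part 1
    seg(SERVER, CLIENT, 443, 51000, 1461, 1460),  # part 2
    seg(SERVER, CLIENT, 443, 51000, 2921, 1460),  # part 3
    seg(SERVER, CLIENT, 443, 51000, 4381, 612),   # part 4, the short tail
    seg(CLIENT, SERVER, 51000, 443, 1, 517),      # client retransmits its Client Hello
    seg(SERVER, CLIENT, 443, 51000, 1, 1460),     # server retransmits part 1
    seg(CLIENT, SERVER, 51000, 443, 1, 517),      # client retransmits again
]

# Constructed: what the client host saw at the same time.
CLIENT_CAPTURE: List[Segment] = [
    seg(CLIENT, SERVER, 51000, 443, 1, 517),
    seg(SERVER, CLIENT, 443, 51000, 1, 0),
    seg(SERVER, CLIENT, 443, 51000, 4381, 612),   # only the short tail arrives
    seg(CLIENT, SERVER, 51000, 443, 1, 517),
    seg(CLIENT, SERVER, 51000, 443, 1, 517),
]


def undelivered(upstream: List[Segment], downstream: List[Segment], dst: str) -> List[Segment]:
    """Segments addressed to dst that the upstream point saw but the downstream point never did."""
    seen = set(downstream)
    out: List[Segment] = []
    for s in upstream:
        if s.dst == dst and s not in seen and s not in out:
            out.append(s)
    return out


def size_profile(upstream: List[Segment], downstream: List[Segment], dst: str) -> Tuple[Optional[int], Optional[int]]:
    """(largest payload that was delivered, smallest payload that was lost) toward dst."""
    lost = {s.length for s in undelivered(upstream, downstream, dst)}
    delivered = {s.length for s in downstream if s.dst == dst and s.length > 0}
    return (max(delivered) if delivered else None, min(lost) if lost else None)


def retransmissions(capture: List[Segment]) -> Dict[Segment, int]:
    """Data segments that appear more than once in a single capture, with their copy count."""
    counts = Counter(s for s in capture if s.length > 0)
    return {s: n for s, n in counts.items() if n > 1}


def diagnose(upstream: List[Segment], downstream: List[Segment], dst: str) -> str:
    """One-line verdict on loss between the two capture points toward dst."""
    biggest_ok, smallest_lost = size_profile(upstream, downstream, dst)
    if smallest_lost is None:
        return f"no loss between capture points toward {dst}"
    if biggest_ok is not None and smallest_lost > biggest_ok:
        return (f"size-dependent loss toward {dst}: payloads <= {biggest_ok} bytes delivered, "
                f">= {smallest_lost} bytes lost; check MTU/MSS and interface errors on the path")
    return f"loss toward {dst} is not size-dependent; look for generic packet loss on the path"


if __name__ == "__main__":
    for s in undelivered(FIREWALL_CAPTURE, CLIENT_CAPTURE, CLIENT):
        print("never reached client:", s)
    for s, n in retransmissions(CLIENT_CAPTURE).items():
        print(f"retransmitted {n}x:", s)
    print(diagnose(FIREWALL_CAPTURE, CLIENT_CAPTURE, CLIENT))
```

Matching on the relative sequence number rather than on capture timestamps is deliberate: the two boxes' clocks are rarely in sync, and a retransmission is by definition the same bytes again, so it compares equal to the original and does not hide the loss. If `diagnose` reports size-dependent loss, the next step is the one the reply already gives: walk the physical path for interface errors and duplex or speed mismatches rather than looking at the firewall's security policy.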