TCP Retransmissions
18 years 2 months ago #16383
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: TCP Retransmissions
I am having a similar issue on my Cisco 3750G switch; this is happening on a VLAN between two servers on the same IP subnet and the same VLAN.
I currently have a TAC case open to help me determine if the fault is with my switch or not. I get TCP Retransmissions, TCP Fast Retransmissions, TCP DUP ACK (sometimes I can get 40 to 50 for the same TCP segment), TCP Out-of-Order.
Why can't these things just work, lol
I will keep people updated on what is found.
Cheers
Wayne
18 years 2 months ago #16406
by wlekns
Replied by wlekns on topic Re: TCP Retransmissions
I can't really send a capture file but below is the Flow Graph. The interesting thing is the FIN,ACK activity.
>> CLIENT to SERVER
<< SERVER to CLIENT
SYN>>
<<SYN,ACK
PSH,ACK>>
<<PSH,ACK
PSH,ACK>>
ACK>>
PSH,ACK>>
ACK>>
<<PSH,ACK
ACK>>
ACK>>
PSH,ACK>>
<<ACK
<<ACK
<<ACK
ACK>>
<<PSH,ACK
FIN,ACK>>
<<ACK
RST,ACK>>
<<ACK
RST>>
<<ACK
RST>>
<<ACK
RST>>
<<ACK
RST>>
This seems to be happening through all of my captures.
Suggestions?
18 years 2 months ago #16408
by wlekns
Replied by wlekns on topic Re: TCP Retransmissions
Additional information from the users.
The symptoms appear to be:
* Screen Freezes for 5-10 seconds
* Appears to be a hung IE session
* Sometimes must use tskmgr to kill IE
17 years 6 months ago #21278
by mobi
Replied by mobi on topic Re: TCP Retransmissions
I'm facing a similar issue.
I'm trying to upload a file to an FTP server on the local intranet. The transfer is too slow.
When I captured the transmission, I see a lot of TCP DUP ACKs, TCP Retransmissions, and also some TCP Fast Retransmissions.
Can someone tell what exactly is going on and how can I fix it?
Here's a sniffed session.
www.myjavaserver.com/~mobi/output.rar
17 years 6 months ago #21279
by Smurf
Replied by Smurf on topic Re: TCP Retransmissions
How are you creating the capture? Is it a VLAN SPAN or a port SPAN? Also, are you capturing RX/TX or both?
13 years 8 months ago #36372
by devocite
Replied by devocite on topic Possible Solution
I just found the solution for a customer with the same problem.
I set up a monitor on the client and server switch ports, and I would see the server send an ACK, and the client received a RST!
The customer has a Barracuda web filter, and spanning the port showed it was responding to traffic with a RST.
My solution: create a L2 VLAN (i.e. 500) with two ports, run a wire from an access port in VLAN 1 to one of the ports in VLAN 500, then plug the Barracuda into the other port of VLAN 500. I then set up a MAC access list on the port of VLAN 500 I looped from VLAN 1. I only allow the MAC addresses for the Barracuda and the ASA.
Why? On 3750 and below you can only apply an access-group as an ingress filter.
mac access-list extended BaracudaASA
permit any host 0017.5401.0a06
permit any host 001f.9e2b.b04d
permit any host ffff.ffff.ffff
deny any any
interface GigabitEthernet4/0/22
description *** Baracuda MAC jail ***
switchport access vlan 500
switchport mode access
mac access-group BaracudaASA in
no cdp enable
Other solutions: replace your Barracuda with a BlueCoat ProxyOne or Cisco IronPort web filter.
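As an added example (not code from either post, and not something the thread's authors ran), the two signs discussed in this thread can be checked offline over captured frames: devocite's finding that the RSTs came from a different device than the server (visible when both ports are spanned and source MACs compared), and the tail of server ACKs that keep arriving after the client's RST in wlekns's flow graph. The frame record layout, the MAC and IP addresses and the sample capture below are constructed for illustration.

```python
from collections import namedtuple
# One captured frame; a constructed record layout for this example, not a pcap.
Frame = namedtuple("Frame", "no src_mac src_ip dst_ip flags")

def learn_owners(frames):
    """Map IP -> MAC from each IP's SYN or SYN,ACK; the handshake is taken as
    the ground truth for which NIC really owns the address."""
    owners = {}
    for f in frames:
        if "SYN" in f.flags.split(",") and f.src_ip not in owners:
            owners[f.src_ip] = f.src_mac
    return owners

def injected_rsts(frames):
    """RST segments whose source MAC differs from the MAC that IP used in the
    handshake, i.e. a third device speaking for the server."""
    owners = learn_owners(frames)
    return [(f.no, f.src_ip, f.src_mac, owners[f.src_ip]) for f in frames
            if "RST" in f.flags.split(",") and f.src_ip in owners
            and owners[f.src_ip] != f.src_mac]

def acks_after_rst(frames, client_ip):
    """Count segments sent to the client after the client's first RST. A host
    that really received the RST has nothing left to acknowledge, so a long
    tail of ACKs suggests the RST never reached the real endpoint."""
    reset_seen, tail = False, 0
    for f in frames:
        if f.src_ip == client_ip and "RST" in f.flags.split(","):
            reset_seen = True
        elif reset_seen and f.dst_ip == client_ip:
            tail += 1
    return tail

# Constructed capture: client 10.0.0.10 (MAC ...:10) talks to server 10.0.0.20
# (MAC ...:20); a reset claiming to be from the server arrives from a third MAC.
C, S, X = "00:aa:00:00:00:10", "00:aa:00:00:00:20", "00:bb:ff:ff:ff:01"
SAMPLE = [
    Frame(1, C, "10.0.0.10", "10.0.0.20", "SYN"),
    Frame(2, S, "10.0.0.20", "10.0.0.10", "SYN,ACK"),
    Frame(3, C, "10.0.0.10", "10.0.0.20", "ACK"),
    Frame(4, C, "10.0.0.10", "10.0.0.20", "PSH,ACK"),
    Frame(5, X, "10.0.0.20", "10.0.0.10", "RST,ACK"),  # the injected reset
    Frame(6, C, "10.0.0.10", "10.0.0.20", "FIN,ACK"),
    Frame(7, S, "10.0.0.20", "10.0.0.10", "ACK"),
    Frame(8, C, "10.0.0.10", "10.0.0.20", "RST"),
    Frame(9, S, "10.0.0.20", "10.0.0.10", "ACK"),
    Frame(10, C, "10.0.0.10", "10.0.0.20", "RST"),
    Frame(11, S, "10.0.0.20", "10.0.0.10", "ACK"),
]
```

On the constructed capture, `injected_rsts(SAMPLE)` flags frame 5 only, and `acks_after_rst(SAMPLE, "10.0.0.10")` reports the two server ACKs that followed the client's reset.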