Eric at Lucii.org on 22 Mar 2012 20:53:03 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] web server sending TCP reset


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey thanks everybody for the info and ideas!

I am told that a Cisco firewall device was replaced about 1 month ago (reasons unknown.)  When they swapped it back in to the network this afternoon the problem has apparently stopped.

We'll see!

Thanks
Eric

On 03/22/2012 08:45 PM, Tim Heckman wrote:
> Where are they seeing the TCP resets at?  Are they running tcpdump/wireshark on the system itself, or on the local system that's trying to connect?
> 
> Assuming the server itself has tcpdump installed you can use this to see if the server is sending any resets when someone connects to port 80 (as root):
> 
>     tcpdump 'tcp[13] & 4!=0' and port 80
> 
> Or, if they are seeing the resets on another port just change the port in the command.  What you would then want to do is have wireshark running on the local system, and see if it is getting RST packets.  If you are seeing RST packets locally, and not coming from the system, something is happening in the middle.
> 
> If you see the server sending the resets, then the plot thickens.
> 
> -Tim
> 
> ---
> Tim Heckman
> 
> On Thursday, March 22, 2012 at 7:41 PM, David Coulson wrote:
> 
>> The 'server' IP has to send them for the RST to actually work - Curious
>> if it's actually the server itself sending the RST, or another device
>> further upstream that is intercepting. I've seen this when an ISP has
>> sloppy firewall rules, so they 'block' a high port such as 8080, but
>> don't realize legitimate clients might be using that as a source port.
>>
>> On 3/22/12 5:43 PM, Carl Johnson wrote:
>>> Some ISP's do this to subscribers as a means to block/control P2P traffic. Not sure why a server would send them though.
>>>
>>>
>>>
>>>
>>>
>>> Sent from my Motorola DynaTAC 8000x
>>>
>>> "Eric at Lucii.org"<eric@lucii.org <mailto:eric@lucii.org>> wrote:
>>>
> A user of a site I'm developing is having connectivity problems and
> they started looking at their firewall logs. They then asked the site
> owner why the site was sending so many TCP RESET packets. So, he asked
> me. I have no idea.... I've never heard of a web site sending TCP
> RESET packets... thought that was handled at a lower level.
> 
> Sound familiar to anybody? I'm (very rapidly) out of ideas.
> 
> They're looking at it with Wireshark and will, I suppose, report back
> to me at some point.
> 
> 
> Eric
___________________________________________________________________________
Philadelphia Linux Users Group --
http://www.phillylinux.org
Announcements -
http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion --
http://lists.phillylinux.org/mailman/listinfo/plug
>>> ___________________________________________________________________________
>>> Philadelphia Linux Users Group -- http://www.phillylinux.org
>>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>>> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
>> ___________________________________________________________________________
>> Philadelphia Linux Users Group -- http://www.phillylinux.org
>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

- -- 
#  Eric Lucas
#
#                "Oh, I have slipped the surly bond of earth
#                 And danced the skies on laughter-silvered wings...
#                                        -- John Gillespie Magee Jr
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9r824ACgkQ2sGpvXQrZ/7SlwCfZjXydE0D0C//NfF9ZJCTSNqp
FrQAnR+GsmuyQ5xx6Ed/QC79Bz+81NXh
=ELOQ
-----END PGP SIGNATURE-----
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug