Not a TCP guru here.
I’ve been trying to wrap my head around a problem happening randomly at my place of work.
The scenario:
WebProxy server (also security scanner) fetches file for client from external site.
WebProxy starts downloading and at one point in the TCP conversation, sends an ACK to a packet that doesn’t show up in the tcpdump.
WebProxy keeps sending DupACKs for the same packet until it finally sends a FIN/ACK (with the same ACK number) to close the connection.
The user experience:
User enters URL to download file.
User gets “progress page” from WebProxy.
User sees progress bar moving.
User sees progress bar stop for a long time (up to 2 minutes).
WebProxy throws error, file never gets downloaded completely.
The equipment:
In our Internet infrastructure, we run a Packeteer for which there are policies for shaping HTTP/HTTPS traffic coming from/to our WebProxy. Statistics from the Packeteer show that HTTP and HTTPS traffic was 20% below maximum allowed by policy during my capture, so I do not think this is a factor here, but I wanted to mention it, just in case.
Capture excerpt:
Problem starts at frame #5096 (ACK=3851284). Wireshark states that this is an ACK for frame #5095 but if you look at the SEQ of frame #5095, it’s a different number, so it can’t be it.
If I filter my whole trace with ‘tcp.seq eq 3851284’ I never find a packet with that sequence, yet webproxy keeps sending ACKs for it until it quits.
No. Time Source Destination Protocol Length Info
5091 17.546565 66.165.176.15 webproxy TCP 62 [TCP Keep-Alive] 80→40774 [ACK] Seq=3848563 Ack=3021 Win=17680 Len=0
5092 17.546576 webproxy 66.165.176.15 TCP 56 [TCP Keep-Alive ACK] 40774→80 [ACK] Seq=3021 Ack=3848564 Win=44880 Len=0
5093 17.547159 66.165.176.15 webproxy TCP 62 [TCP Previous segment not captured] 80→40774 [ACK] Seq=3849923 Ack=3021 Win=17680 Len=0
5094 17.547663 66.165.176.15 webproxy TCP 1416 [TCP Out-Of-Order] 80→40774 [ACK] Seq=3848564 Ack=3021 Win=17680 Len=1360
5095 17.548356 66.165.176.15 webproxy TCP 1416 80→40774 [ACK] Seq=3849924 Ack=3021 Win=17680 Len=1360
5096 17.548368 webproxy 66.165.176.15 TCP 56 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5098 17.650337 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#1] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5100 17.650567 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#2] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5102 17.650928 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#3] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5104 17.941223 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#4] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5114 18.524724 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#5] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5120 19.695071 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#6] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5161 22.030163 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#7] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5267 26.703125 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#8] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5400 36.045508 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#9] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5676 54.735228 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#10] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
6225 92.109878 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#11] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
6976 137.904881 webproxy 66.165.176.15 TCP 56 40774→80 [FIN, ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
7002 138.173175 webproxy 66.165.176.15 TCP 56 [TCP Retransmission] 40774→80 [FIN, ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
7003 138.713173 webproxy 66.165.176.15 TCP 56 [TCP Retransmission] 40774→80 [FIN, ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
7105 139.793164 webproxy 66.165.176.15 TCP 56 [TCP Retransmission] 40774→80 [FIN, ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
7141 141.953164 webproxy 66.165.176.15 TCP 56 [TCP Retransmission] 40774→80 [FIN, ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
Does anybody have any idea?
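
An added example, not part of the original post: it parses the first frames of the excerpt above and matches each ACK sent by webproxy to the data segment that ends at that byte, using the TCP rule that an ACK number is the next sequence number the receiver expects (Seq + Len of the last in-order segment). The function names and the regular expression are this example's own.

```python
import re

# Frames 5091-5098 copied from the capture excerpt in the post above.
CAPTURE = """\
5091 17.546565 66.165.176.15 webproxy TCP 62 [TCP Keep-Alive] 80→40774 [ACK] Seq=3848563 Ack=3021 Win=17680 Len=0
5092 17.546576 webproxy 66.165.176.15 TCP 56 [TCP Keep-Alive ACK] 40774→80 [ACK] Seq=3021 Ack=3848564 Win=44880 Len=0
5093 17.547159 66.165.176.15 webproxy TCP 62 [TCP Previous segment not captured] 80→40774 [ACK] Seq=3849923 Ack=3021 Win=17680 Len=0
5094 17.547663 66.165.176.15 webproxy TCP 1416 [TCP Out-Of-Order] 80→40774 [ACK] Seq=3848564 Ack=3021 Win=17680 Len=1360
5095 17.548356 66.165.176.15 webproxy TCP 1416 80→40774 [ACK] Seq=3849924 Ack=3021 Win=17680 Len=1360
5096 17.548368 webproxy 66.165.176.15 TCP 56 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
5098 17.650337 webproxy 66.165.176.15 TCP 56 [TCP Dup ACK 5096#1] 40774→80 [ACK] Seq=3021 Ack=3851284 Win=44880 Len=0
"""

# Group names are this example's own, not Wireshark field names.
LINE = re.compile(
    r"^(?P<no>\d+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+.*?"
    r"Seq=(?P<seq>\d+)\s+Ack=(?P<ack>\d+)\s+Win=\d+\s+Len=(?P<len>\d+)")

def parse(text):
    """Turn Wireshark summary lines into dicts with integer no/seq/ack/len."""
    frames = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            frames.append({k: int(v) if v.isdigit() else v
                           for k, v in m.groupdict().items()})
    return frames

def explain_acks(frames, receiver):
    """For each frame sent by `receiver`, return (frame, ack, data_frame), where
    data_frame is the earlier segment with seq + len == ack (None if not captured)."""
    ends, results = {}, []
    for f in frames:
        if f["src"] != receiver and f["len"] > 0:
            ends.setdefault(f["seq"] + f["len"], f["no"])
        elif f["src"] == receiver:
            results.append((f["no"], f["ack"], ends.get(f["ack"])))
    return results

def cumulative_ack(frames, receiver, start):
    """Advance `start` across contiguous data segments, as the receiver's ACK would."""
    segs = {f["seq"]: f["len"] for f in frames
            if f["src"] != receiver and f["len"] > 0}
    while start in segs:
        start += segs[start]
    return start

if __name__ == "__main__":
    frames = parse(CAPTURE)
    for no, ack, seg in explain_acks(frames, "webproxy"):
        print(f"frame {no}: Ack={ack} covers data ending in frame {seg}")
    print("in-order data ends at", cumulative_ack(frames, "webproxy", 3848564))
```

For frame 5096 the match is frame 5095, because 3849924 + 1360 = 3851284; a `None` result means the segment ending at that byte is not in the parsed excerpt.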