Hi Experts
Was troubleshooting some network performance issues and in packet captures I saw that I am getting 2 initial SYN packets when a client tries to connect from the internet to my web server's public address. The average latency between the client and my web server is around 80 msec and these SYN requests are a few microseconds apart, so I don't think it is due to a timeout or the first packets being dropped.
Example 1
641 22:03:36.305393 82.0.xx.xxx 194.xxx.xxx.xxx TCP 33334 > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
643 22:03:36.305426 82.0.xx.xxx 194.xxx.xxx.xxx TCP 33334 > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
646 22:03:36.306034 194.xxx.xxx.xxx 82.0.xx.xxx TCP http > 33334 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
669 22:03:36.376870 82.0.xx.xxx 194.xxx.xxx.xxx TCP 33334 > http [RST] Seq=1 Win=0 Len=0
670 22:03:36.376884 82.0.xx.xxx 194.xxx.xxx.xxx TCP 33334 > http [RST] Seq=1 Win=0 Len=0
Example 2
18992 22:05:30.901642 82.34.xxx.xxx 194.xxx.xxx.xxx TCP ff-lr-port > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
18994 22:05:30.901660 82.34.xxx.xxx 194.xxx.xxx.xxx TCP ff-lr-port > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
18996 22:05:30.902738 194.xxx.xxx.xxx 82.34.xxx.xxx TCP http > ff-lr-port [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
19496 22:05:35.233938 194.xxx.xxx.xxx 82.34.xxx.xxx TCP http > ff-lr-port [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
19744 22:05:37.544553 194.xxx.xxx.xxx 82.34.xxx.xxx TCP http > ff-lr-port [RST, ACK] Seq=1 Ack=1 Win=65535 Len=0
These packets are captured before any firewalls or load balancer devices. The SYN packets are 100% similar and I think my devices have no way to know which one is legitimate and which one is not, dropping one packet and replying to the other, but then the client was expecting something else and sent a RST or didn't reply.
Any expert opinions please
Regards
Adnan
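
An added example, not part of the original post: a small Python check that parses capture lines in the text format shown above and reports every repeated SYN together with its gap to the previous copy, compared against the 80 msec latency the post mentions. The function name, the regular expression and the verdict labels are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Lines copied from the post's two examples (addresses are masked in the post).
CAPTURE = """\
641 22:03:36.305393 82.0.xx.xxx 194.xxx.xxx.xxx TCP 33334 > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
643 22:03:36.305426 82.0.xx.xxx 194.xxx.xxx.xxx TCP 33334 > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
646 22:03:36.306034 194.xxx.xxx.xxx 82.0.xx.xxx TCP http > 33334 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
18992 22:05:30.901642 82.34.xxx.xxx 194.xxx.xxx.xxx TCP ff-lr-port > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
18994 22:05:30.901660 82.34.xxx.xxx 194.xxx.xxx.xxx TCP ff-lr-port > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
18996 22:05:30.902738 194.xxx.xxx.xxx 82.34.xxx.xxx TCP http > ff-lr-port [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
"""

# frame, time, src, dst, sport, dport, flags, remaining TCP fields
LINE = re.compile(
    r"^(\d+) (\d\d:\d\d:\d\d\.\d+) (\S+) (\S+) TCP (\S+) > (\S+) \[([^\]]+)\] (.*)$"
)

def duplicate_syns(text, rtt_s=0.080):
    """Return (first_frame, repeat_frame, gap_seconds, verdict) per repeated SYN.

    rtt_s is the client/server latency; 80 msec is the figure from the post.
    A repeat arriving sooner than that cannot be a reaction to a missing SYN-ACK.
    """
    last = {}    # (src, dst, sport, dport, fields) -> (frame, timestamp)
    found = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(7) != "SYN":   # skip SYN-ACK, RST and unparsable lines
            continue
        frame, ts, src, dst, sport, dport, _flags, fields = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S.%f")
        key = (src, dst, sport, dport, fields)
        if key in last:
            prev_frame, prev_t = last[key]
            gap = (t - prev_t).total_seconds()
            verdict = "faster-than-rtt" if gap < rtt_s else "retransmit-candidate"
            found.append((int(prev_frame), int(frame), gap, verdict))
        last[key] = (frame, t)
    return found

if __name__ == "__main__":
    for first, repeat, gap, verdict in duplicate_syns(CAPTURE):
        print(f"frames {first}/{repeat}: gap {gap * 1e6:.0f} us -> {verdict}")
```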