Networking Forums > Computer Networking > Windows Networking > TCP Resets

Geoff
      07-26-2006, 01:32 PM
Hello all !

I posted this in the AD forum yesterday, but got no responses, so I'm
going to post here too....sorry for the dual post...but we see this most
often from our AD Domain Controllers.

What we are seeing is a large number of TCP resets (see below) coming
from our AD Domain Controllers, talking to clients. We kind of expect
this to be a FIN-ACK instead of a reset. Any thoughts? Is this
“normal”? If so, why?

BTW...Looks like it's doing Kerberos over TCP

SUMMARY: TCP: Ack Seq#=55975276 Ack#=535452271 Win=0
Frame 5448 at 27.570707013: (60 Bytes)
AD63:88 --> P8675309:1449
Network Error:TCP Reset
Sequence Number = 55975276 (0 byte)
Acknowledgement Number = 535452271
Window Size = 0


Thanks !
Geoff
 
Ace Fekay [MVP]
      07-28-2006, 05:34 AM
In news:%(E-Mail Removed),
Geoff <(E-Mail Removed)> stated, which I commented on below:
> Hello all !
>
> I posted this in the AD forum yesterday, but got no responses, so I'm
> going to post here too....sorry for the dual post...but we see this
> most often from our AD Domain Controllers.
>
> What we are seeing is a large number of TCP resets (see below) coming
> from our AD Domain Controllers, talking to clients. We kind of expect
> this to be a FIN-ACK instead of a reset. Any thoughts? Is this
> “normal”? If so, why?
>
> BTW...Looks like it's doing Kerberos over TCP
>
> SUMMARY: TCP: Ack Seq#=55975276 Ack#=535452271 Win=0
> Frame 5448 at 27.570707013: (60 Bytes)
> AD63:88 --> P8675309:1449
> Network Error:TCP Reset
> Sequence Number = 55975276 (0 byte)
> Acknowledgement Number = 535452271
> Window Size = 0
>
>
> Thanks !
> Geoff


I can't say if this is normal or not, but it doesn't appear correct, since you
mentioned Kerberos using TCP. I know Kerberos uses UDP 88, so I can't answer
you there, and I have not captured traffic to view this, unless someone else
can chime in on that.

Do any of the packets show Kerberos using UDP first, then try TCP? Is this
client to domain controller traffic across a WAN? Any 3rd party spyware, or
antivirus with security features installed?

Do any of the routers (assuming going across a router) have the MTUs altered
or going across a NAT device with multiple internal interfaces? Either one
will affect LDAP traffic. LDAP requires the MTU to be 1500, and if a NAT has
multiple internal interfaces, to disable H.323.

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...
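
An added example, not part of the original post or thread: one way to check a capture for the two things asked about here, whether a client tried Kerberos over UDP 88 before opening TCP 88, and which side ended each TCP 88 connection with FIN or RST. The packet tuples are a constructed sample (host names borrowed from the capture above), and `summarize` and `server_resets` are hypothetical helper names.

```python
from collections import defaultdict

KDC_PORT = 88  # Kerberos port seen in the capture summary in this thread

# Constructed sample, not data from the thread (host names reuse the post's):
# (time_s, proto, src, sport, dst, dport, tcp_flags)
PACKETS = [
    (27.10, "udp", "P8675309", 1448, "AD63", 88, ""),
    (27.11, "udp", "AD63", 88, "P8675309", 1448, ""),
    (27.20, "tcp", "P8675309", 1449, "AD63", 88, "S"),
    (27.21, "tcp", "AD63", 88, "P8675309", 1449, "SA"),
    (27.30, "tcp", "P8675309", 1449, "AD63", 88, "PA"),
    (27.50, "tcp", "AD63", 88, "P8675309", 1449, "PA"),
    (27.55, "tcp", "P8675309", 1449, "AD63", 88, "FA"),
    (27.57, "tcp", "AD63", 88, "P8675309", 1449, "RA"),
    (30.00, "tcp", "PC2", 2001, "AD63", 88, "S"),
    (30.01, "tcp", "AD63", 88, "PC2", 2001, "SA"),
    (30.20, "tcp", "AD63", 88, "PC2", 2001, "FA"),
    (30.21, "tcp", "PC2", 2001, "AD63", 88, "FA"),
]

def summarize(packets, kdc_port=KDC_PORT):
    """Per TCP connection to the KDC port: was UDP tried first, who closed and how."""
    udp_seen = set()  # (client, server) pairs that already sent a UDP request
    conns = defaultdict(lambda: {"udp_first": False, "close": []})
    for t, proto, src, sport, dst, dport, flags in sorted(packets):
        if proto == "udp" and dport == kdc_port:
            udp_seen.add((src, dst))
        if proto != "tcp" or kdc_port not in (sport, dport):
            continue
        from_server = sport == kdc_port
        client, cport, server = (dst, dport, src) if from_server else (src, sport, dst)
        conn = conns[(client, cport, server)]
        if "S" in flags and not from_server:  # client SYN opens the connection
            conn["udp_first"] = (client, server) in udp_seen
        side = "server" if from_server else "client"
        for flag, name in (("F", "fin"), ("R", "rst")):
            event = f"{side}-{name}"
            if flag in flags and event not in conn["close"]:
                conn["close"].append(event)  # keep the order of closing events
    return dict(conns)

def server_resets(summary):
    """Connections the server side ended with RST, sorted for stable output."""
    return sorted(k for k, v in summary.items() if "server-rst" in v["close"])

if __name__ == "__main__":
    print(server_resets(summarize(PACKETS)))
```
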


 
Geoff
      07-28-2006, 12:27 PM
Thanks for the info....I'll check, and post back






Ace Fekay [MVP] wrote:
> In news:%(E-Mail Removed),
> Geoff <(E-Mail Removed)> stated, which I commented on below:
>> Hello all !
>>
>> I posted this in the AD forum yesterday, but got no responses, so I'm
>> going to post here too....sorry for the dual post...but we see this
>> most often from our AD Domain Controllers.
>>
>> What we are seeing is a large number of TCP resets (see below) coming
>> from our AD Domain Controllers, talking to clients. We kind of expect
>> this to be a FIN-ACK instead of a reset. Any thoughts? Is this
>> “normal”? If so, why?
>>
>> BTW...Looks like it's doing Kerberos over TCP
>>
>> SUMMARY: TCP: Ack Seq#=55975276 Ack#=535452271 Win=0
>> Frame 5448 at 27.570707013: (60 Bytes)
>> AD63:88 --> P8675309:1449
>> Network Error:TCP Reset
>> Sequence Number = 55975276 (0 byte)
>> Acknowledgement Number = 535452271
>> Window Size = 0
>>
>>
>> Thanks !
>> Geoff

>
> I can't say if this is normal or not, but it doesn't appear correct, since you
> mentioned Kerberos using TCP. I know Kerberos uses UDP 88, so I can't answer
> you there, and I have not captured traffic to view this, unless someone else
> can chime in on that.
>
> Do any of the packets show Kerberos using UDP first, then try TCP? Is this
> client to domain controller traffic across a WAN? Any 3rd party spyware, or
> antivirus with security features installed?
>
> Do any of the routers (assuming going across a router) have the MTUs altered
> or going across a NAT device with multiple internal interfaces? Either one
> will affect LDAP traffic. LDAP requires the MTU to be 1500, and if a NAT has
> multiple internal interfaces, to disable H.323

 
Ace Fekay [MVP]
      07-31-2006, 04:19 AM
In news:(E-Mail Removed),
Geoff <(E-Mail Removed)> stated, which I commented on below:
> Thanks for the info....I'll check, and post back


Looking forward to your post.

Ace


 
Geoff
      07-31-2006, 12:53 PM
I haven't been able to gather any new data yet...busy week

Ace Fekay [MVP] wrote:
> In news:(E-Mail Removed),
> Geoff <(E-Mail Removed)> stated, which I commented on below:
>> Thanks for the info....I'll check, and post back

>
> Looking forward to your post.
>
> Ace
>
>

 
Ace Fekay [MVP]
      08-07-2006, 04:39 AM
In news:%(E-Mail Removed),
Geoff <(E-Mail Removed)> stated, which I commented on below:
> I haven't been able to gather any new data yet...busy week


Whenever is fine...

:-)



 