Windows Firewall dropping syn/ack packets!?

I installed an ODBC driver on a Windows Server 2003 R2 SP2 machine and
attempted to set up a DSN to connect to a remote database.

When I test the DSN connection it fails.

On examining the windows firewall log I see the line below once for every
failed connection:-

2007-09-26 13:45:29 DROP TCP 10.2.196.65 10.2.239.8 3306 1952 48 SA
374811178 2640928510 5840 - - - RECEIVE

The windows server is 10.2.239.8 and the database is on 10.2.196.65 running
on TCP port 3306.

Correct me if I'm wrong but isn't this showing windows firewall rejecting
the SYN/ACK of a legit TCP handshake?

If so why is it doing this, I'm initiating the outgoing connection, surely
the related packets should be allowed?

I hope someone can throw some light on this.

Cheers.

To make sure I understand:

This log shows a dropped SYN-ACK from the Windows server (10.2.239.8:3306)
to the database server (10.2.196.65:1952).

Which computer are you getting this log from?

--
Steve Riley
(E-Mail Removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Sheepfarming" <(E-Mail Removed)> wrote in message
news:C9CBE659-DD6B-433D-A87C-(E-Mail Removed)...
>
> I installed an ODBC driver on a Windows Server 2003 R2 SP2 machine and
> attempted to set up a DSN to connect to a remote database.
>
> When I test the DSN connection it fails.
>
> On examining the windows firewall log I see the line below once for every
> failed connection:-
>
> 2007-09-26 13:45:29 DROP TCP 10.2.196.65 10.2.239.8 3306 1952 48 SA
> 374811178 2640928510 5840 - - - RECEIVE
>
> The windows server is 10.2.239.8 and the database is on 10.2.196.65
> running
> on TCP port 3306.
>
> Correct me if I'm wrong but isn't this showing windows firewall rejecting
> the SYN/ACK of a legit TCP handshake?
>
> If so why is it doing this, I'm initiating the outgoing connection, surely
> the related packets should be allowed?
>
> I hope someone can throw some light on this.
>
> Cheers.

"Steve Riley [MSFT]" wrote:

> To make sure I understand:
>
> This log shows a dropped SYN-ACK from the Windows server (10.2.239.8:3306)
> to the database server (10.2.196.65:1952).

The Windows2K3 server (10.2.239.8:1952) appears to be dropping the SYN-ACK
from the database server (10.2.196.65:3306).

> Which computer are you getting this log from?

The W2K3 server (10.2.239.8) initiated the connection (to port 3306 on the
database server 10.2.196.65) and the log is from the W2K3 server (10.2.239.8).

There aren't any dropped packets on the database server.

I hope that makes more sense.

Cheers.

Hm. Looks like I misread your log the first time. This is what you wrote:

2007-09-26 13:45:29 DROP TCP 10.2.196.65 10.2.239.8 3306 1952 48 SA
374811178 2640928510 5840 - - - RECEIVE

This is the format of the firewall log:

Date Time Action Protocol Source-IP Dest-IP Source-Port Dest-Port Size
TCPFlags TCPSyn TCPAck TCPWinSize ICMPType ICMPCode Info Path

So this is a SYN-ACK from 10.2.196.65:3306 to 10.2.239.8:1952. This matches
your statement

> The Windows2K3 server (10.2.239.8:1952) appears to be dropping the SYN-ACK
> from the database server (10.2.196.65:3306).

Obviously the initial SYN from the 2003 Server is getting to the database
server. I'm at a loss why its firewall is blocking the reply, I'll have to
ask around. Meanwhile, try something, and I doubt this will work: create an
exception that permits inbound traffic from the database server. This is
more curiosity than anything else.

--
Steve Riley
(E-Mail Removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Sheepfarming" <(E-Mail Removed)> wrote in message
news:741276D5-4E95-47D8-AF86-(E-Mail Removed)...
> "Steve Riley [MSFT]" wrote:
>
>> To make sure I understand:
>>
>> This log shows a dropped SYN-ACK from the Windows server
>> (10.2.239.8:3306)
>> to the database server (10.2.196.65:1952).
>
> The Windows2K3 server (10.2.239.8:1952) appears to be dropping the SYN-ACK
> from the database server (10.2.196.65:3306).
>
>> Which computer are you getting this log from?
>
> The W2K3 server (10.2.239.8) initiated the connection (to port 3306 on
> the
> database server 10.2.196.65) and the log is from the W2K3 server
> (10.2.239.8).
>
> There aren't any dropped packets on the database server.
>
> I hope that makes more sense.
>
> Cheers.
>
>
>

How many network interfaces are in the Windows server? I'm wondering if
perhaps the SYN-ACK is arriving on a different network interface than the
one that sent the original SYN.

--
Steve Riley
(E-Mail Removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hm. Looks like I misread your log the first time. This is what you wrote:
>
> 2007-09-26 13:45:29 DROP TCP 10.2.196.65 10.2.239.8 3306 1952 48 SA
> 374811178 2640928510 5840 - - - RECEIVE
>
> This is the format of the firewall log:
>
> Date Time Action Protocol Source-IP Dest-IP Source-Port Dest-Port Size
> TCPFlags TCPSyn TCPAck TCPWinSize ICMPType ICMPCode Info Path
>
> So this is a SYN-ACK from 10.2.196.65:3306 to 10.2.239.8:1952. This
> matches your statement
>
>> The Windows2K3 server (10.2.239.8:1952) appears to be dropping the
>> SYN-ACK
>> from the database server (10.2.196.65:3306).
>
> Obviously the initial SYN from the 2003 Server is getting to the database
> server. I'm at a loss why its firewall is blocking the reply, I'll have to
> ask around. Meanwhile, try something, and I doubt this will work: create
> an exception that permits inbound traffic from the database server. This
> is more curiosity than anything else.
>
> --
> Steve Riley
> (E-Mail Removed)
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
> "Sheepfarming" <(E-Mail Removed)> wrote in message
> news:741276D5-4E95-47D8-AF86-(E-Mail Removed)...
>> "Steve Riley [MSFT]" wrote:
>>
>>> To make sure I understand:
>>>
>>> This log shows a dropped SYN-ACK from the Windows server
>>> (10.2.239.8:3306)
>>> to the database server (10.2.196.65:1952).
>>
>> The Windows2K3 server (10.2.239.8:1952) appears to be dropping the
>> SYN-ACK
>> from the database server (10.2.196.65:3306).
>>
>>> Which computer are you getting this log from?
>>
>> The W2K3 server (10.2.239.8) initiated the connection (to port 3306 on
>> the
>> database server 10.2.196.65) and the log is from the W2K3 server
>> (10.2.239.8).
>>
>> There aren't any dropped packets on the database server.
>>
>> I hope that makes more sense.
>>
>> Cheers.
>>
>>
>>

"Steve Riley [MSFT]" wrote:

> How many network interfaces are in the Windows server? I'm wondering if
> perhaps the SYN-ACK is arriving on a different network interface than the
> one that sent the original SYN.

Doh! I have a very red face right now.

I forgot the database server has 2 interfaces, and a direct route back to
the W2K3 server's subnet.

Many thanks.

Glad to help out.

--
Steve Riley
(E-Mail Removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Ant" <(E-Mail Removed)> wrote in message
news:622C474D-16DD-461C-97E8-(E-Mail Removed)...
> "Steve Riley [MSFT]" wrote:
>
>> How many network interfaces are in the Windows server? I'm wondering if
>> perhaps the SYN-ACK is arriving on a different network interface than the
>> one that sent the original SYN.
>
> Doh! I have a very red face right now.
>
> I forgot the database server has 2 interfaces, and a direct route back to
> the W2K3 server's subnet.
>
> Many thanks.