TCP Connection Dropped – Identifying Endpoint Responsibility


In my company we have a software system used to transmit thousands of files of different sizes through a WAN. Senders and receivers are in different countries or even continents, and most of the connections are established through static VPN tunnels.

The system works fine, but almost every day at some point we experience periods (from minutes to hours) in which many connections are dropped. This software can close the connections if they're idle for 3 minutes, and when this happens the action is properly logged and easily identifiable. However, in most of the cases what we see in the logs of both sides isn't a connection closed due to timeout, but that 'a connection was forcibly closed by the remote host'. So my conclusion is that it is a network device in the middle that is actively sending a RST to both endpoints.

My question is, is this possible? I understand that a router can drop packets, but I've been told that it cannot initiate a connection closure. Is this true? If so, any idea why the TCP stack indicates, on both sides, that it was the other side who closed the connection?

Thanks a lot!

Best Answer

I've seen firewalls exhibit this exact behaviour in the wild when troubleshooting issues: spoofing RST packets. When running a capture on one end of the connection, the RST will appear to be originating from the remote host; try the capture on the remote host and the RST will appear to come from the other end.

So to answer your question, network devices which are "TCP aware" can absolutely cause this situation.
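One way to tell an injected RST from a genuine one in a capture taken at either end, as an added example that is not part of the original answer: a reset really sent by the peer host travels the same path as the peer's data, so its IP TTL should match the TTL of that host's earlier packets on the flow, whereas a RST forged by a middlebox closer to you usually arrives with a different TTL. The packet records below are constructed, not from a real capture, and the check is a heuristic (hosts behind load balancers or multipath routing can legitimately vary).

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture). Each record is
# (src_ip, dst_ip, src_port, dst_port, tcp_flags, ip_ttl) as you would
# read it off a tcpdump/Wireshark line.
PACKETS = [
    ("10.1.1.5", "10.2.2.9", 51000, 443, "S",  64),
    ("10.2.2.9", "10.1.1.5", 443, 51000, "SA", 57),
    ("10.1.1.5", "10.2.2.9", 51000, 443, "A",  64),
    ("10.1.1.5", "10.2.2.9", 51000, 443, "PA", 64),
    ("10.2.2.9", "10.1.1.5", 443, 51000, "A",  57),
    # RST that claims to come from the remote host but arrives with a TTL
    # consistent with a nearer hop: a candidate injected reset.
    ("10.2.2.9", "10.1.1.5", 443, 51000, "R",  62),
]


def flow_key(src, dst, sport, dport):
    """Direction-independent 4-tuple so both halves map to one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def find_suspicious_resets(packets):
    """Return RST packets whose IP TTL differs from the TTL already seen
    from the same sender IP on the same flow in non-RST traffic.
    Heuristic only: a mismatch is a strong hint, not proof, of injection."""
    seen_ttl = {}  # (flow, sender_ip) -> TTL learned from non-RST packets
    suspicious = []
    for src, dst, sport, dport, flags, ttl in packets:
        key = (flow_key(src, dst, sport, dport), src)
        if "R" in flags:
            expected = seen_ttl.get(key)
            if expected is not None and expected != ttl:
                suspicious.append({"flow": key[0], "claimed_src": src,
                                   "rst_ttl": ttl, "expected_ttl": expected})
        else:
            # Remember the first TTL observed from this sender on this flow.
            seen_ttl.setdefault(key, ttl)
    return suspicious


if __name__ == "__main__":
    for hit in find_suspicious_resets(PACKETS):
        print("suspicious RST:", hit)
```

Run the same check over captures from both endpoints, as the answer suggests; if each side's RST "from the peer" shows a TTL mismatch, a device in the path is resetting the connection.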
