Tcp – Why TCP [RST, ACK] is ignored

tcp

I have a Windows 2008 server and an application that connects over Internet to it.
From time to time I see that I receive a TCP [RST, ACK] that is ignored by my application.
Using TCPViewer I still can see that connection is still up.
I did different Wireshark captures and I can see that in case of the RST ignore, another packet is send back, and the connection is never dropped.

269037  72.5.42.235 172.16.1.138    TCP 60  9003?54020 [RST, ACK] Seq=2655287284 Ack=371936778 Win=0 Len=0
269038  172.16.1.138    72.5.42.235 TCP 66  [TCP Dup ACK 268965#33] 54020?9003 [ACK] Seq=371936778 Ack=2655238984 Win=2097120 Len=0 SLE=2655243124 SRE=2655287284

This usually happens when the connection is bad and I get a lot of latency, delayed packets and retransmissions.
Can somebody explain the situation when a [RST, ACK] may be ignored by an application or operating system?

Best Answer

A TCP connection is normally terminating using a special procedure where each side independently closes its end of the link. Connections are only a pair of two-way handshakes, not the normal 3-way handshake some people expect. Normal connection shutdown states are different at each end. It normally begins with one of the application processes signaling to its TCP layer that the session is no longer needed. That device sends a FIN message to tell the other device that it wants to end the connection, which is acknowledged. When the responding device is ready, it too sends a FIN that is acknowledged; after waiting a period of time for the ACK to be received, I believe its 4 mins, the session is closed.

The TCP protocol detects and responds to various problems that can occur during an established connection. One of the most common is the half-open connection. This occurs when one device closes the connection without the other one knowing about it, due to some problem with the connection, such as a bad network connection continuously flapping, which sounds like what you're experiencing. This means one device is in the ESTABLISHED state while the other may be in the CLOSED state, or some other transient state. This can cause states of the two devices to become unsynchronized.

TCP handles these half-open connections with the RST reset function, which is is generated whenever something happens that is “unexpected” by the TCP software.

Your client issued the RST, your http server ACK'd the RST, which should have closed the connection. However, because of the network flapping and the connection being half-open and unsynchronized, this caused some packet-loss or received out of order. This is why you also see the DUP ACK in your post.

Related Solutions

Cisco ASA – Troubleshooting TCP Handshake Failures

By default, the ASA randomizes the sequence numbers in the handshake (to prevent session hijacks). So your sequence numbers don't actually match. You can turn off that feature.

random-sequence-number disable

TCP Firewall – Is the TCP ACK Bit Set for HTTP Responses?

But the problem is the ACK flag is only set on TCP acknowledgement packets, which do not carry any useful information as far as the end user is concerned, so if you only allow packets that have that flag set, you will drop all useful packets.

While ACK packets may not contain any useful data, the packets themselves are extremely useful. The ACK packet tells the other side of the connection "I received the data you sent and I'm ready for more." If the ACK is not received due to packet loss, a firewall blocking it, or any other reason, the connection sender of the ACK will keep resending that same ACK until the other side sends more data.

Now let's take a step back and discuss the Web server scenario you mentioned.

After the three way handshake completes the client will sends a request for a page. This would contain "useful" data because it tells the server what page the client wants. The server then sends an ACK to let the client know the request has been received. The server then sends back data packets which contain the requested page. The client then sends an ACK or ACKs to let the server know it has received all of the data which was sent.

Note that all of the above took place on a single TCP connection. In other words, both parties can send and receive data over the one connection, they do not need one each.

Finally, just an FYI, blocking traffic based on a TCP flag for security purposes is almost as weak as blocking on port numbers. The reason being that malicious users can craft packets any which way they like so sending all packets with the ACK bit set is no trouble at all. If you're interested in reading more about this take a look at Scapy.

Best Answer

Related Solutions

Cisco ASA – Troubleshooting TCP Handshake Failures

TCP Firewall – Is the TCP ACK Bit Set for HTTP Responses?

Related Topic