Wireshark · Wireshark-users: [Wireshark-users] RST in connection after webserver upgrade. Please help analyse

["Jeroen Wolff" <jeroen.wolff@xxxxxxxxx>]

Hi,
I've running into a tcp reset connection wich i don't understand.
Can somebody explain it to me? That would be great!

 

 

 

We have 2 IBM IHS webservers (Apache 2.0.x) with a Avaya loadbalancers on top. The loadbalancers does every

5 seconds a healthcheck with an GET / HTTP/1.1 request. Now the health check works and this is the flow:

 

Webserver1: 10.132.32.97

Loadbalancer: 10.132.32.124

 

No.     Time        Source                Destination           Protocol Info
     28 6.281687    10.132.32.124         10.132.32.97          TCP      63264 > 50110 [SYN] Seq=0 Len=0
     29 6.281764    10.132.32.97          10.132.32.124         TCP      50110 > 63264 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460
     30 6.284956    10.132.32.124         10.132.32.97          TCP      63264 > 50110 [ACK] Seq=1 Ack=1 Win=8192 Len=0
     31 6.285819    10.132.32.124         10.132.32.97          HTTP     GET / HTTP/1.1
     32 6.286340    10.132.32.97          10.132.32.124          HTTP     HTTP/1.1 200 OK (text/html)
     33 6.289605    10.132.32.124         10.132.32.97          TCP      63264 > 50110 [FIN, ACK] Seq=90 Ack=605 Win=8192 Len=0
     34 6.289649    10.132.32.97          10.132.32.124         TCP      50110 > 63264 [ACK] Seq=605 Ack=91 Win=32768 Len=0
     35 6.289691    10.132.32.97          10.132.32.124         TCP      50110 > 63264 [FIN, ACK] Seq=605 Ack=91 Win=32768 Len=0
     36 6.293661    10.132.32.124         10.132.32.97          TCP      [TCP Dup ACK 33#1] 63264 > 50110 [ACK] Seq=91 Ack=605 Win=8192 Len=0
     37 6.294571    10.132.32.124          10.132.32.97          TCP      63264 > 50110 [ACK] Seq=91 Ack=606 Win=8192 Len=0

We needed to upgrade our webserver to a new IBM IHS release (Apache 2.0.47) and now the health check doesn't work and Avaya marks

the webserver as down. Because the Avaya needs a HTTP 200 OK response AND a good closed tcp connection.

And as you can see, there is not a nice closed session. The loadbalancer send a RST to close the connection.

Can anybody see why?

 

No.     Time        Source                Destination           Protocol Info
     51 10.000206   10.132.32.124         10.132.32.97          TCP      63378 > 50110 [SYN] Seq=0 Len=0
     52 10.000345   10.132.32.97          10.132.32.124         TCP      50110 > 63378 [SYN, ACK] Seq=0 Ack=1 Win=32768 Len=0 MSS=1460
     53 10.003637   10.132.32.124         10.132.32.97          TCP      63378 > 50110 [ACK] Seq=1 Ack=1 Win=8192 Len=0
     54 10.004307   10.132.32.124         10.132.32.97          HTTP     GET / HTTP/1.1
     55 10.004993   10.132.32.97          10.132.32.124          HTTP     HTTP/1.1 200 OK (text/html)
     56 10.005111   10.132.32.97          10.132.32.124         TCP      50110 > 63378 [FIN, ACK] Seq=624 Ack=90 Win=32768 Len=0
     57 10.014761   10.132.32.124         10.132.32.97          TCP      63378 > 50110 [FIN, ACK] Seq=90 Ack=624 Win=8192 Len=0
     58 10.014820    10.132.32.97          10.132.32.124         TCP      50110 > 63378 [FIN, ACK] Seq=624 Ack=91 Win=32768 Len=0
     59 10.016232   10.132.32.124         10.132.32.97          TCP      63378 > 50110 [ACK] Seq=91 Ack=625 Win=8192 Len=0
     71 12.180680   10.132.32.124         10.132.32.97          TCP      63378 > 50110 [RST] Seq=92 Len=0

 

Any help would be great, thanks!

--
----
Regards,

Jeroen