Re: TCP Resets




Thanks for the info....I'll check, and post back






Ace Fekay [MVP] wrote:
In news:%23eBPufLsGHA.4896@xxxxxxxxxxxxxxxxxxxx,
Geoff <nigeltufnel123@xxxxxxxxx> stated, which I commented on below:
Hello all !

I posted this in the AD forum yesterday, but got no responses, so I'm
going to post here too....sorry for the dual post...but we see this
most often from our AD Domain Controllers.

What we are seeing is a large number of TCP resets (see below) coming
from our AD Domain Controllers, talking to clients. We kind of expect
this to be a FIN-ACK instead of a reset. Any thoughts? Is this
“normal”? If so, why?

BTW...Looks like it's doing Kerberos over TCP

SUMMARY: TCP: Ack Seq#=55975276 Ack#=535452271 Win=0
Frame 5448 at 27.570707013: (60 Bytes)
AD63:88 --> P8675309:1449
Network Error:TCP Reset
Sequence Number = 55975276 (0 byte)
Acknowledgement Number = 535452271
Window Size = 0


Thanks !
Geoff

I can't say if this is normal or not, but it doesn't appear correct, since you mentioned Kerberos using TCP. I know Kerberos uses UDP 88, so I can't answer you there, and I have not captured traffic to view this, unless someone else can chime in on that.

Do any of the packets show Kerberos using UDP first, then try TCP? Is this client to domain controller traffic across a WAN? Any 3rd party spyware, or antivirus with security features installed?

Do any of the routers (assuming going across a router) have the MTUs altered, or is it going across a NAT device with multiple internal interfaces? Either one will affect LDAP traffic. LDAP requires the MTU to be 1500, and if a NAT has multiple internal interfaces, H.323 needs to be disabled.
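To triage a capture like the one Geoff quoted, the first question is how often each host tears connections down abortively (RST) versus gracefully (FIN), and whether the resets come from the service port with a zero window, as frame 5448 does. The following is an added example written for this thread, not code from either poster: it parses a constructed one-line-per-frame summary (the line format, host names and frame numbers are made up to mirror the quoted frame, and it is not Netmon's own output) and produces that tally.

```python
import re
from collections import defaultdict

# Constructed one-line-per-frame format for this example (not Netmon's format):
#   <frame#> <src>:<port> --> <dst>:<port> <FLAGS> win=<n>
FRAME_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<src>\S+):(?P<sport>\d+)\s+-->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<flags>[A-Z,]+)\s+win=(?P<win>\d+)$"
)

# Constructed sample trace modelled on the frame quoted in the thread:
# a Kerberos (TCP/88) exchange that the DC ends with RST, an LDAP (389)
# session closed with FIN from both sides, and a second zero-window reset.
SAMPLE_TRACE = """\
5440 P8675309:1449 --> AD63:88 SYN win=65535
5441 AD63:88 --> P8675309:1449 SYN,ACK win=16384
5442 P8675309:1449 --> AD63:88 ACK win=65535
5443 P8675309:1449 --> AD63:88 ACK,PSH win=65535
5444 AD63:88 --> P8675309:1449 ACK,PSH win=16384
5448 AD63:88 --> P8675309:1449 RST,ACK win=0
5450 AD63:389 --> P8675309:1450 FIN,ACK win=16384
5451 P8675309:1450 --> AD63:389 FIN,ACK win=65535
5452 AD63:88 --> P8675310:1022 RST,ACK win=0
"""


def parse_frame(line):
    """Parse one summary line into a dict, or return None if it does not match."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    frame = m.groupdict()
    frame["flags"] = set(frame["flags"].split(","))
    for key in ("frame", "sport", "dport", "win"):
        frame[key] = int(frame[key])
    return frame


def classify_teardown(frame):
    """'abortive' for a segment carrying RST, 'graceful' for FIN, None otherwise.
    A segment with both flags is counted as abortive, since RST ends the connection."""
    if "RST" in frame["flags"]:
        return "abortive"
    if "FIN" in frame["flags"]:
        return "graceful"
    return None


def summarize(lines, service_port=88):
    """Tally teardown style per sending host and collect the frame numbers of
    resets sent from service_port with a zero window (the pattern in frame 5448)."""
    per_host = defaultdict(lambda: {"abortive": 0, "graceful": 0})
    zero_window_resets = []
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            continue
        kind = classify_teardown(frame)
        if kind is None:
            continue
        per_host[frame["src"]][kind] += 1
        if kind == "abortive" and frame["sport"] == service_port and frame["win"] == 0:
            zero_window_resets.append(frame["frame"])
    return dict(per_host), zero_window_resets


if __name__ == "__main__":
    hosts, resets = summarize(SAMPLE_TRACE.splitlines())
    for host, counts in sorted(hosts.items()):
        print(f"{host}: {counts['abortive']} RST, {counts['graceful']} FIN")
    print("zero-window resets from TCP/88 in frames:", resets)
```

A host that shows many abortive teardowns on one service port while closing other sessions gracefully narrows the question to that service, which is the comparison worth making before looking at MTU or NAT behaviour on the path.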


