TCP connections are sometimes ended with an unexpected RST (reset)

Solution Verified - Updated -

Issue

  • The Red Hat system is sending a RST packet for some unknown reason:
$ tshark -t dd -r capture.pcap "tcp.stream == 0"
51780 21:13:37.129318   0.000000 192.168.100.10 10.20.30.40 TCP 74 64085 > 22501 [SYN] Seq=2466982502 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=3311535022 TSecr=0 WS=128 
51793 21:13:37.131359   0.002041 10.20.30.40 192.168.100.10 TCP 60 22501 > 64085 [SYN, ACK] Seq=2556619282 Ack=2466982503 Win=65535 Len=0 MSS=1380 
51794 21:13:37.131382   0.000023 192.168.100.10 10.20.30.40 TCP 54 64085 > 22501 [ACK] Seq=2466982503 Ack=2556619283 Win=14600 Len=0 
51799 21:13:37.131875   0.000493 192.168.100.10 10.20.30.40 HTTP 223 GET /XmasServlet/XmasServlet?info=PIN&msisdn=306981323262 HTTP/1.1  
51803 21:13:37.133872   0.001997 10.20.30.40 192.168.100.10 HTTP 166 HTTP/1.1 200 OK  
51804 21:13:37.133881   0.000009 192.168.100.10 10.20.30.40 TCP 54 64085 > 22501 [ACK] Seq=2466982672 Ack=2556619395 Win=14600 Len=0 
51805 21:13:37.134021   0.000140 10.20.30.40 192.168.100.10 HTTP 173 Continuation or non-HTTP traffic 
51806 21:13:37.134028   0.000007 192.168.100.10 10.20.30.40 TCP 54 64085 > 22501 [ACK] Seq=2466982672 Ack=2556619514 Win=14600 Len=0 
51810 21:13:37.134381   0.000353 192.168.100.10 10.20.30.40 TCP 54 64085 > 22501 [RST, ACK] Seq=2466982672 Ack=2556619514 Win=14600 Len=0
  • Most of the time, the connection ends with a normal passing of FIN packets:
$ tshark -t dd -r capture.pcap "tcp.stream == 1"
48545 21:13:35.827904   0.000000 192.168.100.10 10.20.30.40 TCP 74 64072 > 22501 [SYN] Seq=1723152983 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=3311533721 TSecr=0 WS=128 
48568 21:13:35.829935   0.002031 10.20.30.40 192.168.100.10 TCP 60 22501 > 64072 [SYN, ACK] Seq=1170803760 Ack=1723152984 Win=65535 Len=0 MSS=1380 
48569 21:13:35.829945   0.000010 192.168.100.10 10.20.30.40 TCP 54 64072 > 22501 [ACK] Seq=1723152984 Ack=1170803761 Win=14600 Len=0 
48576 21:13:35.830509   0.000564 192.168.100.10 10.20.30.40 HTTP 223 GET /XmasServlet/XmasServlet?info=PIN&msisdn=306981323262 HTTP/1.1  
48599 21:13:35.832546   0.002037 10.20.30.40 192.168.100.10 HTTP 166 HTTP/1.1 200 OK  
48600 21:13:35.832559   0.000013 192.168.100.10 10.20.30.40 TCP 54 64072 > 22501 [ACK] Seq=1723153153 Ack=1170803873 Win=14600 Len=0 
48601 21:13:35.832568   0.000009 10.20.30.40 192.168.100.10 HTTP 173 Continuation or non-HTTP traffic 
48602 21:13:35.832573   0.000005 192.168.100.10 10.20.30.40 TCP 54 64072 > 22501 [ACK] Seq=1723153153 Ack=1170803992 Win=14600 Len=0 
48611 21:13:35.834868   0.002295 192.168.100.10 10.20.30.40 TCP 54 64072 > 22501 [FIN, ACK] Seq=1723153153 Ack=1170803992 Win=14600 Len=0 
48612 21:13:35.836636   0.001768 10.20.30.40 192.168.100.10 TCP 60 22501 > 64072 [ACK] Seq=1170803992 Ack=1723153154 Win=65535 Len=0 
48613 21:13:35.836665   0.000029 10.20.30.40 192.168.100.10 TCP 60 22501 > 64072 [FIN, ACK] Seq=1170803992 Ack=1723153154 Win=65535 Len=0 
48614 21:13:35.836676   0.000011 192.168.100.10 10.20.30.40 TCP 54 64072 > 22501 [ACK] Seq=1723153154 Ack=1170803993 Win=14600 Len=0
  • netstat -s reports connections reset due to early user close

Environment

  • Red Hat Enterprise Linux
  • TCP

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content