MX modifying TCP syn/reset bit?

SOLVED
MarkiP

Morning/evening all,

Had a bit of a peculiar scenario today that I would appreciate any input on.

Essentially one particular website has been failing to load today (worked fine yesterday). Page tries to load and eventually the browser times it out. Running a pcap on both the client (affects all users at the current site) and the LAN MX interface shows the same story: the TCP SYN request being sent, and a TCP Reset-flagged packet received in response; this happens indefinitely. Am also unable to ping that IP, which I can elsewhere, and when attempting to SSH get a connection timed out, rather than connection refused as I do elsewhere.

Running a capture on the WAN interface however shows a different story: there are only outgoing packets with the SYN bit unset and the Reset bit set, so in essence we are just sending TCP Reset packets and receive no response.

Little bit baffled here, the website is accessible on the same IP from our other offices/home just fine so seems to be a local issue only, have tried amending the traffic shaping to use a different uplink but no change. It seems that the MX is modifying the TCP SYNs to TCP RSTs, but then where the replies are coming from I am not sure, as these do not appear on the WAN interface captures. Ran a capture on the site-to-site interfaces too but nothing.

My only possible theory at the moment is that a while back I may have tried to set up a static route to that internet IP via the MX LAN IP when testing something. And whilst it doesn't show under the route table, it may be hanging around in the background somewhere playing havoc. Tried a reboot also but that made no difference.

I will raise that with support in the morning, but would appreciate anyone's advice if they have ever come across anything similar before. 

Many thanks in advance,

Mark

1 ACCEPTED SOLUTION
MarkiP

Scrap that, seems it was L7 firewall rules (geographic) that were blocking this.
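
The LAN-versus-WAN capture comparison described in the question, as an added example that is not part of the thread or any Meraki code: it parses tcpdump-style text lines (constructed, using documentation addresses) and reports whether the reset the client sees arrived from upstream or was generated between the two capture points. The function names and verdict strings are hypothetical.

```python
import re
from collections import Counter

# Constructed tcpdump-style output; addresses are RFC 1918 / RFC 5737 placeholders.
SERVER = "203.0.113.80"
LAN_CAPTURE = """\
09:00:01.000100 IP 192.168.10.20.51514 > 203.0.113.80.443: Flags [S], seq 1000, win 64240, length 0
09:00:01.000350 IP 203.0.113.80.443 > 192.168.10.20.51514: Flags [R.], seq 0, ack 1001, win 0, length 0
09:00:02.001200 IP 192.168.10.20.51514 > 203.0.113.80.443: Flags [S], seq 1000, win 64240, length 0
09:00:02.001460 IP 203.0.113.80.443 > 192.168.10.20.51514: Flags [R.], seq 0, ack 1001, win 0, length 0
"""
WAN_CAPTURE = """\
09:00:01.000300 IP 198.51.100.7.51514 > 203.0.113.80.443: Flags [R], seq 1000, win 0, length 0
09:00:02.001400 IP 198.51.100.7.51514 > 203.0.113.80.443: Flags [R], seq 1000, win 0, length 0
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[([^\]]+)\]"
)

def summarize(capture, server):
    """Count SYN / SYNACK / RST packets per direction relative to the server IP."""
    counts = Counter()
    for src, dst, flags in LINE.findall(capture):
        if dst == server:
            direction = "to_server"
        elif src == server:
            direction = "from_server"
        else:
            continue  # unrelated flow
        if "R" in flags:
            kind = "RST"
        elif "S" in flags:
            kind = "SYNACK" if "." in flags else "SYN"
        else:
            kind = "other"
        counts[(direction, kind)] += 1
    return counts

def diagnose(lan, wan, server):
    """Locate where the reset seen on the LAN side originates."""
    l, w = summarize(lan, server), summarize(wan, server)
    if not (l[("to_server", "SYN")] and l[("from_server", "RST")]):
        return "pattern-not-present"
    if w[("from_server", "RST")]:
        return "upstream-reset"  # the RST really crossed the WAN link
    # No inbound RST on the WAN: it was generated by the gateway itself.
    if w[("to_server", "SYN")]:
        return "gateway-reset-syn-forwarded"
    return "gateway-reset-syn-dropped"

if __name__ == "__main__":
    print(diagnose(LAN_CAPTURE, WAN_CAPTURE, SERVER))
```

A `gateway-reset-syn-dropped` verdict points at policy on the device between the capture points (firewall, content or geographic rules) rather than at the remote server or the route to it.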
