RST ACK with Reset cause


The RST packets in your capture are unrelated to all the other TCP connections seen in your capture. That makes it difficult to guess what may have triggered them. I see no evidence to suggest that the RST packets were triggered by other packets in your capture.

Unlike a normal RST packet, each RST packet in your capture also has a payload. The selected packet has this payload:

(Ref.Id: ?sufKKsWW25F4Cs7CEW4MM?)

This payload is the best hint so far about what may have caused those RST packets. Maybe if you capture traffic for a longer period of time you'll find out if the RST packets are related to a TCP connection which has been idle for a while.

Also check the logs on any middleboxes (NAT, firewall, etc.) for the string sufKKsWW25F4Cs7CEW4MM.

Searching for Ref.Id and RST leads to this older question about a firewall called Sonicwall NSA 2400. And from a quick look over the other search results it appears that the majority of them also mention Sonicwall. So it sounds like the RST packets are most likely produced by a Sonicwall firewall.
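As an added example (not part of the original answer), the following Python code scans raw IPv4 packets for TCP RST segments that carry a payload and extracts the Ref.Id token, so the same string can be searched for in middlebox logs. The sample packets, addresses and ports are constructed, and the token pattern is an assumption generalised from the single payload quoted above.

```python
import re, socket, struct

# Assumed token shape, generalised from the one payload quoted in the answer.
REF_ID = re.compile(rb"Ref\.Id: \?([0-9A-Za-z]+)\?")

def parse_rst_payload(ip_packet):
    """Return (src, dst, payload) for an IPv4 TCP RST that carries data, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        return None                                  # not IPv4/TCP
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    tcp = ip_packet[ihl:total_len]                   # IP total length drops Ethernet padding
    if ihl < 20 or len(tcp) < 20:
        return None                                  # malformed or truncated
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    # 0x04 is the RST flag bit; a normal RST has nothing after the TCP header.
    if not tcp[13] & 0x04 or data_offset < 20 or len(tcp) <= data_offset:
        return None
    src = f"{socket.inet_ntoa(ip_packet[12:16])}:{sport}"
    dst = f"{socket.inet_ntoa(ip_packet[16:20])}:{dport}"
    return src, dst, tcp[data_offset:]

def find_ref_ids(packets):
    """List (src, dst, ref_id) per RST-with-payload; ref_id is None if no token found."""
    hits = []
    for pkt in packets:
        parsed = parse_rst_payload(pkt)
        if parsed:
            src, dst, payload = parsed
            m = REF_ID.search(payload)
            hits.append((src, dst, m.group(1).decode() if m else None))
    return hits

def make_packet(src, dst, sport, dport, flags, payload=b"", padding=b""):
    """Build a constructed IPv4/TCP packet (checksums zeroed) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + padding

# Constructed sample traffic; addresses are documentation ranges, not from the capture.
RST_SRC, PEER = "192.0.2.10", "198.51.100.7"
SAMPLE = [
    make_packet(RST_SRC, PEER, 443, 51000, 0x14, b"(Ref.Id: ?sufKKsWW25F4Cs7CEW4MM?)"),
    make_packet(RST_SRC, PEER, 443, 51001, 0x14, padding=b"\x00" * 6),  # bare RST, padded frame
    make_packet(PEER, RST_SRC, 51002, 443, 0x18, b"data"),              # PSH/ACK data segment
]

if __name__ == "__main__":
    print(find_ref_ids(SAMPLE))
```

Trimming to the IP total length matters here: a bare RST in a padded Ethernet frame would otherwise look like a RST with a payload.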


Author: Hardik Sanghavi

Updated on September 18, 2022

Comments

  • Hardik Sanghavi
    Hardik Sanghavi over 1 year

    We have a device that connects over Wired LAN (Ethernet) to our cloud servers. At certain customer locations, when the device tries to send data, we are getting RST ACK from the customer server to our cloud server with a reset cause. I am not able to understand the reason from this.

    The device is getting connected through DHCP to the customer's routers and then from the routers to our cloud server.

    I have attached a copy of the wireshark dump.

    Wireshark capture

  • Hardik Sanghavi
    Hardik Sanghavi over 8 years
    Thank you for the response. You are absolutely right about the Sonicwall. It seems that our device sent out a lot of data packets and the firewall blocked the connection of the device. Is there a way we can ask the firewall to accept all the connections from our device to our servers and not block them? Our devices send data to a fixed IP and port no
  • Hardik Sanghavi
    Hardik Sanghavi over 8 years
    We tried to search in the logs but couldn't find anything in the logs with the mentioned reference ID. I am sure we are looking at the wrong logs. Please guide us as to what logs to look at.
  • kasperd
    kasperd over 8 years
    @HardikSanghavi I cannot answer that. I have expertise in networking, but that doesn't mean I know every networking product in existence. Sonicwall is not one of the products I know. I suggest you create a new question asking about how to find a Ref.Id in the Sonicwall logs. You can include a link to this question for reference.