Constant disconnects of users

Hello,

I hope that someone could help us out with a problem that we have been experiencing for quite some time now. We have a MikroTik CCR1016-12S-1S-RM that we wanted to use as our main router, but currently it looks like it’s dropping connections and our users can’t work properly. The users use a Java application that connects to one of our servers and at some point the Java application sends a normal SYN packet, to which the server responds with a proper ACK packet, but the ACK number is a totally random number above 10000000. To this the Java application responds with an RST packet, with no response from the server. After that the Java application sends a couple more RST packets and the connection times out. The first RST packet is counted as invalid RST on the MikroTik.

Unfortunately we can’t take a tcpdump from the server at the moment, but we are working on it. Now the strange part, and the reason why we are posting this in the MikroTik forum, is that this behaviour is observable only on a MikroTik device. We currently use a Dell SonicWall that does not have this problem, but we want to switch to the MikroTik. We even tested a different MikroTik (CCR1009-7G-1C-1S+) with the same result. I’m attaching a couple of tcpdumps taken directly from the MikroTik with the Packet Sniffer. We took the sniff from all the ports so that we can see what goes out and what goes in the router.

We tested different solutions that we found on the forum, but nothing helped. Some tests involved changing the Connection Tracking, resetting the MikroTik and testing without any firewall rules, blocking the invalid RST packets, rejecting the invalid RST packets, changing the distance to the Gateway and many more.

We used Wireshark to check the connection and the issue can be observed with a couple of filters:

  1. ip.addr==87.121.90.189 && tcp.flags.syn==1 - It will show all the syn packets From and To the server and the errors can be easily seen as they are black in Wireshark
  2. ip.addr==87.121.90.189 && tcp.flags.reset==1 - All the reset packets that go and come from the server. A lot of them are expected as this is the way the java application works.
  3. ip.addr==87.121.90.189 && tcp.seq>100000 - This will only isolate the problematic connection, where the actual issue occurs.

Links to the pcap files:
https://drive.google.com/file/d/1Rlz3FZHs8M7QVrsx8Vk3DMyrESrS3Gkc/view?usp=sharing
https://drive.google.com/file/d/16ra2D6rQMiRyzqQbl00fnyiUPBTB4SrC/view?usp=sharing

If you have any ideas, please just post them, because we are running out of ideas.

Thank you in advance.
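An added example, not part of the original post: a small Python check for the pattern described above, where a SYN is answered by a bare ACK whose acknowledgment number is not the client's initial sequence number plus one and the client then resets the flow. It works on absolute sequence numbers from raw TCP headers (Wireshark shows relative numbers by default); the function names, ports and the documentation-range addresses are constructed for illustration.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10

def parse_tcp(raw):
    """Decode ports, sequence/ack numbers and flag bits from a raw TCP header."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return sport, dport, seq, ack, off_flags & 0x3F

def find_bad_handshakes(packets):
    """packets: (src_ip, dst_ip, raw_tcp) tuples in capture order.
    Reports flows where a SYN was answered by a bare ACK whose ack number
    is not client ISN + 1, and whether the client then reset the flow."""
    pending, findings = {}, {}          # keyed by (client, cport, server, sport)
    for src, dst, raw in packets:
        sport, dport, seq, ack, flags = parse_tcp(raw)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if (flags & SYN) and not (flags & ACK):
            pending[fwd] = seq                      # remember the client ISN
        elif (flags & SYN) and (flags & ACK):
            pending.pop(rev, None)                  # normal SYN-ACK, flow is fine
        elif (flags & ACK) and not (flags & RST) and rev in pending:
            expected = (pending.pop(rev) + 1) & 0xFFFFFFFF
            if ack != expected:
                findings[rev] = {"expected_ack": expected, "got_ack": ack,
                                 "client_rst": False}
        elif (flags & RST) and fwd in findings:
            findings[fwd]["client_rst"] = True
    return findings

def tcp(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header (constructed test data, checksum 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 64240, 0, 0)

# Constructed capture: documentation addresses, not the hosts from the post.
C, S = "192.0.2.10", "198.51.100.20"
SAMPLE = [
    (C, S, tcp(50001, 8443, 1000, 0, SYN)),             # healthy handshake
    (S, C, tcp(8443, 50001, 7000, 1001, SYN | ACK)),
    (C, S, tcp(50001, 8443, 1001, 7001, ACK)),
    (C, S, tcp(50002, 8443, 2000, 0, SYN)),             # the pattern from the post
    (S, C, tcp(8443, 50002, 9000, 31337421, ACK)),      # bare ACK, unrelated ack number
    (C, S, tcp(50002, 8443, 31337421, 0, RST)),         # client resets
    (C, S, tcp(50002, 8443, 31337421, 0, RST)),
]

if __name__ == "__main__":
    for flow, info in find_bad_handshakes(SAMPLE).items():
        print(flow, info)
```

Running the same check on captures taken on both sides of the router shows whether the unexpected ACK already arrives from the server or only appears after the router.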