Wednesday, May 29, 2019

FIN sent immediately after 3-way handshake

We have a PulseSecure WebVPN appliance which uses rewriting to publish some internal web applications to the outside (WebVPN). When we secure the backend connection (from the VPN appliance to the internal application) using HTTPS, sometimes, randomly, an individual component of the website does not load (the HTML itself, or maybe only an image, a CSS file or a JS file...)

Looking at the packet capture of both the internal server as well as the VPN appliance, we see that the appliance sends a FIN immediately after the TCP handshake.

Now, support is getting on my nerves requesting packet captures from all intermediate devices (firewalls, routers) but they don't say why. Am I missing something here? Since we have already established at both endpoints that there is a FIN packet being sent by the appliance and that there is nothing else between the end of the handshake and FIN what is it that they would be looking for?



No comments:

Post a Comment