Transport layer events

Capsa can diagnose the following transport layer events.

Each event is listed with its description, severity, possible causes, and solutions.

TCP Connection Refused

Description: A client’s initial TCP connection attempt is rejected by the host.

Severity: Fault

Possible causes:

  1. A client is requesting a service that the host does not offer.
  2. There are no more available resources on the host to handle the request.

Solutions:

  1. Check for service availability at the host.
  2. Check for the maximum number of incoming connections that a host can handle.

TCP Repeated Connect Attempt

Description: A client is attempting multiple times to establish a TCP connection.

Severity: Fault

Possible causes:

  1. The server does not exist or is not powered on.
  2. A client requests a service that is not available on the server.
  3. The SYN packet from a client or the ACK packet from a server is lost or damaged.
  4. The SYN packet from a client or the ACK packet from a server is blocked by a firewall.

Solutions:

  1. Make sure the server exists and is powered on.
  2. Open the port for the service on the server.
  3. Make sure the SYN packet is reaching the server. If the server ACKs, make sure the ACK packet reaches the client.
  4. Open the access control policy on the firewall.

TCP Retransmission

Description: The source host is sending another TCP packet with a sequence number identical to or less than that of a previously sent TCP packet to the same destination IP address and TCP port number.

Severity: Performance

Possible causes:

  1. Network congestion.
  2. A packet from a client or the ACK packet from the server is lost because the switch or the router is overloaded.
  3. The connection between a client and the server is slow.
  4. The server-side buffer overflows.
  5. The TCP packet is lost or damaged during transmission.
  6. A segment of a segmented TCP packet is lost or damaged during transmission.

Solutions:

  1. Check the application services running on the network.
  2. Check the working status of switches and routers.
  3. Update the configurations of routes.
  4. Check the working status of the host at the receiving side.

TCP Invalid Checksum

Description: The TCP checksum that the destination host calculates for a received packet does not match the value in the packet's TCP checksum field.

Severity: Fault

Possible causes:

  1. The packet is damaged during transmission.
  2. If the TCP checksum of every packet is wrong, TCP checksum calculation may be disabled.
  3. The source stack does not calculate TCP checksum.

Solutions:

  1. Check for sources of electromagnetic interference on the transmission line and for faulty transmission devices.
  2. Check whether checksum calculation needs to be enabled.
  3. Disable TCP Checksum Offload.

TCP Slow Response

Description: The response time for an ACK packet is higher than the threshold.

Severity: Performance

Possible causes:

  1. Network congestion.
  2. The connection between the sending host and the receiving host is slow.
  3. The ACK packet is lost or damaged during transmission.
  4. A router between the sending host and the receiving host is overloaded.

Solutions:

  1. Check the application services running on the network.
  2. Update the configurations of routes.
  3. Check if the ACK packet is lost or damaged.
  4. Upgrade the router.

TCP Duplicated Acknowledgement

Description: At least three packets have identical ACK and SEQ numbers.

Severity: Performance

Possible causes:

  1. A TCP segment is lost due to network congestion.
  2. Packets are lost due to other network problems.
  3. The other side of the TCP connection is unresponsive.

Solutions:

  1. Check if there is network congestion.
  2. Check if packets are lost due to other network problems.
  3. Check whether the hosts on both ends of the TCP connection are working normally.

TCP SYN Storm

Description: A lot of TCP SYN packets are being sent at a speed higher than the threshold.

Severity: Security

Possible causes: There is a DoS or DDoS attack.

Solutions: Check if there is a DoS or DDoS attack.

TCP Header Offset Error

Description: The TCP header offset is less than 5.

Severity: Security

Possible causes: The source host is sending faulty TCP packets.

Solutions:

  1. Check if there is an attack on the source host.
  2. Check whether the processes are running normally.

TCP Port Scan

Description: A local or remote host scans a number of TCP ports higher than the threshold.

Severity: Security

Possible causes:

  1. A local host is infected with a worm that automatically scans TCP ports.
  2. Scanning software is scanning TCP ports.

Solutions:

  1. Check if the host is infected with a worm.
  2. Check if there is manual scanning on the source host.
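
The three Security events above (TCP SYN Storm, TCP Header Offset Error, TCP Port Scan) can be written as detection rules over per-packet records. The following Python code is an added example, not Capsa's implementation: the record layout, the function names and the threshold values are assumptions, and the packet records are constructed.

```python
from collections import defaultdict, deque

# Assumed values: the page only says "higher than the threshold".
WINDOW = 1.0      # seconds of history kept per host
SYN_LIMIT = 100   # SYNs to one destination per window -> TCP SYN Storm
PORT_LIMIT = 20   # distinct ports probed by one source per window -> TCP Port Scan

def detect(packets):
    """Return {(event, host)}. Each record is a dict with ts (seconds), src,
    dst, dport, flags ("S", "SA", ...) and data_offset (header length in words)."""
    events = set()
    syns_to = defaultdict(deque)    # dst -> timestamps of recent SYNs
    probes_by = defaultdict(deque)  # src -> (ts, dst, dport) of recent SYNs
    for p in sorted(packets, key=lambda r: r["ts"]):
        if p["data_offset"] < 5:    # a TCP header is at least 5 words (20 bytes)
            events.add(("TCP Header Offset Error", p["src"]))
            continue                # the rest of the header cannot be trusted
        if p["flags"] != "S":       # only connection-opening SYNs are counted
            continue
        horizon = p["ts"] - WINDOW
        q = syns_to[p["dst"]]
        q.append(p["ts"])
        while q[0] <= horizon:      # drop SYNs that fell out of the window
            q.popleft()
        if len(q) > SYN_LIMIT:
            events.add(("TCP SYN Storm", p["dst"]))
        s = probes_by[p["src"]]
        s.append((p["ts"], p["dst"], p["dport"]))
        while s[0][0] <= horizon:
            s.popleft()
        if len({(dst, port) for _, dst, port in s}) > PORT_LIMIT:
            events.add(("TCP Port Scan", p["src"]))
    return events

def sample_capture():
    """Constructed records: a SYN flood, a scan, a malformed header, a normal client."""
    def rec(ts, src, dst, dport, off=5):
        return {"ts": ts, "src": src, "dst": dst, "dport": dport,
                "flags": "S", "data_offset": off}
    flood = [rec(i * 0.005, f"198.51.100.{i + 1}", "10.0.0.5", 80) for i in range(150)]
    scan = [rec(5 + i * 0.01, "10.0.0.66", "10.0.0.7", 1 + i) for i in range(30)]
    bad = [rec(9.0, "10.0.0.99", "10.0.0.5", 443, off=3)]
    ok = [rec(10 + i, "10.0.0.20", "10.0.0.5", 443) for i in range(5)]
    return flood + scan + bad + ok

if __name__ == "__main__":
    for event, host in sorted(detect(sample_capture())):
        print(f"{event}: {host}")
```

The SYN storm is attributed to the destination because flood sources are often spoofed, while the port scan and header offset events are attributed to the source host, which is where the solutions above say to look.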