Transport layer diagnosis events

The table below describes the diagnosis events on the transport layer. Each entry gives the event name, followed by its description, severity, possible causes, and solutions.

TCP Connection Refused

Description: A client’s initial TCP connection attempt is rejected by the host.

Severity: Fault

Possible causes:

  1. A client is requesting a service that the host does not offer.
  2. There are no more available resources on the host to handle the request.

Solutions:

  1. Check for service availability at the host.
  2. Check for the maximum number of incoming connections that a host can handle.

TCP Repeated Connect Attempt

Description: A client is attempting multiple times to establish a TCP connection.

Severity: Fault

Possible causes:

  1. The server does not exist or is not powered on.
  2. A client requests a service that is not available on the server.
  3. The SYN packet from a client or the ACK packet from a server is lost or damaged.
  4. The SYN packet from a client or the ACK packet from a server is blocked by a firewall.

Solutions:

  1. Make sure the server exists and is powered on.
  2. Open the port for the service on the server.
  3. Make sure the SYN packet is reaching the server. If the server ACKs, make sure the ACK packet reaches the client.
  4. Open the access control policy on the firewall.

TCP Retransmission

Description: The source host is sending another TCP packet with a sequence number identical to or less than that of a previously sent TCP packet to the same destination IP address and TCP port number.

Severity: Performance

Possible causes:

  1. Network congestion.
  2. A packet from a client or the ACK packet from the server is lost because the switch or the router is overloaded.
  3. The connection between a client and the server is slow.
  4. The buffer on the server side overflows.
  5. The TCP packet is lost or damaged during transmission.
  6. A segment of a segmented TCP packet is lost or damaged during transmission.

Solutions:

  1. Check the application services running on the network.
  2. Check the working status of switches and routers.
  3. Update the route configurations.
  4. Check the working status of the host at the receiving side.

TCP Invalid Checksum

Description: The TCP checksum that the destination host calculates for a received packet is not identical to the value of the TCP checksum field in that packet.

Severity: Fault

Possible causes:

  1. The packet is damaged during transmission.
  2. If the TCP checksum is wrong for all packets, checksum calculation may be disabled.
  3. The source stack does not calculate the TCP checksum.

Solutions:

  1. Check for electromagnetic interference devices on the transmission line or for a faulty transmission device.
  2. Check if it is necessary to enable checksum calculation.
  3. Disable TCP Checksum Offload.

TCP Slow Response

Description: The response time for the ACK packet is higher than the threshold.

Severity: Performance

Possible causes:

  1. Network congestion.
  2. The connection between the sending host and the receiving host is slow.
  3. The ACK packet is lost or damaged during transmission.
  4. A router between the sending host and the receiving host is overloaded.

Solutions:

  1. Check the application services running on the network.
  2. Update the route configurations.
  3. Check if the ACK packet is lost or damaged.
  4. Upgrade the router.

TCP Duplicated Acknowledgement

Description: At least three packets have identical ACK and SEQ numbers.

Severity: Performance

Possible causes:

  1. A TCP segment is lost due to network congestion.
  2. Packets are lost due to other network problems.
  3. The other side of the TCP connection is unresponsive.

Solutions:

  1. Check if there is network congestion.
  2. Check if packets are lost due to other network problems.
  3. Check if the hosts of the TCP connection are working normally.

TCP SYN Storm

Description: A large number of TCP SYN packets are being sent at a rate higher than the threshold.

Severity: Security

Possible causes: There is a DoS or DDoS attack.

Solutions: Check if there is a DoS or DDoS attack.

TCP Header Offset Error

Description: The TCP header offset is less than 5.

Severity: Security

Possible causes: The source host is sending faulty TCP packets.

Solutions:

  1. Check if there is an attack on the source host.
  2. Check if the processes are running normally.

TCP Port Scan

Description: The number of TCP ports scanned by a local or remote host is higher than the threshold.

Severity: Security

Possible causes:

  1. A local host has a worm infection that automatically scans TCP ports.
  2. Scanning software is scanning TCP ports.

Solutions:

  1. Check if the host is infected with a worm.
  2. Check if there is manual scanning on the source host.
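
The two per-packet checks behind the TCP Invalid Checksum and TCP Header Offset Error entries above, as an added example (not the product's own code). It assumes IPv4; the function names, the sample addresses and the sample segments are constructed for illustration.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with one zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def diagnose(src: str, dst: str, segment: bytes) -> list:
    """Return the event names from the table that one IPv4 TCP segment raises."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    events = []
    if segment[12] >> 4 < 5:                 # data offset, counted in 32-bit words
        events.append("TCP Header Offset Error")
    # A valid segment sums to 0xFFFF when its own checksum field is included.
    if ones_sum(pseudo_header(src, dst, len(segment)) + segment) != 0xFFFF:
        events.append("TCP Invalid Checksum")
    return events

def build_segment(src, dst, sport, dport, flags, payload=b"", offset=5) -> bytes:
    """Construct a sample segment with a correct checksum (test data only)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, offset << 4, flags, 65535, 0, 0)
    csum = 0xFFFF - ones_sum(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

if __name__ == "__main__":
    src, dst = "192.0.2.10", "192.0.2.20"    # constructed documentation addresses
    good = build_segment(src, dst, 40000, 443, 0x18, b"hello")
    samples = {                              # all constructed
        "intact": good,
        "damaged in transit": good[:-1] + bytes([good[-1] ^ 0x01]),
        "checksum left to NIC": good[:16] + b"\x00\x00" + good[18:],
        "offset of 3": build_segment(src, dst, 40000, 443, 0x02, offset=3),
    }
    for name, seg in samples.items():
        print(f"{name:22} {diagnose(src, dst, seg) or 'no event'}")
```

A capture taken on the sending host with checksum offload enabled looks like the third sample for every outgoing packet, because the network adapter fills in the field after the capture point.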