We have a client that connects over the NHS internal network to a server hosted at our site. We have lots of clients like this, but these are slightly different because they NAT all their machines to one IP before it gets to us.
Recently they complained about connection problems and after lots of investigation we managed to get a packet capture of the problem (IPs changed of course):
1 0.00 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
2 0.00 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [SYN, ACK]
3 0.01 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
4 0.08 192.168.0.1 -> 10.0.0.254 HTTP POST
5 0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
6 0.23 192.168.0.1 -> 10.0.0.254 HTTP Continuation
7 0.24 10.0.0.254 -> 192.168.0.1 HTTP HTTP/1.1 200 OK 1365
8 0.24 10.0.0.254 -> 192.168.0.1 HTTP Continuation
9 0.24 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [FIN, ACK]
10 0.29 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
11 0.31 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [FIN, ACK]
12 0.31 10.0.0.254 -> 192.168.0.1 TCP 80 > 2268 [ACK]
13 0.34 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [ACK]
14 68.26 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
15 71.18 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
16 77.13 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [SYN]
17 98.25 192.168.0.1 -> 10.0.0.254 TCP 2268 > 80 [RST, CWR]
(more…)