What causes a TCP/IP reset (RST) flag to be sent?

views:

22132

answers:

+10 Q:

What causes a TCP/IP reset (RST) flag to be sent?

I'm trying to figure out why my app's TCP/IP connection keeps hiccuping every 10 minutes (exactly, within 1-2 seconds). I ran Wireshark and discovered that after 10 minutes of inactivity the other end is sending a packet with the reset (RST) flag set. A google search tells me "the RESET flag signifies that the receiver has become confused and so wants to abort the connection" but that is a little short of the detail I need. What could be causing this? And is it possible that some router along the way is responsible for it or would this always come from the other endpoint?

Edit: There is a router (specifically a Linksys WRT-54G) sitting between my computer and the other endpoint -- is there anything I should look for in the router settings?

+1 A:

Some firewalls do that if a connection is idle for x number of minutes. Some ISPs set their routers to do that for various reasons as well.

In this day and age, you'll need to gracefully handle (re-establish as needed) that condition.

Brian Knoblauch 2008-10-30 18:35:11

The connection is re-established just fine, the problem is that the brief period of disconnect causes an alert unnecessarily.

Luke 2008-10-30 18:41:58

I've had problems specifically with Cisco PIX/ASA equipment. They have especially short timeouts as defaults. The cheaper equipment is usually "better" in this regard (as in they don't timeout real fast)...

Brian Knoblauch 2008-10-30 18:54:46

+7 A:

A 'router' could be doing anything - particularly NAT, which might involve any amount of bug-ridden messing with traffic...

One reason a device will send a RST is in response to receiving a packet for a closed socket.

It's hard to give a firm but general answer, because every possible perversion has been visited on TCP since its inception, and all sorts of people might be inserting RSTs in an attempt to block traffic. (Some 'national firewalls' work like this, for example.)

Will Dean 2008-10-30 18:36:55

In short, the listener that's sending the RST packet does so because it wants to keep the connection open (not abort it), but have your end resend the last packet of data. This can happen if, for example, it receives an ACKnowledgement with the wrong sequence number.

You're correct that it isn't necessarily the endpoint - it could be a firewall or the like. If you suspect that this may be the case, run two instances of Wireshark (or tcpdump, or whatever) - one at each end - and compare them; if you see a RST in one that isn't in the other, then you'll need to dig into the intermediate points.

Alex 2008-10-30 18:40:59

What? Eh... NO! RST tears down a connection immediately. Nobody who sends RST wants to keep the connection open because the only thing that RST does is tear down a connection. It's what RST does and it's the only thing it does. (sequence number must be within window, but that's it). How did this answer become the accepted one?

Thomas 2010-07-02 20:55:28

Unfortunately, the first part of this answer ("the listener that's sending the RST packet does so because it wants to keep the connection open (not abort it)") is entirely incorrect. See, for example, http://www.faqs.org/docs/iptables/tcpconnections.html: "If the connection is reset by a RST packet, the state is changed to CLOSE. This means that the connection per default have 10 seconds before the whole connection is definitely closed down. RST packets are not acknowledged in any sense, and will break the connection directly."

mdb 2010-07-11 14:58:28

@Thomas Are you sure you are not thinking about the FIN flag, used for "finalizing" a connection? From what I understand the RST flag is basically only used for telling a client that the server does not want to accept a connection attempt i.e. as a response to a SYN flag.

bjarkef 2010-07-11 15:01:37

-1 RST packets *always* immediately tear down the connection, usually to indicate some sort of failure condition. Typically this means the side sending the RST got into some unexpected state in the TCP protocol, but it could also mean the socket was closed without all the received data being read from it -- the RST signals to the sender that data loss occurred. (See RFC 1122 section 4.2.2.13)

Paul Kuliniewicz 2010-07-11 15:22:59

@bjarkef: I'm sure. RFC793 and what Paul said.

Thomas 2010-07-12 17:11:00

+3 A:

Run a packet sniffer (e.g., Wireshark) also on the peer to see whether it's the peer who's sending the RST or someone in the middle.

Alexander 2008-10-30 20:01:01

+2 A:

If there is a router doing nat, especially a low end router with few resources it will age the oldest tcp sessions first. To do this it sets the rst flag in the packet that effectively tell the receiving station to very ungracefully close to connection. this is done to reserver sesources.

2009-07-23 14:21:48

+1 A:

RST is sent by the side doing the active close because it is the side which sends the last ACK. So if it receives FIN from the side doing the passive close in a wrong state, it sends a RST packet which indicates other side that an error has occured.

Vishal gupta 2010-07-11 14:52:28

Did you ever get this figured out? I can't comment because I don't have enough points, but I have the same exact problem you were having and I am looking for a fix.

Austin3D 2010-09-10 05:36:11

ansaurus

tags:

views:

answers:

What causes a TCP/IP reset (RST) flag to be sent?

related questions