FortiGate
mpandya
Staff
Article Id 269330
Description: This article describes how to analyze TCP RST (Reset) packets in Wireshark.
Scope: FortiGate.
Solution

Scenario:

RDP access is not possible for the whole network.

Diagram:


dia.png

Solution:

Always take a packet capture of the TCP connection and review it in Wireshark.

Start by selecting the RST packet in the packet capture and right-clicking it. Choose 'Conversation Filter' and then select 'TCP'. This filters the capture down to the selected conversation, which makes troubleshooting easier.

In the filtered capture, it is possible to observe that the client sends a SYN packet to start the TCP handshake but receives an RST packet in reply, apparently from the server.

To further investigate the source of the RST packet, focus on the IP header. Expand the IP header in Wireshark to view the TTL (Time To Live) value.

Typically, TTL values are 255, 168, and 64, among others. These are the initial values set by the sender; each router the packet crosses decrements the TTL by one, and the packet is discarded when it reaches zero. In this case, the RST arrives with a TTL of 64, an undecremented initial value, which indicates that the packet was not routed through any hop.


Screenshot 2023-08-18 135831.png


RST_FW.png


Next, analyze the layer-2 (Ethernet) header and identify the source MAC address. The source MAC matches the MAC of the FortiGate interface facing the client, which shows that the firewall itself sent the RST packet.

eth_rst_fw.png


fw_interface.png
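The three checks above (conversation filter, TTL, source MAC) as a small script, added here as an example and not part of the article or of any Fortinet tool. It decodes raw Ethernet/IPv4/TCP frames, filters to the RDP conversation, infers the hop count from the TTL and compares the RST's source MAC with the firewall interface's MAC; the client, server, MAC addresses and the sample capture are all constructed for the example, and the 64/128/255 initial-TTL set is the usual OS default assumption.

```python
import struct

# Constructed sample values, not from the article: the client, the RDP server
# and the MAC of the FortiGate interface facing the client.
CLIENT_IP, SERVER_IP, RDP_PORT = "10.0.1.20", "10.0.2.50", 3389
FW_MAC, CLIENT_MAC = "00:09:0f:aa:bb:cc", "3c:52:82:11:22:33"
INITIAL_TTLS = (64, 128, 255)           # common default initial TTL values
SYN, RST = 0x02, 0x04                   # TCP flag bits

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, sport, dport, flags):
    """Ethernet II + minimal IPv4 + TCP header (checksums left at zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, ttl, sport, dport, flags) or None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IP header length in bytes
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return (frame[6:12].hex(":"), ".".join(map(str, frame[26:30])),
            ".".join(map(str, frame[30:34])), frame[22], sport, dport, frame[14 + ihl + 13])

def hops_from_ttl(ttl):
    """Hops travelled, assuming the sender started at the nearest default TTL."""
    return min(t for t in INITIAL_TTLS if t >= ttl) - ttl

def triage_rsts(frames, client_ip, server_ip, server_port, fw_mac):
    """Apply the article's conversation filter, then judge each RST's origin."""
    findings = []
    for pkt in filter(None, map(parse_frame, frames)):
        src_mac, src_ip, dst_ip, ttl, sport, dport, flags = pkt
        in_conv = {src_ip, dst_ip} == {client_ip, server_ip} and server_port in (sport, dport)
        if not in_conv or not flags & RST:
            continue
        hops = hops_from_ttl(ttl)
        verdict = ("firewall-generated" if hops == 0 and src_mac == fw_mac
                   else "forwarded from remote host" if hops > 0 else "unrouted, unknown L2 source")
        findings.append({"src_ip": src_ip, "ttl": ttl, "hops": hops, "src_mac": src_mac, "verdict": verdict})
    return findings

# Constructed capture taken on the client: SYN out, then the RST the article describes
# (IP source claims to be the server, TTL 64 untouched, source MAC of the FortiGate).
CAPTURE = [
    build_frame(CLIENT_MAC, FW_MAC, CLIENT_IP, SERVER_IP, 128, 50000, RDP_PORT, SYN),
    build_frame(FW_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 64, RDP_PORT, 50000, RST),
]
```

A RST genuinely forwarded from the server also arrives from the gateway's MAC, so the MAC alone does not prove the firewall generated it; the undecremented TTL is what separates the two cases.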


Disabling the specific firewall rule resolved the issue, and subsequent RDP (Remote Desktop Protocol) access was established without any problems.

FW_rule.png


This analysis shows the process followed to identify the source of the RST packet and to resolve the issue.

Comments
sashish
Staff

Nice article Mehul. 
