29

Host_A tries to send some data to Host_B over TCP. Host_B is listening on port 8181. Both Host_A & Host_B are Linux boxes (Red Hat Enterprise). The TCP layer is implemented using Java NIO API.

Whatever Host_A sends, Host_B is unable to receive. Sniffing the data on the wire using Wireshark resulted in the following log:

1) Host_A (33253) > Host_B (8181): [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=513413781 TSER=0 WS=7
2) Host_B (8181) > Host_A (33253): [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

The logs show that Host_A sends a [SYN] flag to Host_B in order to establish a connection. But instead of [SYN, ACK] Host_B responds with an [RST, ACK] which resets/closes the connection. This behavior is observed always.

I am wondering under what circumstance does a TCP listener send [RST,ACK] in response to a [SYN]?

Riyaz

2 Answers

48

RST, ACK means the port is closed. You sure Host_B is listening on the right IP/interface?

Also check your firewall for a -j REJECT --reject-with tcp-reset

Erik
  • 6
    Thank you Erik. Actually the port is not closed. But found that the port 8181 is bound to 127.0.0.1 on Host_B rather than the actual IP. Looks like a misconfiguration of /etc/hosts. Does Java's InetAddress.getByName() prefer the hosts file over DNS? – Riyaz Mar 15 '11 at 06:34
  • 2
    If the port is not bound to the IP you care about, then it is closed. Open ports are represented by the tuple (dst_ip,port), and you're trying to connect to one that isn't bound. Also, the various implementations of address resolution should behave in the order as specified in `/etc/nsswitch.conf`. – Nick Bastin Oct 11 '13 at 20:51
  • I'm having the same problem. I am using the seagull tool. I gave the correct IP in the configuration, but it is always binding on 127.0.0.1. What should I do? – Subbu Jan 29 '15 at 07:32
  • 1
    RST means the port is *open* and nobody is listening. *No response* means the port is closed. Sending a response for a closed port would be an information leak to an attacker. – user207421 Apr 28 '16 at 21:38
  • 3
    @EJP In socket programming terms, `open` means that something is accepting packets on a port, whereas `closed` means packets are either being rejected (aka `RST`) or ignored completely, usually due to a firewall. In firewall or system administrator terms, your definition can be used. Considering this was asked on stackoverflow, and not on a sysadmin stackexchange, my answer uses programming terms. – Erik Apr 29 '16 at 07:34
  • @Erik Socket programming is about sockets, not ports. An open port is a firewall term. An open *socket* may mean an unconnected socket, or a listening socket, or a connected socket, or a socket which has encountered a fatal error that hasn't been closed yet by the application. It does *not* just refer to an open listening *port.* And in socket programming terms a closed port ceased to exist, not just be 'closed'. Your answer is couched in firewall terms, not socket programming terms. – user207421 Aug 02 '17 at 07:18
  • I found another scenario, albeit less common, where this happens. When you use SO_BINDTODEVICE socket option and bind to an interface, which no longer exists, or is recreated after bind is complete, you will end with the same behavior. What is worse is that it is harder to debug since netstat and other debug tools will show that the server is listening on the port bound to the right interface but keeps rejecting packets from the client. – Sriharsha Madala Apr 10 '19 at 21:52
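
The cause found in the comments above (port 8181 bound to 127.0.0.1 rather than the host's real IP) can be checked from the kernel's listener table. This is an added example, not part of the original question or answers: it parses a constructed `/proc/net/tcp` sample and predicts the reply to a SYN. The function names `listeners` and `syn_verdict`, the sample rows and the address 10.0.0.10 are assumptions for illustration; it reads only the IPv4 table, assumes a little-endian host, and ignores firewall rules.

```python
import socket
import struct

TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1FF5 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 20001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:0016 0500000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 20003 1 0000000000000000 20 4 30 10 -1
"""


def listeners(proc_net_tcp):
    """Return [(ip, port)] for every IPv4 socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order
        # (little-endian assumed, as on x86).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(hex_port, 16)))
    return found


def syn_verdict(proc_net_tcp, dst_ip, port):
    """Predict the kernel's reply to a SYN for dst_ip:port (firewall ignored)."""
    bound = [ip for ip, p in listeners(proc_net_tcp) if p == port]
    # A listener matches only its own bind address, or any address if wildcard.
    if dst_ip in bound or "0.0.0.0" in bound:
        return "SYN,ACK"
    if bound:
        return "RST,ACK (listener bound only to %s)" % ", ".join(sorted(bound))
    return "RST,ACK (no listener on port)"


if __name__ == "__main__":
    for dst in ("127.0.0.1", "10.0.0.10"):
        print(dst, 8181, "->", syn_verdict(SAMPLE, dst, 8181))
```

On a live host, pass the contents of `/proc/net/tcp` instead of `SAMPLE`. A listener opened on an IPv6 socket is listed in `/proc/net/tcp6`, which this example does not read.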
0

It happened to me because I did not set sockaddr_in.sin_family to AF_INET in the server C++ program.

zbz.lvlv