Here are my notes from One Note after looking at your captures and diagrams; unfortunately the color coding I used won't carry over. I used the first pic as a reference. Please confirm the MAC addresses/IPs, traffic flow, and portions where I have a quetion mark so that I have a better understanding:
Code:
VMs (Exchange Server?)
IP: 172.16.10.7
MAC: 00:50:56:9c:5e:e7
GW: 172.16.10.2 (MAC: 9c:af:ca:64:2c:42?)
Workstation?
IP: 172.16.36.9
MAC: 00:1e:0b:3c:ab:ad?
GW: 172.16.36.5 (MAC: e8:b7:48:c9:3e:91?)
Traffic path from workstation? to VMs(Exchange Server?):
VLAN36, Workstation -> 172.16.36.5 -> VLAN918, 172.22.22.5 -> 172.22.22.4 -> VLAN 10, 172.16.10.2
Client pcap:
1. [FRAME 1]Traffic initiated from workstation? to VMs(Exchange Server?)
a. L2 Header: Ethernet II, Src: Hewlett-_3c:ab:ad (00:1e:0b:3c:ab:ad), Dst: Cisco_c9:3e:91 (e8:b7:48:c9:3e:91 - Workstation Default Gateway?)
2. Response from VMs(Exchange Server?)
a. L2 Header: Ethernet II, Src: Cisco_c9:3e:91 (e8:b7:48:c9:3e:91), Dst: Hewlett-_3c:ab:ad (00:1e:0b:3c:ab:ad)
<At frame 88 (First retransmit)>
MAC info is the same; seems correct
Retransmits appear to be sent when there is no response in ~299ms or greater
Server pcap:
1. [FRAME 1]Traffic initiated from workstation? to VMs(Exchange Server?)
a. L2 header: Ethernet II, Src: Cisco_1d:4c:11 (00:1c:f6:1d:4c:11), Dst: Vmware_9c:5e:e7 (00:50:56:9c:5e:e7)
2. Response sent to Workstation?
a. Ethernet II, Src: Vmware_9c:5e:e7 (00:50:56:9c:5e:e7), Dst: Cisco_64:2c:42 (9c:af:ca:64:2c:42 - VMs(Exchange Server?) Default Gateway?)
<At frame 72 (First retransmit)>
1. Retransmit sent due to no response in 307ms to frame 71
a. L2 header: Ethernet II, Src: Vmware_9c:5e:e7 (00:50:56:9c:5e:e7), Dst: Cisco_64:2c:42 (9c:af:ca:64:2c:42)
2. At 309ms from frame 71, in frame 73, ACK is sent in response to frame 71
So if you haven't noticed already, I don't see alot except:
1. In your server pcap, it shows the server sending traffic off subnet via what I assume is its default GW with MAC 9c:af:ca:64:2c:42?
2. However, in the beginning of the capture, it is receiving traffic from the workstation with source MAC 00:1c:f6:1d:4c:11.
Something there doesn't click. I would expect to see your server's default GW MAC be the source when receiving traffic from off-subnet. Can you please tell me what these MAC addresses are?
9c:af:ca:64:2c:42
00:1c:f6:1d:4c:11
It appears that the app is sensitive to around ~300ms with no response.
Are you sure this is a network problem? Looking at the time stamps on the server/client pcaps, it would appear that the server receives everything the client sends and vice versa. There is a ~4 second delta between the two, but that's probably just difference in clocks. Either that, or it has nothing to do with the problem anyway because the 4 second delta is present when you don't have retransmits.
This makes me believe the client isn't sending the ACK the server is looking for, so it retransmits. It's not like I see anything additional sent from the client capture and it's retransmitting anyway. Unless I'm missing something.
Register
Search 
Login
) Damn it ! :p
