TCP RSTs being sent for unknown reasons
I have a server that keeps reporting RSTs being sent out,
as if someone is hitting ports that aren't open. The problem
is, every port that isn't open is firewalled off, so I theoretically
shouldn't be sending these.
I know about them from Virtual Adrian, which keeps telling me:
Adrian detected TCP/IP problem (amber): Mon Apr 2 18:09:32 2007
Incoming connection refused: invalid port, RST sent
tcpIn tcpOut InConn/s OutConn/s %Retran ListenDrop/s Reset/s Attempt/s
710931 940257 4.46 17.14 0.08 0.00 0.53 0.00
Obviously the numbers change....
netstat -s also shows Rst's being sent out, at a rate of around
a dozen or two per minute.
The machine is a reasonably busy web server, is there a chance
that it's not keeping up with web connections and sending some
clients RSTs? I'm not hitting my max processes of Apache though,
so that doesn't sound very likely. But when I did try snoop to
look for RSTs, they do seem to be web related. I can
see things like:
mymachine -> X.X.X.X TCP D=33069 S=443 Rst Seq=3136718028 Len=0 Win=48351
Are there any "normal" reasons that a web server would send a client
a RST? Even without maxing out Apache processes?
Thanks,
--
Scott Wilson Lead System Administrator
swilson@uchicago.edu NSIT - DCS - SeaSol
swilson
4/2/2007 11:21:37 PM
On Apr 3, 12:21 am, swil...@tiki.uchicago.edu (Scott Wilson) wrote:
>
> The machine is a reasonably busy web server, is there a chance
> that it's not keeping up with web connections and sending some
> clients RSTs? I'm not hitting my max processes of Apache though,
> so that doesn't sound very likely. But when I did try snoop to
> look for RSTs, they do seem to be web related. I can
> see things like:
>
> mymachine -> X.X.X.X TCP D=33069 S=443 Rst Seq=3136718028 Len=0 Win=48351
>
> Are there any "normal" reasons that a web server would send a client
> a RST? Even without maxing out Apache processes?
There can be lots of reasons for this, for instance if one end has
dropped the connection (here your end) but the other end does not know
this (yet) for whatever reason.
A good approach is to run snoop to a file on the port of interest for
a bit, then look for an RST and trace back from that to see what
happened, using ethereal (or just snoop, but ethereal makes this kind
of thing easy).
Tim
4/3/2007 3:42:58 PM
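
As an added illustration of the trace-back approach in the reply above (not code from either poster): this Python example reads snoop summary lines, groups them by connection, and labels each RST by what preceded it on that connection. The sample capture is constructed in the style of the line quoted in the thread, and the reason labels are this example's own heuristics.

```python
import re
from collections import defaultdict

# Constructed capture in the style of the snoop line quoted in the thread;
# hosts, ports and sequence numbers are made up.
SAMPLE = """\
client1 -> mymachine TCP D=443 S=33069 Syn Seq=100 Len=0 Win=65535
mymachine -> client1 TCP D=33069 S=443 Syn Ack=101 Seq=500 Len=0 Win=48351
client1 -> mymachine TCP D=443 S=33069 Ack=501 Seq=101 Len=0 Win=65535
mymachine -> client1 TCP D=33069 S=443 Fin Ack=101 Seq=501 Len=0 Win=48351
client1 -> mymachine TCP D=443 S=33069 Push Ack=501 Seq=101 Len=210 Win=65535
mymachine -> client1 TCP D=33069 S=443 Rst Seq=502 Len=0 Win=48351
client2 -> mymachine TCP D=8081 S=40000 Syn Seq=900 Len=0 Win=65535
mymachine -> client2 TCP D=40000 S=8081 Rst Ack=901 Seq=0 Len=0 Win=0
mymachine -> client3 TCP D=51000 S=443 Rst Seq=777 Len=0 Win=48351
"""

LINE = re.compile(r"^\s*(\S+)\s+->\s+(\S+)\s+TCP D=(\d+) S=(\d+) (.*)$")

def parse(line):
    """Return (src, sport, dst, dport, flags), or None for non-TCP lines."""
    m = LINE.match(line)
    if not m:
        return None
    src, dst, dport, sport, rest = m.groups()
    # Bare words are flags; snoop shows ACK as "Ack=<number>".
    flags = {t.split("=")[0] for t in rest.split() if "=" not in t or t.startswith("Ack=")}
    return src, int(sport), dst, int(dport), flags

def trace_resets(text):
    """Label each RST by what preceded it on its connection (heuristic labels)."""
    history, out = defaultdict(list), []
    for line in text.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        prior = history[frozenset([(src, sport), (dst, dport)])]
        if "Rst" in flags:
            if not prior:
                reason = "no-history"  # connection predates the capture
            elif any(p[0] == src and "Fin" in p[4] for p in prior):
                reason = "after-sender-closed"  # peer kept sending after our FIN
            elif all(p[0] != src and p[4] == {"Syn"} for p in prior):
                reason = "syn-refused"  # RST answers a bare SYN
            else:
                reason = "other"
            out.append((f"{src}:{sport}", f"{dst}:{dport}", reason, list(prior)))
        prior.append(pkt)
    return out
```

Each result carries the earlier packets seen on that connection, so the lines leading up to a given RST can be printed and read in order.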