FAQ-Service Was Interrupted Due to TCP Checksum Error

Publication Date: 2015-07-02
Issue Description
As shown in Figure 4-1, the client could ping the server and telnet to port 7001 on the server. According to the system software vendor, the client application should be able to access the server whenever telnet to port 7001 succeeds. However, the client application could not start: it stopped at the user name dialog box and the password dialog box was never displayed. After the USG was replaced by a D-Link router, the client was able to access the server.

Figure 4-1 Networking diagram
The client accesses the Internet and the server through the NAT function on the USG.
Handling Process
1. Packets captured on the client were analyzed. The TCP checksum of the packets returned by the server was incorrect, so the client discarded them and the service was interrupted. With the D-Link router in place of the USG, the TCP checksum of the packets returned by the server was correct.

2. The checksum could have been wrong either when the firewall received the packets or after the firewall performed NAT on them. Packets on both the inside and outside interfaces of the firewall were captured. The TCP checksum was already incorrect on the outside interface, that is, when the firewall received the packets from the server and before it translated them.

3. Comparing the packets on the inside and outside interfaces of the USG and of the D-Link router showed that the D-Link router did not change the source port during NAT, whereas the USG translated the four-digit source port to a five-digit one. The port change during NAT was therefore suspected as the cause of the checksum error.

4. After a NAT server mapping was configured for the client, services were normal and the checksum of the packets from the server was correct.

5. A test was performed to check whether port translation itself caused the checksum error. The error occurred only when the post-NAT source port number exceeded 61170; packets whose translated source port was lower were returned with a correct checksum. Therefore the checksum error was not caused by port translation as such, but by the particular range of translated ports.

6. After the post-NAT port range was restricted using the nat port range 12288 61100 command, the fault was resolved.
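As an added example, not part of the original case record, the following Python script reproduces the two checks made in the steps above: it verifies the IP and TCP checksums of an IPv4/TCP packet the way a capture tool does (including the TCP pseudo-header, which is the part most often forgotten), and it rewrites the source address and port the way a correct NAT does, using the RFC 1624 incremental update, to show that a translated source port above 61170 does not by itself produce a checksum error. It also models a translator that rewrites the port but leaves the TCP checksum stale, which is one way a packet can arrive with a bad checksum as in step 2. The packet bytes, addresses, ports and function names are constructed for this example and do not come from the case.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its
    checksum field (bytes 16-17) zeroed. Because the pseudo-header covers the
    addresses, a NAT that changes the source address or port must fix the TCP
    checksum as well as the IP header checksum."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/TCP packet (20-byte headers, PSH+ACK) with valid
    checksums. Constructed sample input, not a captured packet."""
    s, d = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify_packet(pkt: bytes) -> dict:
    """Parse an IPv4/TCP packet and compare the stored checksums with
    recomputed ones, the per-packet check a capture tool performs."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    ip_hdr, seg = pkt[:ihl], pkt[ihl:total_len]
    src_ip, dst_ip = pkt[12:16], pkt[16:20]
    sport, dport = struct.unpack("!HH", seg[:4])
    stored = struct.unpack("!H", seg[16:18])[0]
    expected = tcp_checksum(src_ip, dst_ip, seg)
    return {
        "src": socket.inet_ntoa(src_ip), "sport": sport, "dport": dport,
        # An intact header summed together with its own checksum gives 0xFFFF.
        "ip_ok": ones_complement_sum(ip_hdr) == 0xFFFF,
        "tcp_stored": stored, "tcp_expected": expected, "tcp_ok": stored == expected,
    }


def incremental_update(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), in one's-complement arithmetic."""
    acc = (~old_csum) & 0xFFFF
    acc += sum((~m) & 0xFFFF for m in old_words) + sum(new_words)
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def nat_source(pkt: bytes, new_src_ip: str, new_sport: int, fix_tcp: bool = True) -> bytes:
    """Rewrite the source address and port as a NAT does. The IP checksum is
    updated for the address words; the TCP checksum for the address words (via
    the pseudo-header) plus the port word. fix_tcp=False models a broken
    translator that changes the port but leaves the TCP checksum stale."""
    ihl = (pkt[0] & 0x0F) * 4
    old_ip, new_ip = pkt[12:16], socket.inet_aton(new_src_ip)
    old_words, new_words = list(struct.unpack("!HH", old_ip)), list(struct.unpack("!HH", new_ip))
    old_sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    ip_csum = incremental_update(struct.unpack("!H", pkt[10:12])[0], old_words, new_words)
    tcp_csum = struct.unpack("!H", pkt[ihl + 16:ihl + 18])[0]
    if fix_tcp:
        tcp_csum = incremental_update(tcp_csum, old_words + [old_sport], new_words + [new_sport])
    ip_hdr = pkt[:10] + struct.pack("!H", ip_csum) + new_ip + pkt[16:ihl]
    seg = pkt[ihl:]
    seg = struct.pack("!H", new_sport) + seg[2:16] + struct.pack("!H", tcp_csum) + seg[18:]
    return ip_hdr + seg


if __name__ == "__main__":
    # Constructed sample: client 192.168.1.10:5123 -> server 10.0.0.5:7001,
    # translated to 203.0.113.7:61171, a post-NAT port above the 61170 threshold.
    original = build_packet("192.168.1.10", "10.0.0.5", 5123, 7001, b"login request")
    good_nat = nat_source(original, "203.0.113.7", 61171)
    bad_nat = nat_source(original, "203.0.113.7", 61171, fix_tcp=False)
    for label, p in (("original", original), ("correct NAT", good_nat), ("stale TCP csum", bad_nat)):
        r = verify_packet(p)
        print(f"{label:15} {r['src']}:{r['sport']} -> :{r['dport']}  ip_ok={r['ip_ok']} "
              f"tcp_ok={r['tcp_ok']} stored=0x{r['tcp_stored']:04x} expected=0x{r['tcp_expected']:04x}")
```

One caveat when applying this check to real captures: if the capture is taken on the sending host itself and its NIC performs checksum offload, the capture tool sees the segment before the hardware fills in the checksum and reports it as wrong even though the packet on the wire is fine. In this case the captures were taken on the client and on the firewall interfaces, so the bad checksums were genuine.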
Root Cause
Testing showed that when the post-NAT source port exceeded 61170, the packets returned by the server arrived on the USG with an incorrect TCP checksum. The checksum was already wrong on the USG outside interface, so it may have been calculated incorrectly on the server or on an intermediate NAT device in the path.
Suggestions
During fault isolation, verify the correctness of the fields in the IP and TCP/UDP headers, including the checksums, at each capture point; in this case ping and telnet succeeded while the application still failed.
