schplat
Feb 14, 2026 Aspirant
CAX 80 injecting malformed TCP RSTs
I have a CAX80 that appears to be actively interfering with and terminating encrypted TLS connections by injecting malformed TCP Reset (RST) packets. This occurs even with the following disabled:
- IPv4 Firewall
- DoS Protection
- SIP ALG
- Protection Engine
Is there somewhere else I'm missing?
A little context:
I've noticed this happen on occasion when using OpenVPN AS web interface, as I admin my company's VPN at times. But it was only an occasional nuisance. Now I'm working with an AI agent, and I have to constantly retry due to this, upwards of 20-30 times sometimes, which also causes the agent to lose track of what it was in the middle of doing, but eventually the retry will work. However, if I create an SSH tunnel, and launch the agent that way, it works flawlessly (presumably because the tunnel is masking some signature from the router that causes it to insert these packets, i.e., it's not watching traffic over tcp:22, but is doing so over tcp:443).
tcpdumps taken from my laptop connected to the CAX80 show the following signature:
- A TCP RST (Reset) packet is received.
- The RST packet contains 6 bytes of zero-filled payload (00 00 00 00 00 00).
- Standard TCP RST packets should have a 0-byte payload.
The TTL (Time To Live) of these RST packets is 102, while the remote server (daily-cloudcode-pa.googleapis.com) packets arrive with TTL ~118. This proves the packets are generated locally by the CAX80, not the remote server.
Some of the behaviors I've observed through the tcpdumps:
With Protection Engine enabled: Connection is reset immediately.
With everything disabled: Connection hangs for a few seconds, then is flooded with the exact same 6-byte RST packets (TTL 102).
So is this just a firmware/hardware bug at this point? Or is there something else I'm missing that needs to be disabled for it to stop injecting these RSTs?
The only other thing I can think of is to put the thing in bridge mode, then go buy a different wi-fi router.
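The signature described in the post above can be checked mechanically. This is an added example, not part of the original post or any NETGEAR tooling: it flags RST segments that carry a payload or whose TTL departs from the TTL of other segments from the same remote endpoint. The function names, the tolerance of 4 hops and the documentation-range IP addresses are assumptions; the sample packets are constructed from the values the post reports.

```python
import socket
import struct
from collections import defaultdict
from statistics import median

RST = 0x04

def parse_ipv4_tcp(pkt):
    """Return (src, sport, ttl, flags, payload) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] >> 4) * 4
    sport = struct.unpack("!H", tcp[:2])[0]
    return socket.inet_ntoa(pkt[12:16]), sport, pkt[8], tcp[13], tcp[data_off:]

def find_suspect_rsts(packets, ttl_tolerance=4):
    """Flag RSTs that carry a payload or whose TTL departs from the sender's baseline."""
    parsed = [p for p in map(parse_ipv4_tcp, packets) if p]
    baseline = defaultdict(list)          # (src, sport) -> TTLs of non-RST segments
    for src, sport, ttl, flags, _ in parsed:
        if not flags & RST:
            baseline[(src, sport)].append(ttl)
    findings = []
    for src, sport, ttl, flags, payload in parsed:
        if not flags & RST:
            continue
        seen = baseline.get((src, sport))
        ttl_off = bool(seen) and abs(ttl - median(seen)) > ttl_tolerance
        if payload or ttl_off:
            findings.append({"src": src, "ttl": ttl, "payload": payload.hex(),
                             "baseline_ttl": median(seen) if seen else None})
    return findings

def build(src, ttl, flags, payload=b""):
    """Constructed sample: IPv4/TCP from src:443, zeroed checksums (parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 0, 0, 5 << 4, flags, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton("192.168.1.20"))
    return ip + tcp

# Constructed capture using the values reported in the post (TTL 118 vs 102, six zero bytes).
SAMPLE = [build("203.0.113.10", 118, 0x10), build("203.0.113.10", 118, 0x18, b"\x17\x03\x03"),
          build("203.0.113.10", 102, RST, bytes(6)),
          build("198.51.100.7", 57, 0x10), build("198.51.100.7", 57, RST)]
```

The functions expect raw IPv4 packets, so link-layer headers from a real capture have to be stripped before the bytes are passed in. A RST with no payload and a TTL matching its flow's baseline, like the second flow in the sample, is not reported.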
5 Replies
- schplat Aspirant
What FW version is loaded on the CAX80?
v5.1.1.8
Is your laptop wireless or ethernet connected?
Wireless
Brand and model# of the wireless or ethernet adapter on the laptop?
    $ sudo lspci -v -s 00:14.3
    00:14.3 Network controller: Intel Corporation Alder Lake-P PCH CNVi WiFi (rev 01)
        Subsystem: Intel Corporation Dual Band Wi-Fi 6E(802.11ax) AX211 160MHz 2x2 [Garfield Peak]
        Flags: bus master, fast devsel, latency 0, IRQ 16, IOMMU group 13
        Memory at 618d1d4000 (64-bit, non-prefetchable) [size=16K]
        Capabilities: [c8] Power Management version 3
        Capabilities: [d0] MSI: Enable- Count=1/1 Maskable- 64bit+
        Capabilities: [40] Express Root Complex Integrated Endpoint, IntMsgNum 0
        Capabilities: [80] MSI-X: Enable+ Count=16 Masked-
        Capabilities: [100] Latency Tolerance Reporting
        Capabilities: [164] Vendor Specific Information: ID=0010 Rev=0 Len=014 <?>
        Kernel driver in use: iwlwifi
        Kernel modules: iwlwifi
Drivers for adapters up to date?
    $ sudo dmesg | grep iwl | grep -m 1 firmware
    [ 5.046536] iwlwifi 0000:00:14.3: loaded firmware version 89.df9556fc.0 so-a0-gf-a0-89.ucode op_mode iwlmvm
    $ modinfo iwlwifi | grep ^filename
    filename: /lib/modules/6.18.7-arch1-1/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko.zst
Which ISP are you connected too [sic]?
Xfinity
Happens with a different PC or laptop?
Hard to reproduce, the things that I can use to reproduce are tied to my work, and my laptop is the only thing that can interface with work resources at that level. I can connect to my phone hotspot, disconnect the phone from WiFi, and the problem goes away.
Wireless configuration on the CAX80?
Forums not letting me post a screenshot. AX enabled, Smart Connect disabled, 2.4GHz Enabled, WPA2-PSK [AES], 5 GHz enabled, different SSID than 2.4, same security settings.
- FURRYe38 Guru - Experienced User
What FW version is loaded on the CAX80?
Is your laptop wireless or ethernet connected?
Brand and model# of the wireless or ethernet adapter on the laptop?
Drivers for adapters up to date?
Which ISP are you connected too?
Happens with a different PC or laptop?
Wireless configuration on the CAX80?
- schplat Aspirant
Oops, meant to reply to you, my reply is below. And seeing if the code blocks clean up:
    $ sudo dmesg | grep iwl | grep -m 1 firmware
    [ 5.046536] iwlwifi 0000:00:14.3: loaded firmware version 89.df9556fc.0 so-a0-gf-a0-89.ucode op_mode iwlmvm
    $ modinfo iwlwifi | grep ^filename
    filename: /lib/modules/6.18.7-arch1-1/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko.zst
and
    $ sudo lspci -v -s 00:14.3
    00:14.3 Network controller: Intel Corporation Alder Lake-P PCH CNVi WiFi (rev 01)
        Subsystem: Intel Corporation Dual Band Wi-Fi 6E(802.11ax) AX211 160MHz 2x2 [Garfield Peak]
        Flags: bus master, fast devsel, latency 0, IRQ 16, IOMMU group 13
        Memory at 618d1d4000 (64-bit, non-prefetchable) [size=16K]
        Capabilities: [c8] Power Management version 3
        Capabilities: [d0] MSI: Enable- Count=1/1 Maskable- 64bit+
        Capabilities: [40] Express Root Complex Integrated Endpoint, IntMsgNum 0
        Capabilities: [80] MSI-X: Enable+ Count=16 Masked-
        Capabilities: [100] Latency Tolerance Reporting
        Capabilities: [164] Vendor Specific Information: ID=0010 Rev=0 Len=014 <?>
        Kernel driver in use: iwlwifi
        Kernel modules: iwlwifi
- FURRYe38 Guru - Experienced User
What FW version is loaded on the CAX80?
Drivers for adapters up to date? There a driver version?
Which ISP are you connected too?
Happens with a different PC or laptop?
Wireless configuration on the CAX80?