Forum Discussion

newf5learner_13's avatar
Icon for Nimbostratus rankNimbostratus
Nov 20, 2015

connection resets happening to web services servers when clients uses load balanced url. Need help to capture traffic.


I'm seeing complaints saying that there are intermittent resets happening when the client uses load balanced url. Out of 60 web request sent from clients in 30 minutes, 8 to 9 requests were getting dropped intermittently. And I'm asked to identify the issue with resets and root cause.

Here is the configuration of the VIP. can someone suggest me the best way to capture the traffic when the resets happen. Bear in mind, I cannot run tcpdump for all the 30 minutes as it could generate a huge log file or pcap file. Please suggest me the appropriate procedure or tcpdump commands that I can use to capture the traffic when resets happen and I can give them the reason behind the that resets - can use ringdump process (I don't know how to do it though). Please suggest. thanks.

ltm virtual vs_gpdef_app_amvescap_ha {
    ip-protocol tcp
    persist {
        simple-18000 {
            default yes
    pool pool_GPDEF_app_amvescap_ha
    profiles {
        tcp-gccp { }
    source-address-translation {
        type automap
    vs-index 66

ltm pool pool_GPDEF_app_amvescap_ha {
    members { {
            session monitor-enabled
            state up
        } {
            session monitor-enabled
            state up
    monitor http

ltm profile tcp tcp-gccp {
    abc enabled
    ack-on-push disabled
    app-service none
    close-wait-timeout 5
    cmetrics-cache enabled
    congestion-control high-speed
    defaults-from tcp
    deferred-accept disabled
    delayed-acks enabled
    dsack disabled
    ecn disabled
    fin-wait-timeout 5
    idle-timeout 2000
    ip-tos-to-client 0
    keep-alive-interval 1800
    limited-transmit enabled
    link-qos-to-client 0
    max-retrans 8
    md5-signature disabled
    md5-signature-passphrase none
    nagle enabled
    pkt-loss-ignore-burst 0
    pkt-loss-ignore-rate 0
    proxy-buffer-high 16384
    proxy-buffer-low 4096
    proxy-mss disabled
    proxy-options disabled
    receive-window-size 32768
    reset-on-timeout enabled
    selective-acks enabled
    send-buffer-size 32768
    slow-start enabled
    syn-max-retrans 3
    time-wait-recycle enabled
    time-wait-timeout 2000
    timestamps enabled
    verified-accept disabled
    zero-window-timeout 20000

2 Replies

  • nathe's avatar
    Icon for Cirrocumulus rankCirrocumulus

    You can get the BIG-IP to log why it's sent RSTs and that might help. See SOL13223: Configuring the BIG-IP system to log TCP RST packets

    As another option this tcpdump command will only look for RST packets - this should show where the rst is coming from.

    To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the following command:
    tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

    Hope this helps,


  • thanks. other than the command to capture the resets (the above command is not working - I tired multiple times on a busy LTM), can you please suggest how to capture traffic using some compound statements using source, destination servers and on port 80.

    I have even tried this

    tcpdump '( tcp[tcpflags] & (tcp-rst) != 0) and host'     but I'm seeing no traffic even though I reset the connection from browser. 
    tcpdump -ni 0.0 src host and '(dst host or dst host' 
 is the Internal self IP address which is interacting with servers. however its capturing the health monitor traffic also. Please suggest me how to filter out only my active client connection related traffic but not the health monitor one.

    Please suggest. thanks.