Need help deciphering this tcpdump / resets from F5

Question

Network connectivity is in place between F5 and server, but I can't telnet to server on 80/443 and healthchecks are failing. If I remove healthcheck I can hit VIP from browser and webpage comes up ok, so I know web services are responding.&nbsp;
.206 is the server, .6 is the F5.&nbsp;
 &nbsp;
11 17:05:22.983153 802.1Q vlan20 P0 10.229.192.206.https &gt; 10.229.148.6.38538: . ack 3045850159 win 5792  (DF)&nbsp;
...&nbsp;
17 17:06:05.032041 802.1Q vlan20 P0 10.229.148.6.38538 &gt; 10.229.192.206.https: S 2979154442:2979154442(0) win 5840  (DF)&nbsp;
18 17:06:05.032041 802.1Q vlan20 P0 10.229.192.206.https &gt; 10.229.148.6.38538: . ack 1 win 5792  (DF)&nbsp;
19 17:06:05.032041 802.1Q vlan20 P0 10.229.148.6.38538 &gt; 10.229.192.206.https: R 3045850159:3045850159(0) win 0 (DF)&nbsp;
20 17:06:20.221667 802.1Q vlan20 P0 10.229.148.6.37495 &gt; 10.229.192.206.http: S 2936484771:2936484771(0) win 5840  (DF)&nbsp;
21 17:06:20.221667 802.1Q vlan20 P0 10.229.192.206.http &gt; 10.229.148.6.37495: . ack 176362648 win 5792  (DF)&nbsp;
22 17:06:20.221667 802.1Q vlan20 P0 10.229.148.6.37495 &gt; 10.229.192.206.http: R 176362648:176362648(0) win 0 (DF)&nbsp;
 &nbsp;
The way I read this, and I could be way off, is at line 17 the LB does healthcheck to server, we see a Syn. Then line 18 is the servers ack to that syn. Line 19 is a reset from a previous ack on line 11 from the server.&nbsp;
Then line 20, LB syn to server, line 21 is server ack, then line 22 LB resets the server ack? Anyone have any ideas what is going on here? No funky profiles/irules/etc on this vip/pool, pretty generic setup.&nbsp;
 &nbsp;

what_lies_bene1 · Answer

What health monitors are you using? TCP Half Open? If so, this looks normal. Also, are there any source IP address restrictions configured on the server?

luca_55898 · Answer

Yeah I think the resets are part of the normal operation.... The LTM sends a reset after the ack so it doesn't keep unnecessary sessions open which consumes resources on the server...   
&nbsp;  
&nbsp; What is the health check? 
&nbsp; Is your server doing HTTPS?

matt_70198 · Answer

We are using the normal http and https healthchecks. I was able to open a second session on the load balancer and capture traffic on the interface a little better.&nbsp;
16:48:06.687386 10.229.148.7.35891 &gt; 10.229.192.206.http: S 104961729:104961729(0) win 5840  (DF)&nbsp;
&nbsp;
16:48:06.688099 10.229.192.206.http &gt; 10.229.148.7.35891: S 794931445:794931445(0) ack 2103057099 win 5792  (DF)&nbsp;
&nbsp;
16:48:06.688342 10.229.148.7.35891 &gt; 10.229.192.206.http: R 2103057099:2103057099(0) win 0 (DF)&nbsp;
 &nbsp;
We figured it out though, LB sent traffic to FW, and on to server, then server was sending return traffic back an asymetric path not through FW (it's a messed up environment). Had to add a static route on server and all was good.&nbsp;
 &nbsp;

Forum Discussion

Need help deciphering this tcpdump / resets from F5

3 Replies

Recent Discussions

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Rewrite uri translation not working

Related Content

8. SYN Cookie: Troubleshooting tcpdump

Decrypting TLS with the tcpdump sslprovider

BIGIP resets connecion

Tcpdump Capture

decrypted tcpdump capture without using an iRule using tshark