Forum Discussion

Zara_117183's avatar
Zara_117183
Icon for Nimbostratus rankNimbostratus
Mar 04, 2016

TCP RST sent after closing connection

Hi,

I use this http monitor GET /healthcheck.html HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n

but sometimes the Big-IP send a RST packet to the server after closing connection.

packet captures Big-IP side:

"2","2.310609","30.106.21.249","30.106.28.1","TCP","158","OUT s1/tmm0 : 50531 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1019319882 TSecr=0 WS=128"
"3","2.310917","30.106.28.1","30.106.21.249","TCP","162","IN  s1/tmm0 : http > 50531 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=8 SACK_PERM=1 TSval=535406092 TSecr=1019319882"
"4","2.311510","30.106.21.249","30.106.28.1","TCP","150","OUT s1/tmm0 : 50531 > http [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=1019319883 TSecr=535406092"
"5","2.311525","30.106.21.249","30.106.28.1","HTTP","230","OUT s1/tmm0 : GET /healthcheck.html HTTP/1.1 "
"6","2.311814","30.106.28.1","30.106.21.249","TCP","150","IN  s1/tmm0 : http > 50531 [ACK] Seq=1 Ack=81 Win=263456 Len=0 TSval=535406092 TSecr=1019319883"
"7","2.312667","30.106.28.1","30.106.21.249","HTTP","478","IN  s1/tmm0 : HTTP/1.1 200 OK  (text/html)"
"8","2.312960","30.106.28.1","30.106.21.249","TCP","150","IN  s1/tmm0 : http > 50531 [FIN, PSH, ACK] Seq=329 Ack=81 Win=263456 Len=0 TSval=535406092 TSecr=1019319883"
"9","2.313261","30.106.21.249","30.106.28.1","TCP","150","OUT s1/tmm0 : 50531 > http [ACK] Seq=81 Ack=329 Win=15744 Len=0 TSval=1019319885 TSecr=535406092"
"10","2.313264","30.106.21.249","30.106.28.1","TCP","150","OUT s1/tmm0 : 50531 > http [FIN, ACK] Seq=81 Ack=330 Win=15744 Len=0 TSval=1019319885 TSecr=535406092"
"11","2.313557","30.106.28.1","30.106.21.249","TCP","150","IN  s1/tmm0 : http > 50531 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535406092 TSecr=1019319885"
"12","2.313558","30.106.28.1","30.106.21.249","TCP","150","IN  s1/tmm0 : [TCP Dup ACK 111] http > 50531 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535406092 TSecr=1019319885"
"13","2.313590","30.106.21.249","30.106.28.1","TCP","206","OUT s1/tmm0 : 50531 > http [RST, ACK] Seq=82 Ack=330 Win=0 Len=42 [F5RST: TCP 3WHS rejected]"

I found this log on /var/log/ltm: RST sent from 30.106.21.249:39465 to 30.106.28.1:80, [0x1ecb7a7:1724] TCP 3WHS rejected

In this packet capture, we can see that big-ip sent RST packet after receiving a duplicate ACK.. Is this behavior normal?

packet captures server side:

"No.","Time","Source","Destination","Protocol","Length","Info"
"31","15.022157","30.106.21.249","30.106.28.1","TCP","78","50293 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1019159907 TSecr=0 WS=128"
"32","15.022181","30.106.28.1","30.106.21.249","TCP","82","http > 50293 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=8 SACK_PERM=1 TSval=535246142 TSecr=1019159907"
"33","15.023085","30.106.21.249","30.106.28.1","TCP","70","50293 > http [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=1019159907 TSecr=535246142"
"34","15.023093","30.106.21.249","30.106.28.1","HTTP","150","GET /healthcheck.html HTTP/1.1 "
"35","15.023098","30.106.28.1","30.106.21.249","TCP","70","http > 50293 [ACK] Seq=1 Ack=81 Win=263456 Len=0 TSval=535246142 TSecr=1019159907"
"36","15.024074","30.106.28.1","30.106.21.249","HTTP","398","HTTP/1.1 200 OK  (text/html)"
"37","15.024091","30.106.28.1","30.106.21.249","TCP","70","http > 50293 [FIN, PSH, ACK] Seq=329 Ack=81 Win=263456 Len=0 TSval=535246142 TSecr=1019159907"
"38","15.025204","30.106.21.249","30.106.28.1","TCP","70","50293 > http [FIN, ACK] Seq=81 Ack=330 Win=15744 Len=0 TSval=1019159909 TSecr=535246142"
"39","15.025214","30.106.28.1","30.106.21.249","TCP","70","http > 50293 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535246142 TSecr=1019159909"
"40","15.025216","30.106.21.249","30.106.28.1","TCP","70","[TCP Keep-Alive] 50293 > http [ACK] Seq=81 Ack=329 Win=15744 Len=0 TSval=1019159909 TSecr=535246142"
"41","15.025220","30.106.28.1","30.106.21.249","TCP","70","[TCP Keep-Alive ACK] http > 50293 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535246142 TSecr=1019159909"
"42","15.025719","30.106.21.249","30.106.28.1","TCP","100","50293 > http [RST, ACK] Seq=82 Ack=330 Win=0 Len=42"

Thank you for your help.

2 Replies

  • Hi Zara, these are not seemed the same session, because from bigip side src port 50531, from server side src port 50293
  • Hi farukaydin, Y're right.. here are two packet capture for the same session

    Big-IP Side:
    "12","5.221353","30.106.21.249","30.106.28.1","TCP","158","OUT s1/tmm0 : 32873 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1349922501 TSecr=0 WS=128"
    "13","5.221648","30.106.28.1","30.106.21.249","TCP","162","IN  s1/tmm0 : http > 32873 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=8 SACK_PERM=1 TSval=865996206 TSecr=1349922501"
    "14","5.222300","30.106.21.249","30.106.28.1","TCP","150","OUT s1/tmm0 : 32873 > http [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=1349922502 TSecr=865996206"
    "15","5.222306","30.106.21.249","30.106.28.1","HTTP","230","OUT s1/tmm0 : GET /healthcheck.html HTTP/1.1 "
    "16","5.222625","30.106.28.1","30.106.21.249","TCP","150","IN  s1/tmm0 : http > 32873 [ACK] Seq=1 Ack=81 Win=263456 Len=0 TSval=865996206 TSecr=1349922502"
    "17","5.223896","30.106.28.1","30.106.21.249","HTTP","478","IN  s1/tmm0 : HTTP/1.1 200 OK  (text/html)"
    "18","5.223900","30.106.28.1","30.106.21.249","TCP","150","IN  s1/tmm0 : http > 32873 [FIN, PSH, ACK] Seq=329 Ack=81 Win=263456 Len=0 TSval=865996206 TSecr=1349922502"
    "19","5.224589","30.106.21.249","30.106.28.1","TCP","150","OUT s1/tmm0 : 32873 > http [ACK] Seq=81 Ack=329 Win=15744 Len=0 TSval=1349922504 TSecr=865996206"
    "20","5.224593","30.106.21.249","30.106.28.1","TCP","150","OUT s1/tmm0 : 32873 > http [FIN, ACK] Seq=81 Ack=330 Win=15744 Len=0 TSval=1349922504 TSecr=865996206"
    "21","5.224924","30.106.28.1","30.106.21.249","TCP","150","IN  s1/tmm0 : http > 32873 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=865996206 TSecr=1349922504"
    "22","5.224929","30.106.28.1","30.106.21.249","TCP","150","IN  s1/tmm0 : [TCP Dup ACK 211] http > 32873 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=865996206 TSecr=1349922504"
    "23","5.225013","30.106.21.249","30.106.28.1","TCP","206","OUT s1/tmm0 : 32873 > http [RST, ACK] Seq=82 Ack=330 Win=0 Len=42 [F5RST: TCP 3WHS rejected]"
    

    Server Side:

    "31","6.02267","30.106.21.249","30.106.28.1","TCP","78","32873 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=101969907 TSecr=0 WS=128"
    "32","6.022181","30.106.28.1","30.106.21.249","TCP","82","http > 32873 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=8 SACK_PERM=1 TSval=535246142 TSecr=101969907"
    "33","6.023085","30.106.21.249","30.106.28.1","TCP","70","32873 > http [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=101969907 TSecr=535246142"
    "34","6.023093","30.106.21.249","30.106.28.1","HTTP","60","GET /healthcheck.html HTTP/1.1 "
    "35","6.023098","30.106.28.1","30.106.21.249","TCP","70","http > 32873 [ACK] Seq=1 Ack=81 Win=263456 Len=0 TSval=535246142 TSecr=101969907"
    "36","6.024074","30.106.28.1","30.106.21.249","HTTP","398","HTTP/1.1 200 OK  (text/html)"
    "37","6.024091","30.106.28.1","30.106.21.249","TCP","70","http > 32873 [FIN, PSH, ACK] Seq=329 Ack=81 Win=263456 Len=0 TSval=535246142 TSecr=101969907"
    "38","6.025204","30.106.21.249","30.106.28.1","TCP","70","32873 > http [FIN, ACK] Seq=81 Ack=330 Win=6744 Len=0 TSval=101969909 TSecr=535246142"
    "39","6.025214","30.106.28.1","30.106.21.249","TCP","70","http > 32873 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535246142 TSecr=101969909"
    "40","6.025216","30.106.21.249","30.106.28.1","TCP","70","[TCP Keep-Alive] 32873 > http [ACK] Seq=81 Ack=329 Win=6744 Len=0 TSval=101969909 TSecr=535246142"
    "41","6.025220","30.106.28.1","30.106.21.249","TCP","70","[TCP Keep-Alive ACK] http > 32873 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535246142 TSecr=101969909"
    "42","6.025719","30.106.21.249","30.106.28.1","TCP","100","32873 > http [RST, ACK] Seq=82 Ack=330 Win=0 Len=42"
    

    Thank you for your help. Zara