How do I view which rule closed a TCP connection?

Question

We are trying to troubleshoot an issue that is very puzzling to us.  The symptom...when we fail over to another site of ours with F5 configs fully sync'd with the working size we see TCP resets originating from the F5 itself.  This is a VIP for our externally hosted/cloud-based external mail provider (ProofPoint) and when this happens mail to/from outside our company is severely delayed.&nbsp;
My question for this forum is is there a log or something somewhere that I can watch that will tell me a rule that his triggered that closes TCP connections?  NOTE:  This only happens from one of our F5's, when it is running on our the F5 it is now it works fine.&nbsp;

ed_summers · Answer

You've checked all the basic issues such as connectivity (routing, ACLs, etc.) and verified that the resets are indeed originating from the BIG-IP? K9812 reviews some common reasons for resets from BIG-IP.&nbsp;
K13233 describes how to enable logging to /var/log/ltm or inside the TCP RST packet itself. Note the warnings about performance degradation and consider your environment.&nbsp;
K13637 describes how to increase the 'noise level' in a tcpdump from BIG-IP. The 'medium' details includes the reset cause.&nbsp;

Forum Discussion

How do I view which rule closed a TCP connection?

1 Reply

Recent Discussions

F5 terminal - help to run commands - disk space full

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

Related Content

Help with upstream prematurely closed!

Ending an APM session when browser tab is closed

Mystical Connection Close - without logs, after stress test.

Securely connecting Kubernetes Microservices with F5 Distributed Cloud

Troubeshooting website connection