BIGIP resets connecion

Hello Team

How to check what's the reason for resetting connection from F5 in this situation: F5 receives from server 'application/octet-stream' http first packet, acknoledges it and then sends rst to client and server. When rst logging is enabled (sys db tm.rstcause.log value enable) in logs there's no information regarding what causes reset that connection. There's no ASM module provisioned also. Why F5 would send reset to client and then to server ? Is there another command / log switch which can show this reason ?

Regards, TC

application delivery

devops

Mohamed_Salah_
Oct 11, 2022
Hello,
what great news, that it is working now. I think you can extract the headers and value pairs and check them by yourself and compare header names and values with RFC.
For example, the following HTTP request from the client causes the connection to be reset:
POST /web/page HTTP/1.1
Accept: */*
aaabbbccc
Cache-Control: no-cache
Content-Length: 438
Note: The aaabbbccc header is malformed because it does not conform to the name: value syntax.
Using another example, the following HTTP request from the client also causes the connection to be reset:
POST /web/page HTTP/1.1
Accept: */*
aaabbbccc :
Cache-Control: no-cache
Content-Length: 438
Note: If there is a white space between the field name (aaabbbccc) and colon (:), then the request fails and the system considers it to be malformed. Full details about HTTP header restrictions are described in IETF RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing.This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
Reference: https://support.f5.com/csp/article/K38905534

Unfortunately, it is not mentioned in any of F5 articles how to check for the malformed header and know the header specifically, so you can check it by yourself by getting all of the header names and values.
BR,
Mohamed Salah

Mohamed_Salah_
MVP
Oct 10, 2022
Hello,
For the RST logging, you mentioned that it is enabled, so please check the below article for checking the statistics and an example of the log messages.
https://support.f5.com/csp/article/K13223

if you didn't find any log entries regarding the issue, you can start generating a tcpdump (Packet capture) using a command like the below on bash:
#tcpdump -nnnveti 0.0:nnnp host "filter by an IP" and port "add port" -s0 -S -w /var/log/pcapname.pcap
Example:
tcpdump -nnnveti 0.0:nnnp host 172.20.10.1 and port 443 -s0 -S -w /var/log/pcapname.pcap
and then the cause might be mentioned in the generated file as per the below exmaple:
If the traffic is encrypted, and you are making SSL ofloading on F5, you can check the below link to decrypt the traffic in the capture.
https://support.f5.com/csp/article/K12783074
BR,
Mohamed Salah
- Mohamed_Salah_
  MVP
  Oct 10, 2022
  You may need to check the below article also for getting the root cause in the packet capture.
  https://support.f5.com/csp/article/K89012646
  - T5C
    Altocumulus
    Oct 10, 2022
    I've checked it is reseted because "Malformed HTTP header error". I suspect specific header but would like to be sure that it is because of that header - how to check which http header caused an error/is it possible to display such information ?
T5C
Altocumulus
Oct 11, 2022
Hello,
When http profile is changed to http transparent - everything works OK. (it looks that header which was suspicious has the same value on another environment on different device - and on that device everything is working fine).
How to check what header is malformed ? Is there any way to debug it ?
- Mohamed_Salah_
  MVP
  Oct 11, 2022
  Hello,
  what great news, that it is working now. I think you can extract the headers and value pairs and check them by yourself and compare header names and values with RFC.
  For example, the following HTTP request from the client causes the connection to be reset:
  POST /web/page HTTP/1.1
  Accept: */*
  aaabbbccc
  Cache-Control: no-cache
  Content-Length: 438
  Note: The aaabbbccc header is malformed because it does not conform to the name: value syntax.
  Using another example, the following HTTP request from the client also causes the connection to be reset:
  POST /web/page HTTP/1.1
  Accept: */*
  aaabbbccc :
  Cache-Control: no-cache
  Content-Length: 438
  Note: If there is a white space between the field name (aaabbbccc) and colon (:), then the request fails and the system considers it to be malformed. Full details about HTTP header restrictions are described in IETF RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing.This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
  Reference: https://support.f5.com/csp/article/K38905534
  
  Unfortunately, it is not mentioned in any of F5 articles how to check for the malformed header and know the header specifically, so you can check it by yourself by getting all of the header names and values.
  BR,
  Mohamed Salah
  - T5C
    Altocumulus
    Oct 31, 2022
    Hello
    One of http headers was set by appication server with inappropriate value without ending \r\n, only \r.
    After impementing changes by application team now it works great.
    BR,
    TC.