Forum Discussion
BIGIP resets connecion
- Oct 11, 2022
Hello,
what great news, that it is working now. I think you can extract the headers and value pairs and check them by yourself and compare header names and values with RFC.
For example, the following HTTP request from the client causes the connection to be reset:
POST /web/page HTTP/1.1
Accept: */*
aaabbbccc
Cache-Control: no-cache
Content-Length: 438Note: The aaabbbccc header is malformed because it does not conform to the name: value syntax.
Using another example, the following HTTP request from the client also causes the connection to be reset:
POST /web/page HTTP/1.1
Accept: */*
aaabbbccc :
Cache-Control: no-cache
Content-Length: 438Note: If there is a white space between the field name (aaabbbccc) and colon (:), then the request fails and the system considers it to be malformed. Full details about HTTP header restrictions are described in IETF RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing.This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.
Reference: https://support.f5.com/csp/article/K38905534
Unfortunately, it is not mentioned in any of F5 articles how to check for the malformed header and know the header specifically, so you can check it by yourself by getting all of the header names and values.
BR,
Mohamed Salah
Hello,
For the RST logging, you mentioned that it is enabled, so please check the below article for checking the statistics and an example of the log messages.
https://support.f5.com/csp/article/K13223
if you didn't find any log entries regarding the issue, you can start generating a tcpdump (Packet capture) using a command like the below on bash:
#tcpdump -nnnveti 0.0:nnnp host "filter by an IP" and port "add port" -s0 -S -w /var/log/pcapname.pcap
Example:
tcpdump -nnnveti 0.0:nnnp host 172.20.10.1 and port 443 -s0 -S -w /var/log/pcapname.pcap
and then the cause might be mentioned in the generated file as per the below exmaple:
If the traffic is encrypted, and you are making SSL ofloading on F5, you can check the below link to decrypt the traffic in the capture.
https://support.f5.com/csp/article/K12783074
BR,
Mohamed Salah
- Oct 10, 2022
You may need to check the below article also for getting the root cause in the packet capture.
https://support.f5.com/csp/article/K89012646
- T5COct 10, 2022Altocumulus
I've checked it is reseted because "Malformed HTTP header error". I suspect specific header but would like to be sure that it is because of that header - how to check which http header caused an error/is it possible to display such information ?
- Oct 10, 2022
Hello,
as per the below article "Beginning BIG-IP 12.0.0 HTTP profile enforces strict header checks. HTTP request or response that does not conform to RFC 7230, will be considered a malformed HTTP header and the BIG-IP system will reset the connection."
https://support.f5.com/csp/article/K66202369
the work around mentioned is to user trasparent http profile, which is:
"The Transparent Proxy Mode enables the BIG-IP system to forward invalid HTTP traffic to a specified server, instead of dropping the connection. By configuring an HTTP profile to forward invalid HTTP traffic, you can manage various atypical service provider scenarios, such as HTTP traffic from non-browser clients that function as web browsers."
Also, take a look at these links:
https://support.f5.com/csp/article/K54310202
https://support.f5.com/csp/article/K52671508
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com