Connection table entry removed after idle timer reaches tcp keep alive value

nitass can u help?

why is the connection table entry removed??

is there any FIN or RST? you are running tcpdump when testing, aren't you?

i was checking the connection table using show sys connection cs-client-addr all-properties

Should i run a tcpdump, what is the filter i need to use?

if you are running 11.2.0 or later, you may try this.

by the way, please make note the time when entry is removed from connection table. so, you can match it in the tcpdump file.

 tcpdump -nni 0.0:nnnp -s0 -w /var/tmp/output.pcap host x.x.x.x -v
x.x.x.x is client ip

sol13637: Capturing internal TMM information with tcpdump

i am running 11.1.0 HF9 and the time it gets removed corresponds to the keep alive interval i have set which is for 60secs

i am running 11.1.0 HF9

 tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap '(host x.x.x.x and host 6.6.6.6 and port 9041) or (host a.a.a.a and host b.b.b.b and port ccc)' -v

x.x.x.x is client ip
a.a.a.a is snat automap ip (floating self ip on server vlan)
b.b.b.b is pool member ip
ccc is pool member port

i am seeing a FIN Sent by the LTM VIP

How do i find out from the pcap if the server is sending it first, any specific filter i can apply on the wireshark to see it

you may run tcpdump with FIN and RST filter but i think it is good to capture all and filter in wireshark. anyway, there are some filter example here in case if you are interested.

A tcpdump Tutorial and Primer

in the frames before the LTM VIP sends a FIN, i do see the server sending a RST packet, could this be the cause??

may be. can you find out why serer sends reset?

if a RST is sent by the server, why should the VIP send a FIN, shouldn't the VIP also send a RST?