Forum Discussion
Mattia_59070
Nimbostratus
Sep 13, 2014
F5 LTM Sending ACK to a RST,ACK on its own with only routing+nat configured
Hi, we have seen this strange behavior when troubleshooting a network problem.
We have a F5 acting only as router-nat for a particular flow, the LTM has 2 interfaces, the source is in a subnet and we...
BinaryCanary_19
Sep 14, 2014
Historic F5 Account
If you are using a Forwarding-IP Virtual server or a FastL4 Virtual server, then the F5 is generally not going to be generating any packets.
You should look at the Source MAC of the incoming packet and trace which device is generating it.
- Mattia_59070
Sep 14, 2014
Nimbostratus
Thanks, we use a simple 1 to 1 NAT, not a Forwarding-ip VS, what about this configuration? In our captures we see those packets only on the server, and the source mac address is the BIA of the last hop router, so in order to view the actual source we must do a SPAN session in the frontend VLAN. Thanks
- BinaryCanary_19
Sep 14, 2014
Historic F5 Account
I will actually have to test to be sure if a simple NAT is stateful; my guess would be "partially". It would be stateful in that it will simply discard packets that obviously don't match the flow (for TCP, this would be things like invalid sequence or ack numbers), but even at this, I don't think the LTM will send RST packets on its own. It normally silently drops mismatched packets, or they get handled by some other listener/policy on the box.
- BinaryCanary_19
Sep 14, 2014
Historic F5 Account
Not sure what a "SPAN" is, but if you sit at the F5 and run an appropriate capture (filter for target IP only, and capture on all interfaces) and you don't see the packet leaving the F5, then think about the devices that are between the F5 and the target server, and see if any one of them is proxying the connection. One way to detect proxied connections is to establish a connection, capture it at the point of origin, and compare the TCP parameters there with the TCP parameters at the destination. If they are unchanged, then it's likely not proxied.
- The_Bhattman_16
Sep 14, 2014
Nimbostratus
SPAN is referred to as mirroring a port in/out to another port.
- Mattia_59070
Sep 14, 2014
Nimbostratus
Thanks Fanen, the packets are identical both on source and destination, only those 2 packets are missing. On F5 we capture the traffic with a destination host filter. We'll do a new capture using a SPAN session on the Catalyst 6500; I think the ACK is generated by the firewall at this point. But the "core issue" is understanding why with no NAT and no firewall the server correctly closes the sessions (FIN, FIN-ACK, ACK) and with F5 + Firewall we have this issue. Has anyone ever encountered this kind of problem? Thanks
- BinaryCanary_19
Sep 15, 2014
Historic F5 Account
If the applications do not indicate any error conditions, then the fact that connections terminate with an RST does not necessarily mean that it is "wrong". It could simply be something like a branch of code gets executed that "exits" without calling "tcp_close". If you've ever played around with programming, imagine a small program that opens a socket and sends data, and then exits without closing the file/socket -- the operating system will clean up, and I reckon it will simply call "tcp_abort", which is essentially to send a RST. Anyway, this is just me theorizing. The app developer will be best placed to answer why an RST is sent.
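The origin-versus-destination comparison BinaryCanary_19 suggests above (capture the same SYN at both ends and see whether its TCP parameters changed), as an added example that is not part of the thread and not F5 code: a 1:1 NAT rewrites only IP addresses, so the TCP header should be identical at both capture points, while a full proxy or TCP-normalising firewall regenerates the ISN and usually the window and option set. The SYN headers below are constructed inline for the demonstration; the field names are this example's own.

```python
import struct

def build_syn(sport: int, dport: int, seq: int, window: int, options: bytes) -> bytes:
    """Construct a raw TCP SYN header (constructed sample input, no pcap needed)."""
    options += b"\x00" * (-len(options) % 4)           # pad options to 32-bit boundary
    data_offset = (20 + len(options)) // 4
    off_flags = (data_offset << 12) | 0x002             # data offset + SYN flag only
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, window, 0, 0) + options

def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fields of a raw TCP header that a proxy typically rewrites."""
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", raw[:16])
    data_offset = (off_flags >> 12) * 4
    opts, parsed, i = raw[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # end of option list
            break
        if kind == 1:                                   # NOP padding, no length byte
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            parsed.append(("mss", struct.unpack("!H", body)[0]))
        elif kind == 3:
            parsed.append(("wscale", body[0]))
        elif kind == 4:
            parsed.append(("sack_ok", True))
        elif kind == 8:
            parsed.append(("timestamps", struct.unpack("!II", body)))
        else:
            parsed.append((f"kind{kind}", body.hex()))
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "window": window, "options": parsed}

def proxied_fields(origin: bytes, destination: bytes) -> list:
    """Names of TCP parameters that differ between the SYN seen at the origin and at
    the destination. Empty list = consistent with plain NAT; timestamp values are
    compared by presence only, since a proxy's clock would differ regardless."""
    a, b = parse_tcp_header(origin), parse_tcp_header(destination)
    strip = lambda opts: [(k, "present" if k == "timestamps" else v) for k, v in opts]
    differing = [f for f in ("sport", "dport", "seq", "window") if a[f] != b[f]]
    if strip(a["options"]) != strip(b["options"]):
        differing.append("options")
    return differing

# Constructed samples: a typical client SYN (MSS 1460, SACK, timestamps, NOP, wscale 7)
ORIGIN_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + struct.pack("!II", 1000, 0) + b"\x01\x03\x03\x07"
ORIGIN_SYN = build_syn(40000, 443, 0x11223344, 29200, ORIGIN_OPTS)
NAT_SYN = ORIGIN_SYN                                    # 1:1 NAT leaves the TCP header untouched
PROXY_SYN = build_syn(51234, 443, 0x99887766, 4380, b"\x02\x04\x05\x64\x04\x02\x01\x01")
```

Feeding real captures means extracting the TCP header bytes of the SYN from each trace (e.g. with a pcap library) and passing them to `proxied_fields`.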