Forum Discussion
Finding Source IP in Log Files
Suppose TCP resets are seen on the firewall between a source IP x.x.x.x and the VIP y.y.y.y at a particular time and date. Which LTM logs would I view to find the related information? The /var/log/ltm files do not seem to contain that type of information.
- Samir_Jha_52506
Noctilucent
It will be very difficult to gather information/logs without clear traffic flow
- Firewall comes first then LB --> In that case you will find any session towards VIP...not
- LB comes first then firewall --> In that case, capture packet to see the flow...
- SIP_354925
Nimbostratus
Thanks for your response. Our traffic is FW --> LB. From what you are saying I will not find any events for VIPS. I still do not understand why not?
- youssef1
Cumulonimbus
Hello SIP.
First you have to know that /var/log/ltm contains log messages generated by the BIG-IP system. This file can also contain logs generated by your iRule (when you use "log local0."): https://support.f5.com/csp/article/K16197
But if you have a TCP reset from F5, by default it is not logged. It can come from many different things (TCP 3WHS rejected, TCP RST from remote system, RST from BIG-IP internal Linux host, Flow expired ...).
So when you have this kind of behaviour you can configure the BIG-IP system to log the reasons for generating the TCP RST packets to the /var/log/ltm log file.
tmsh modify /sys db tm.rstcause.log value enable
tmsh modify /sys db tm.rstcause.pkt value enable
Then you can see all reset logs in /var/log/ltm.
https://support.f5.com/csp/article/K13223
But it is not advisable to leave these logs activated all the time. They must be left on only during the investigation period, for reasons of performance and log accumulation.
Let me know if it's clear for you.
Regards
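Added example (not part of the post above or of F5's documentation): once tm.rstcause.log is enabled, a filter like this pulls the resets between one client and one VIP out of /var/log/ltm and counts them by cause. The log line layout, the function names and the sample addresses are assumptions; adjust the pattern to what your BIG-IP version actually writes.

```sh
#!/bin/sh
# Added example: summarise logged RST causes between one client and one VIP.
# Assumed line format once tm.rstcause.log is enabled (adjust if yours differs):
#   <date> <host> err tmm[pid]: <msgid>: RST sent from IP:port to IP:port, [0x..:n] cause

# usage: rst_causes CLIENT_IP VIP [LOGFILE]   ("-" reads stdin)
rst_causes() {
    client=$1; vip=$2; logfile=${3:-/var/log/ltm}
    awk -v c="$client" -v v="$vip" '
    {
        p = index($0, "RST sent from ")
        if (p == 0) next
        rest = substr($0, p + 14)            # "A:port to B:port, [tag] cause"
        comma = index(rest, ", ")
        if (comma == 0) next
        if (split(substr(rest, 1, comma - 1), ep, " to ") != 2) next
        src = ep[1]; sub(/:[0-9]+$/, "", src)   # strip the port (IPv4 form)
        dst = ep[2]; sub(/:[0-9]+$/, "", dst)
        # Exact compare, either direction: 192.0.2.10 must not match 192.0.2.100
        if (!((src == c && dst == v) || (src == v && dst == c))) next
        cause = substr(rest, comma + 2)
        b = index(cause, "] ")               # drop the leading [0x..:n] tag
        if (substr(cause, 1, 1) == "[" && b > 0) cause = substr(cause, b + 2)
        count[src " -> " dst " | " cause]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$logfile" | sort -rn
}

# Constructed sample lines (not from a real device)
sample_log() {
    cat <<'EOF'
Jun 10 11:40:24 bigip1 err tmm[9829]: 01230140:3: RST sent from 198.51.100.20:443 to 192.0.2.10:51514, [0x1cf34ab:712] Flow expired (sweeper)
Jun 10 11:40:31 bigip1 err tmm[9829]: 01230140:3: RST sent from 198.51.100.20:443 to 192.0.2.10:51520, [0x1cf34ab:712] Flow expired (sweeper)
Jun 10 11:41:02 bigip1 err tmm[9829]: 01230140:3: RST sent from 198.51.100.20:443 to 192.0.2.100:40211, [0x1cf2a11:301] No flow found for ACK
Jun 10 11:41:09 bigip1 err tmm[9829]: 01230140:3: RST sent from 198.51.100.20:443 to 192.0.2.10:51533, [0x1cf2a11:301] No flow found for ACK
Jun 10 11:41:15 bigip1 notice constructed unrelated line
EOF
}

sample_log | rst_causes 192.0.2.10 198.51.100.20 -
```

On the device itself, omit the third argument to read /var/log/ltm, and narrow the input to the incident window first (for example with grep on the timestamp) so the counts match the firewall's observations.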
- Peter_Baumann
Cirrostratus
tcpdump -nni 0.0 host
-> Then you will see if you have SYN Requests or complete TCP sessions etc...