Forum Discussion
Need help deciphering this tcpdump / resets from F5
Network connectivity is in place between F5 and server, but I can't telnet to server on 80/443 and healthchecks are failing. If I remove healthcheck I can hit VIP from browser and webpage comes up ok, so I know web services are responding.
.206 is the server, .6 is the F5.
11 17:05:22.983153 802.1Q vlan20 P0 10.229.192.206.https > 10.229.148.6.38538: . ack 3045850159 win 5792 (DF)
...
17 17:06:05.032041 802.1Q vlan20 P0 10.229.148.6.38538 > 10.229.192.206.https: S 2979154442:2979154442(0) win 5840 (DF)
18 17:06:05.032041 802.1Q vlan20 P0 10.229.192.206.https > 10.229.148.6.38538: . ack 1 win 5792 (DF)
19 17:06:05.032041 802.1Q vlan20 P0 10.229.148.6.38538 > 10.229.192.206.https: R 3045850159:3045850159(0) win 0 (DF)
20 17:06:20.221667 802.1Q vlan20 P0 10.229.148.6.37495 > 10.229.192.206.http: S 2936484771:2936484771(0) win 5840 (DF)
21 17:06:20.221667 802.1Q vlan20 P0 10.229.192.206.http > 10.229.148.6.37495: . ack 176362648 win 5792 (DF)
22 17:06:20.221667 802.1Q vlan20 P0 10.229.148.6.37495 > 10.229.192.206.http: R 176362648:176362648(0) win 0 (DF)
The way I read this, and I could be way off, is at line 17 the LB does healthcheck to server, we see a Syn. Then line 18 is the servers ack to that syn. Line 19 is a reset from a previous ack on line 11 from the server.
Then line 20, LB syn to server, line 21 is server ack, then line 22 LB resets the server ack? Anyone have any ideas what is going on here? No funky profiles/irules/etc on this vip/pool, pretty generic setup.
- What_Lies_Bene1
Cirrostratus
What health monitors are you using? TCP Half Open? If so, this looks normal. Also, are there any source IP address restrictions configured on the server? - Luca_55898
Nimbostratus
Yeah I think the resets are part of the normal operation.... The LTM sends a reset after the ack so it doesn't keep unnecessary sessions open which consumes resources on the server... - Matt_70198
Nimbostratus
We are using the normal http and https healthchecks. I was able to open a second session on the load balancer and capture traffic on the interface a little better.
16:48:06.687386 10.229.148.7.35891 > 10.229.192.206.http: S 104961729:104961729(0) win 5840 (DF)
We figured it out though, LB sent traffic to FW, and on to server, then server was sending return traffic back an asymetric path not through FW (it's a messed up environment). Had to add a static route on server and all was good.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com