Forum Discussion
Source of the Limiting open port RST response
Hi,
I am looking to see how I can find out what might be sending these messages by constructing a TCPdump to try and capture this. The F5 has a number of different VLAN interfaces, so I think that I will need to have a capture per interface? To filter out a bit more noise I was going to set one of the variables to be the source address of the F5 but would it be the VS IP or an interface IP address that the RST would be being sent from?
Hope somebody can help.
James
- What_Lies_Bene1 Cirrostratus
Hey James,
Sorry, but you are not very clear about what you are trying to capture, so I'm not sure what to advise regarding a filter expression.
You can run tcpdump on all interfaces at once as follows:
tcpdump -i 0.0
- Cory_50405 Noctilucent
Hi James,
You can capture on all interfaces on the BIG-IP by specifying 0.0 as the interface:
tcpdump -nni 0.0
To additionally filter by an IP address (whether it be a virtual server address or a self IP address), you can do this:
tcpdump -nni 0.0 host 10.10.10.10
Or if you want to capture based on a subnet, you can do:
tcpdump -nni 0.0 net 10.10.10
How do you know you are seeing an excessive amount of RST packets? The answer may help tailor your tcpdump to limit the noise.
- JTucker_137331 Nimbostratus
I am getting the messages in the LTM log: Limiting open port RST response from 351 to 350 packets/sec. Sometimes maybe just one or two a day, other times 10 - 20 instances 4 or 5 times a day.
- JTucker_137331 Nimbostratus
Sorry, I am trying to capture the address that the F5 will be responding with an RST to, the dump would probably look something like:
tcpdump -i 0.0 'tcp[13] & 4 != 0 and (src host f5_int1 or src host f5_int2)'
- Cory_50405 Noctilucent
James,
This may be of value to you rather than messing around with tcpdump:
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html
- JTucker_137331 Nimbostratus
Hi, That might be just what I am after, will give it a try in the morning when it is quiet I think! If it does the job will mark this as the correct answer, thanks.
- JTucker_137331 Nimbostratus
That is exactly what I am after but because of the volume of traffic we have the log rate is exceeded and is then throttled so I don't get all the data. So, next step, HSL for the ltm log...? :)
- Cory_50405 Noctilucent
You must have a whole lot of traffic going through your LTMs. Or lots of bad things going on. You could explore HSL or just work your way through the issues that you are able to see in /var/log/ltm. Once you fix the cause of one of the RST behaviors (assuming you can), it should quiet down the log enough to show other log messages.
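An added example, not part of the original thread: it tallies a saved text capture from the RST filter discussed above, showing which BIG-IP address and port sent the resets, which peers received them, and the peak count in any one second. The sample lines, addresses and function names are constructed for illustration, and it assumes IPv4 `tcpdump -nn` text output.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn` text output; all addresses are made up.
SAMPLE = """\
09:15:01.000101 IP 10.10.10.10.443 > 192.0.2.15.51000: Flags [R.], seq 0, ack 1001, win 0, length 0
09:15:01.000350 IP 10.10.10.10.443 > 192.0.2.15.51001: Flags [R.], seq 0, ack 2001, win 0, length 0
09:15:01.200000 IP 10.10.10.1.8080 > 192.0.2.77.40000: Flags [R], seq 5, win 0, length 0
09:15:01.300000 IP 192.0.2.15.51002 > 10.10.10.10.443: Flags [S], seq 3000, win 29200, length 0
09:15:02.000000 IP 10.10.10.10.443 > 192.0.2.15.51002: Flags [R.], seq 0, ack 3001, win 0, length 0
09:15:02.100000 IP 192.0.2.99.12345 > 10.10.10.10.443: Flags [R], seq 9, win 0, length 0
""".splitlines()

# timestamp (to the second), source endpoint, destination endpoint, TCP flags
LINE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+) > (\S+): Flags \[([^\]]*)\]")


def split_endpoint(endpoint):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; split on the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def summarize_rsts(lines, f5_addrs):
    """Count RSTs sent from the given BIG-IP addresses (virtual or self IPs)."""
    by_source, by_destination, per_second = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or "R" not in m.group(4):
            continue  # not a TCP line, or RST flag not set
        src_host, src_port = split_endpoint(m.group(2))
        if src_host not in f5_addrs:
            continue  # reset came from a peer, not from the BIG-IP
        dst_host, _ = split_endpoint(m.group(3))
        by_source[f"{src_host}:{src_port}"] += 1
        by_destination[dst_host] += 1
        per_second[m.group(1)] += 1
    return {
        "by_f5_source": by_source.most_common(),
        "by_destination": by_destination.most_common(),
        "peak_per_second": max(per_second.values(), default=0),
    }


if __name__ == "__main__":
    print(summarize_rsts(SAMPLE, {"10.10.10.10", "10.10.10.1"}))
```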