TCP connections on F5 LTM VE

May be you want to look directly at the web server config. It may be resetting connections. You can catch this behavior by sniffin' directly on the linux server terminal with something like:

tcpdump --nni eth0

**If you see the reset (R) from the web server IP,then the virtual server will answer the same.

Please have a look to his article:

http://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html?sr=37562714

regards. hheredia

Hi,

Below are the capture of the tcpdump it seems that the internal vlan ip 10.10.10.1 is the one sending the (R)reset flag

23:34:59.063021 IP 10.10.10.1.35840 > 10.10.10.2.http: S 1589453853:1589453853(0) win 5840 23:34:59.065541 IP 10.10.10.2.http > 10.10.10.1.35840: S 3686360985:3686360985(0) ack 1589453854 win 5792 . some output omitted . 23:34:59.098055 IP 10.10.10.1.35840 > 10.10.10.2.http: F 8:8(0) ack 2897 win 91 23:34:59.099024 IP 10.10.10.2.http > 10.10.10.1.35840: P 2897:4097(1200) ack 8 win 5792 23:34:59.099613 IP 10.10.10.1.35840 > 10.10.10.2.http: R 1589453861:1589453861(0) win 0

Is there a chance the clients are using HTTP/1.0 rather than HTTP/1.1? IE has a bad habit of doing this. If that's the case, every request results in a new connection being established and then torn down. Definitely take a look at the client browser settings. Perhaps use IEHTTPHeaders or something similar to confirm.

For Firefox, use LiveHTTPHeaders. It's pretty simple to use and you'd be looking for HTTP/1.0 or HTTP/1.1 in the request line of all requests from the client.

Alternatively you can look at the the statistics in the GUI: Menu Path: Statistics > Module Statistics > Local Traffic > Statistics Type: Profiles Summary - then click HTTP and look for the number of HTTP/1.0 and HTTP/1.1 requests.