Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

BIGIP resets connecion

Go to solution
T5C
Altocumulus
Altocumulus

‎10-Oct-2022 08:38 - edited ‎10-Oct-2022 08:54

Hello Team

How to check what's the reason for resetting connection from F5  in this situation:  F5  receives from server 'application/octet-stream' http first packet, acknoledges it and then sends rst to client and server. When rst logging is enabled (sys db tm.rstcause.log value enable) in logs there's no information regarding what causes reset that connection. There's no ASM module provisioned also. Why F5 would send reset to client and then to server ? Is there another command / log switch which can show this reason ?

Regards, TC

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Mohamed_Salah_
MVP
MVP
In response to T5C

‎11-Oct-2022 07:29

Hello,

what great news, that it is working now. I think you can extract the headers and value pairs and check them by yourself and compare header names and values with RFC.

For example, the following HTTP request from the client causes the connection to be reset:

POST /web/page HTTP/1.1
Accept: */*
aaabbbccc
Cache-Control: no-cache
Content-Length: 438

Note: The aaabbbccc header is malformed because it does not conform to the name: value syntax. 

Using another example, the following HTTP request from the client also causes the connection to be reset:

POST /web/page HTTP/1.1
Accept: */*
aaabbbccc :
Cache-Control: no-cache
Content-Length: 438

Note: If there is a white space between the field name (aaabbbccc) and colon (:), then the request fails and the system considers it to be malformed. Full details about HTTP header restrictions are described in IETF RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing.This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

Reference: https://support.f5.com/csp/article/K38905534

 

Unfortunately, it is not mentioned in any of F5 articles how to check for the malformed header and know the header specifically, so you can check it by yourself by getting all of the header names and values.

BR,

Mohamed Salah

View solution in original post

7 REPLIES 7

Go to solution
Mohamed_Salah_
MVP
MVP

‎10-Oct-2022 11:02

Hello,

For the RST logging, you mentioned that it is enabled, so please check the below article for checking the statistics and an example of the log messages.

https://support.f5.com/csp/article/K13223

 

if you didn't find any log entries regarding the issue, you can start generating a tcpdump (Packet capture) using a command like the below on bash:

#tcpdump -nnnveti 0.0:nnnp host "filter by an IP" and port "add port" -s0 -S -w /var/log/pcapname.pcap

Example:

tcpdump -nnnveti 0.0:nnnp host 172.20.10.1 and port 443 -s0 -S -w /var/log/pcapname.pcap

and then the cause might be mentioned in the generated file as per the below exmaple:

tcpdump.PNG

If the traffic is encrypted, and you are making SSL ofloading on F5, you can check the below link to decrypt the traffic in the capture.

https://support.f5.com/csp/article/K12783074

BR,

Mohamed Salah

 

0 Kudos

Go to solution
Mohamed_Salah_
MVP
MVP
In response to Mohamed_Salah_

‎10-Oct-2022 11:03

You may need to check the below article also for getting the root cause in the packet capture.

https://support.f5.com/csp/article/K89012646

 

0 Kudos

Go to solution
T5C
Altocumulus
Altocumulus
In response to Mohamed_Salah_

‎10-Oct-2022 11:26 - edited ‎10-Oct-2022 11:26

I've checked it is reseted because  "Malformed HTTP header error". I suspect specific header but would like to be sure that it is because of that header -  how to check which http header caused an error/is it possible to display such information ?

0 Kudos

Go to solution
Mohamed_Salah_
MVP
MVP
In response to T5C

‎10-Oct-2022 11:32

Hello,

as per the below article "Beginning BIG-IP 12.0.0 HTTP profile enforces strict header checks. HTTP request or response that does not conform to RFC 7230, will be considered a malformed HTTP header and the BIG-IP system will reset the connection."

https://support.f5.com/csp/article/K66202369

the work around mentioned is to user trasparent http profile, which is:

"The Transparent Proxy Mode enables the BIG-IP system to forward invalid HTTP traffic to a specified server, instead of dropping the connection. By configuring an HTTP profile to forward invalid HTTP traffic, you can manage various atypical service provider scenarios, such as HTTP traffic from non-browser clients that function as web browsers."

Also, take a look at these links:

https://support.f5.com/csp/article/K54310202

https://support.f5.com/csp/article/K52671508

 

0 Kudos

Go to solution
T5C
Altocumulus
Altocumulus

‎11-Oct-2022 03:28 - edited ‎11-Oct-2022 03:29

Hello,

When http profile is changed to http transparent - everything works OK. (it looks that header which was suspicious has the same value on another environment on different device - and on that device everything is working fine).

How to check what header is malformed ? Is there any way to debug it ?

0 Kudos

Go to solution
Mohamed_Salah_
MVP
MVP
In response to T5C

‎11-Oct-2022 07:29

Hello,

what great news, that it is working now. I think you can extract the headers and value pairs and check them by yourself and compare header names and values with RFC.

For example, the following HTTP request from the client causes the connection to be reset:

POST /web/page HTTP/1.1
Accept: */*
aaabbbccc
Cache-Control: no-cache
Content-Length: 438

Note: The aaabbbccc header is malformed because it does not conform to the name: value syntax. 

Using another example, the following HTTP request from the client also causes the connection to be reset:

POST /web/page HTTP/1.1
Accept: */*
aaabbbccc :
Cache-Control: no-cache
Content-Length: 438

Note: If there is a white space between the field name (aaabbbccc) and colon (:), then the request fails and the system considers it to be malformed. Full details about HTTP header restrictions are described in IETF RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing.This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

Reference: https://support.f5.com/csp/article/K38905534

 

Unfortunately, it is not mentioned in any of F5 articles how to check for the malformed header and know the header specifically, so you can check it by yourself by getting all of the header names and values.

BR,

Mohamed Salah

Go to solution
T5C
Altocumulus
Altocumulus
In response to Mohamed_Salah_

‎31-Oct-2022 06:56

Hello

One of http headers was set by appication server with inappropriate value without ending \r\n, only \r.

After impementing changes by application team now it works great.

BR,

TC.

Copyright © 2023 Khoros, LLC