I have a production BIG-IP running v220.127.116.11 that is showing unexpected behaviour on a certain LTM error code.
I was trying to troubleshoot some connectivity errors and it turned out that the client was sending an oversize HTTP Request header which was greater than the byte limit set in the HTTP "Max header size" value.
Normally we would expect to see error code 011f0005 "HTTP header (xxx) exceeded maximum allowed size of 32768" but in this case nothing was observed.
A different request with more than the maximum *number* of headers did trigger the separate event "011f0011:3: HTTP header count exceeded maximum allowed count", so the LTM logging is working fine for other codes, just not the header size one.
I've compared the same requests on a different F5 pair running the same software version that front a test version of the website affected, and the log entry is being output to syslog as expected, so it seems specific to this production device pair.
Is there any way to check lower level logging settings or compare sys db flags between these two pairs so I can try and work out why the error didn't log as expected?
Thought it was worth an ask on here prior to raising a support ticket.
You can list db keys with
tmsh list sys db all-properties
Then use diff or similar to compare the output between devices.
There may just be an edge case where the violation is triggered but no message is emitted - maybe due to incoming packet segmentation. The HTTP profile can be like that sometimes.
If you are concerned, raise a support ticket - there may be stats available in the QKView that give some visibility to the problem. A nice clean packet capture might be a good idea as well.
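The db-key comparison suggested in the answer above, as an added example that is not part of the original thread: it parses two saved copies of the `tmsh list sys db all-properties` output and reports only the keys whose `value` differs or that exist on one device only. The stanza layout is assumed from typical tmsh output, and the key names and values in the samples are constructed.

```python
import re

# Assumed stanza layout of the tmsh output:
#   sys db some.key {
#       default-value "x"
#       value "y"
#   }
STANZA = re.compile(r'^sys db (\S+) \{\s*$')
PROP = re.compile(r'^\s+([\w-]+)\s+(.*?)\s*$')

def parse_sys_db(text):
    """Return {db_key: {property: value}} from the saved tmsh output."""
    keys, current = {}, None
    for line in text.splitlines():
        m = STANZA.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
        elif line.strip() == '}':
            current = None
        elif current is not None:
            p = PROP.match(line)
            if p:
                current[p.group(1)] = p.group(2).strip('"')
    return keys

def diff_sys_db(a_text, b_text, prop='value'):
    """Return {db_key: (a, b)} where prop differs; None means the key is absent."""
    a, b = parse_sys_db(a_text), parse_sys_db(b_text)
    out = {}
    for key in sorted(set(a) | set(b)):
        av, bv = a.get(key, {}).get(prop), b.get(key, {}).get(prop)
        if av != bv:
            out[key] = (av, bv)
    return out

def stanza(key, value, default):
    # Builds one constructed sample stanza in the assumed layout.
    return f'sys db {key} {{\n    default-value "{default}"\n    value "{value}"\n}}\n'

# Constructed sample data; the key names are placeholders, not real BIG-IP db keys.
PROD = stanza('example.log.level', 'error', 'notice') + stanza('example.feature', 'enable', 'enable')
TEST = (stanza('example.log.level', 'notice', 'notice') + stanza('example.feature', 'enable', 'enable')
        + stanza('example.testonly', 'true', 'false'))

if __name__ == '__main__':
    for key, (prod, test) in diff_sys_db(PROD, TEST).items():
        print(f'{key}: prod={prod!r} test={test!r}')
```

In practice, redirect the tmsh output to a file on each device and pass the two file contents to `diff_sys_db`; keys that legitimately differ per device will also show up and need to be read past.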