TCP RST sent after closing connection
Hi, I use this http monitor GET /healthcheck.html HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n but sometimes the Big-IP send a RST packet to the server after closing connection. packet captures Big-IP side: "2","2.310609","30.106.21.249","30.106.28.1","TCP","158","OUT s1/tmm0 : 50531 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1019319882 TSecr=0 WS=128" "3","2.310917","30.106.28.1","30.106.21.249","TCP","162","IN s1/tmm0 : http > 50531 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=8 SACK_PERM=1 TSval=535406092 TSecr=1019319882" "4","2.311510","30.106.21.249","30.106.28.1","TCP","150","OUT s1/tmm0 : 50531 > http [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=1019319883 TSecr=535406092" "5","2.311525","30.106.21.249","30.106.28.1","HTTP","230","OUT s1/tmm0 : GET /healthcheck.html HTTP/1.1 " "6","2.311814","30.106.28.1","30.106.21.249","TCP","150","IN s1/tmm0 : http > 50531 [ACK] Seq=1 Ack=81 Win=263456 Len=0 TSval=535406092 TSecr=1019319883" "7","2.312667","30.106.28.1","30.106.21.249","HTTP","478","IN s1/tmm0 : HTTP/1.1 200 OK (text/html)" "8","2.312960","30.106.28.1","30.106.21.249","TCP","150","IN s1/tmm0 : http > 50531 [FIN, PSH, ACK] Seq=329 Ack=81 Win=263456 Len=0 TSval=535406092 TSecr=1019319883" "9","2.313261","30.106.21.249","30.106.28.1","TCP","150","OUT s1/tmm0 : 50531 > http [ACK] Seq=81 Ack=329 Win=15744 Len=0 TSval=1019319885 TSecr=535406092" "10","2.313264","30.106.21.249","30.106.28.1","TCP","150","OUT s1/tmm0 : 50531 > http [FIN, ACK] Seq=81 Ack=330 Win=15744 Len=0 TSval=1019319885 TSecr=535406092" "11","2.313557","30.106.28.1","30.106.21.249","TCP","150","IN s1/tmm0 : http > 50531 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535406092 TSecr=1019319885" "12","2.313558","30.106.28.1","30.106.21.249","TCP","150","IN s1/tmm0 : [TCP Dup ACK 111] http > 50531 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535406092 TSecr=1019319885" "13","2.313590","30.106.21.249","30.106.28.1","TCP","206","OUT s1/tmm0 : 50531 > http [RST, ACK] Seq=82 Ack=330 Win=0 Len=42 [F5RST: TCP 3WHS rejected]" I found this log on /var/log/ltm: RST sent from 30.106.21.249:39465 to 30.106.28.1:80, [0x1ecb7a7:1724] TCP 3WHS rejected In this packet capture, we can see that big-ip sent RST packet after receiving a duplicate ACK.. Is this behavior normal? packet captures server side: "No.","Time","Source","Destination","Protocol","Length","Info" "31","15.022157","30.106.21.249","30.106.28.1","TCP","78","50293 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1019159907 TSecr=0 WS=128" "32","15.022181","30.106.28.1","30.106.21.249","TCP","82","http > 50293 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=8 SACK_PERM=1 TSval=535246142 TSecr=1019159907" "33","15.023085","30.106.21.249","30.106.28.1","TCP","70","50293 > http [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=1019159907 TSecr=535246142" "34","15.023093","30.106.21.249","30.106.28.1","HTTP","150","GET /healthcheck.html HTTP/1.1 " "35","15.023098","30.106.28.1","30.106.21.249","TCP","70","http > 50293 [ACK] Seq=1 Ack=81 Win=263456 Len=0 TSval=535246142 TSecr=1019159907" "36","15.024074","30.106.28.1","30.106.21.249","HTTP","398","HTTP/1.1 200 OK (text/html)" "37","15.024091","30.106.28.1","30.106.21.249","TCP","70","http > 50293 [FIN, PSH, ACK] Seq=329 Ack=81 Win=263456 Len=0 TSval=535246142 TSecr=1019159907" "38","15.025204","30.106.21.249","30.106.28.1","TCP","70","50293 > http [FIN, ACK] Seq=81 Ack=330 Win=15744 Len=0 TSval=1019159909 TSecr=535246142" "39","15.025214","30.106.28.1","30.106.21.249","TCP","70","http > 50293 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535246142 TSecr=1019159909" "40","15.025216","30.106.21.249","30.106.28.1","TCP","70","[TCP Keep-Alive] 50293 > http [ACK] Seq=81 Ack=329 Win=15744 Len=0 TSval=1019159909 TSecr=535246142" "41","15.025220","30.106.28.1","30.106.21.249","TCP","70","[TCP Keep-Alive ACK] http > 50293 [ACK] Seq=330 Ack=82 Win=263448 Len=0 TSval=535246142 TSecr=1019159909" "42","15.025719","30.106.21.249","30.106.28.1","TCP","100","50293 > http [RST, ACK] Seq=82 Ack=330 Win=0 Len=42" Thank you for your help.
Monitor regex
How do I interpret multiple lines returned as a regex? I need a passing health check for all of the return conditions below... About to connect() to x.x.x.x port 5000 (0) Trying x.x.x.x... connected Connected to x.x.x.x (x.x.x.x) port 5000 (0) GET /healthcheck HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8Ä zlib/1.2.3 libidn/0.6.5 Host: x.x.x.x:5000 Accept: <5e8b83e0-cc61-4440-b2dd-20fb6ab3a303>/ HTTP 1.0, assume close after body < HTTP/1.0 200 OK < Content-Type: text/html; charset=utf-8 < Content-Length: 85 < Server: Werkzeug/0.11.5 Python/2.7.5 < Date: Wed, 23 Mar 2016 17:51:51 GMT < APP: OK TOMCAT: OK MAINTENANCE: False HOSTNAME: healthcheck-dev Closing connection 0 Can I use the & operator? And what would i use to designate a new line? Appreciate any help.
Prevent HTTP monitor from sending TCP RST when receive string arrives
I learned something today! I never knew that HTTP monitors may send a TCP RST as soon as they see the receive string they're watching for. See: https://support.f5.com/kb/en-us/solutions/public/9000/800/sol9812.html Unfortunately, a couple of our real servers do copious logging when that happens, and the application team would like to prevent that behavior. Is there any way to cause the HTTP monitor to always read to completion the response? I don't want to keep-alive/pipeline (even if that's possible with a monitor - sounds counterintuitive) because I want each call's success/failure to be a reflection of what a new client connection would encounter. thx!
