Forum Discussion

T5C's avatar
T5C
Icon for Altocumulus rankAltocumulus
Oct 10, 2022

BIGIP resets connecion

Hello Team

How to check what's the reason for resetting connection from F5  in this situation:  F5  receives from server 'application/octet-stream' http first packet, acknoledges it and then sends rst to client and server. When rst logging is enabled (sys db tm.rstcause.log value enable) in logs there's no information regarding what causes reset that connection. There's no ASM module provisioned also. Why F5 would send reset to client and then to server ? Is there another command / log switch which can show this reason ?

Regards, TC

 

  • Hello,

    what great news, that it is working now. I think you can extract the headers and value pairs and check them by yourself and compare header names and values with RFC.

    For example, the following HTTP request from the client causes the connection to be reset:

    POST /web/page HTTP/1.1
    Accept: */*
    aaabbbccc
    Cache-Control: no-cache
    Content-Length: 438

    Note: The aaabbbccc header is malformed because it does not conform to the name: value syntax. 

    Using another example, the following HTTP request from the client also causes the connection to be reset:

    POST /web/page HTTP/1.1
    Accept: */*
    aaabbbccc :
    Cache-Control: no-cache
    Content-Length: 438

    Note: If there is a white space between the field name (aaabbbccc) and colon (:), then the request fails and the system considers it to be malformed. Full details about HTTP header restrictions are described in IETF RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing.This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

    Reference: https://support.f5.com/csp/article/K38905534

     

    Unfortunately, it is not mentioned in any of F5 articles how to check for the malformed header and know the header specifically, so you can check it by yourself by getting all of the header names and values.

    BR,

    Mohamed Salah

7 Replies

  • Hello,

    For the RST logging, you mentioned that it is enabled, so please check the below article for checking the statistics and an example of the log messages.

    https://support.f5.com/csp/article/K13223

     

    if you didn't find any log entries regarding the issue, you can start generating a tcpdump (Packet capture) using a command like the below on bash:

    #tcpdump -nnnveti 0.0:nnnp host "filter by an IP" and port "add port" -s0 -S -w /var/log/pcapname.pcap

    Example:

    tcpdump -nnnveti 0.0:nnnp host 172.20.10.1 and port 443 -s0 -S -w /var/log/pcapname.pcap

    and then the cause might be mentioned in the generated file as per the below exmaple:

    If the traffic is encrypted, and you are making SSL ofloading on F5, you can check the below link to decrypt the traffic in the capture.

    https://support.f5.com/csp/article/K12783074

    BR,

    Mohamed Salah

     

      • T5C's avatar
        T5C
        Icon for Altocumulus rankAltocumulus

        I've checked it is reseted because  "Malformed HTTP header error". I suspect specific header but would like to be sure that it is because of that header -  how to check which http header caused an error/is it possible to display such information ?

  • T5C's avatar
    T5C
    Icon for Altocumulus rankAltocumulus

    Hello,

    When http profile is changed to http transparent - everything works OK. (it looks that header which was suspicious has the same value on another environment on different device - and on that device everything is working fine).

    How to check what header is malformed ? Is there any way to debug it ?

    • Hello,

      what great news, that it is working now. I think you can extract the headers and value pairs and check them by yourself and compare header names and values with RFC.

      For example, the following HTTP request from the client causes the connection to be reset:

      POST /web/page HTTP/1.1
      Accept: */*
      aaabbbccc
      Cache-Control: no-cache
      Content-Length: 438

      Note: The aaabbbccc header is malformed because it does not conform to the name: value syntax. 

      Using another example, the following HTTP request from the client also causes the connection to be reset:

      POST /web/page HTTP/1.1
      Accept: */*
      aaabbbccc :
      Cache-Control: no-cache
      Content-Length: 438

      Note: If there is a white space between the field name (aaabbbccc) and colon (:), then the request fails and the system considers it to be malformed. Full details about HTTP header restrictions are described in IETF RFC 7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing.This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

      Reference: https://support.f5.com/csp/article/K38905534

       

      Unfortunately, it is not mentioned in any of F5 articles how to check for the malformed header and know the header specifically, so you can check it by yourself by getting all of the header names and values.

      BR,

      Mohamed Salah

      • T5C's avatar
        T5C
        Icon for Altocumulus rankAltocumulus

        Hello

        One of http headers was set by appication server with inappropriate value without ending \r\n, only \r.

        After impementing changes by application team now it works great.

        BR,

        TC.