The following pattern is showing up in the ulogd logs, we see this on the puppetmaster front ends but alos on other services that proxy connections
Nov 21 11:26:36 puppetmaster1001 ulogd[23236]: [fw-in-drop] IN=eno1 OUT= MAC=18:66:da:63:3d:08:d0:94:66:5e:c8:02:86:dd SRC=2620:0:861:102:10:64:16:36 DST=2620:0:861:102:10:64:16:73 LEN=60 TC=0 HOPLIMIT=64 FLOWLBL=43734 PROTO=TCP SPT=8141 DPT=58242 SEQ=902339402 ACK=0 WINDOW=0 RST URGP=0 MARK=0
I was able to capture an example TCP stream eliciting this behaviour
1 5.867945 2620:0:861:102:10:64:16:73 → 2620:0:861:107:10:64:48:45 TCP 88 56264 → 8141 [FIN, ACK] Seq=1 Ack=1 Win=358 Len=0 TSval=1115703533 TSecr=3512519644 2 5.867982 2620:0:861:107:10:64:48:45 → 2620:0:861:102:10:64:16:73 TCP 76 8141 → 56264 [RST] Seq=1 Win=0 Len=0
This signature appears to be the result of a tcp half-duplex termination as per rfc1122 section 4.2.2.13 specificly:
A host MAY implement a "half-duplex" TCP close sequence, so
that an application that has called CLOSE cannot continue to
read data from the connection. If such a host issues a
CLOSE call while received data is still pending in TCP, or
if new data is received after CLOSE is called, its TCP
SHOULD send a RST to show that data was lost.
This sounds to me that the front end (puppetmaster1001) is closing a connection to the backend (puppetmaster1002) premultiply i.e. the backed still expected to send more data. As such the backed sends RST to indicate its not happy
I believe this is only happening over IPv6