1 | initial version |
If the IP TTL of the TCP/RST packet is 254, it is most likely not sent from the SVI of the 3850 switch, as it would have had an IP TTL of 64, 128 or 255. Assuming the packet was sent with a default IP TTL of either 64, 128 or 255, receiving it with an IP TTL of 254 means it was most likely sent by a device one hop upstream from the 3850.
My bet would be that it was a Loadbalancer or a Firewall that had a session timeout and therefor closed the connection to both sides with a TCP/RST.