Hi Ian,
There are two related solutions on AskF5 for this message:
SOL9259: Limiting the rate at which the BIG-IP system issues TCP RSTs or ICMP unreachable packets
https://support.f5.com/kb/en-us/solutions/public/9000/200/sol9259.html
When the BIG-IP system receives a packet matching a virtual server address and port or self IP address and port, but the packet is not a SYN packet and does not match an established connection, the following error message is logged to the /var/log/ltm directory:
011e0001:4: Limiting open port RST response from to packets/sec
SOL9812: Overview of BIG-IP TCP RST behavior
https://support.f5.com/kb/en-us/solutions/public/9000/800/sol9812.html
TM.RejectUnmatched
By default, the TM.RejectUnmatched bigdb variable is set to true and the BIG-IP system sends a TCP RST packet in response to a non-SYN packet that matches a virtual server address and port or self IP address and port, but does not match an established connection. The BIG-IP system also sends a TCP RST packet in response to a packet matching a virtual server address or self IP address, but specifying an invalid port. The TCP RST packet is sent on the client-side of the connection, and the source IP address of the reset is the relevant BIG-IP LTM object address or self IP address for which the packet was destined. If TM.RejectUnmatched is set to false, the system silently drops unmatched packets.
If you're seeing this consistently, it would seem that there might be asynchronous communication where a host is sending packets to a defined VIP which don't have a corresponding connection table entry.
You can check this post for some suggestions on troubleshooting this:
Methodolgy to ID source of DOS attack
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=32&tpage=1&view=topic&postid=31931
Aaron
Nimbostratus
