Forum Discussion
BigIP LTM is responding to ping requests for addresses that do not exist in our network
Our network personnel have informed me that our non-production BigIP LTM is responding to ping requests for addresses that do not exist in our network.
Question: why is the BigIP responding to any ping requests? Should it be routing the ICMP traffic through to the hosts? Question: how can we stop the BigIP from responding to ping requests to non-existing addresses?
11 Replies
If it's responding to pings from addresses not on your network, then it sounds like your network guys may need to look at their ACLs... it sounds like there may be more to this issue than what is presented here.
Which addresses on your LTM are responding to pings? Is it one of your virtual servers or the management interface? Regardless, you can firewall off any ICMP requests that hit the LTM.
- Brian_Durkin_14
Nimbostratus
Actually, this is a known issue with BigIP:
sol15469: Loading the BIG-IP configuration from the command line may incorrectly enable ICMP Echo for virtual addresses
There are two solutions:
1. Disable ICMP Echo for a virtual address using the following command syntax: tmsh modify ltm virtual-address icmp-echo
2. Upgrade the S/W from 11.5.1 to 11.6.0.
- shaggy
Nimbostratus
The F5 can respond to pings for addresses it owns (Self-IP, SNAT, virtual IP addresses). I believe that it can respond to ICMP requests for networks that are defined in its virtual address list as well. If you have any network virtual servers (IP forwarding, fast-l4, etc.), verify that those network virtual addresses have ICMP disabled. Navigate to Local Traffic | Virtual Servers | Virtual Address List, click on the network address, and verify "ICMP Echo" is disabled. Keep in mind, depending on the forwarding-vs configuration, this could prevent ICMP messages from being passed through to backend networks.
- Brian_Durkin_14
Nimbostratus
Thanks Shaggy; I will take that into consideration if I disable the ICMP echo. Brian
- pdiab_72047
Nimbostratus
What about hosts that do not exist? We ran a vulnerability scan on subnets that sit on the F5, and we received replies from IPs that are not on the subnet yet.
- nitass
Employee
What about hosts that do not exist? We ran a vulnerability scan on subnets that sit on the F5, and we received replies from IPs that are not on the subnet yet.
Do you have a network virtual server address with arp and icmp-echo enabled?
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual-address 192.168.0.0 all-properties
ltm virtual-address 192.168.0.0 {
    address 192.168.0.0
    app-service none
    arp enabled
    auto-delete true
    connection-limit 0
    description none
    enabled yes
    floating enabled
    icmp-echo enabled
    inherited-traffic-group false
    mask 255.255.255.0
    metadata none
    partition Common
    route-advertisement disabled
    server-scope any
    traffic-group traffic-group-1
    unit 1
}
- pdiab_72047
Nimbostratus
It is actually a directly connected network and not a VIP subnet. Why would the F5 reply in the first place for a host that doesn't exist on that subnet? And it looks like the MAC is for the VLAN on the F5 and not the physical interface on the F5.
- nitass
Employee
It is actually a directly connected network and not a VIP subnet.
Is there a wildcard virtual server address (0.0.0.0/0)? Are arp and icmp-echo enabled there?
It looks like the MAC is for the VLAN on the F5 and not the physical interface on the F5.
sol14513: MAC address assignment for interfaces, trunks, and VLANs (11.x)
https://support.f5.com/kb/en-us/solutions/public/14000/500/sol14513.html
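As an added example (not code from the thread or from F5), here is a small Python audit that parses output in the form of the `tmsh list ltm virtual-address ... all-properties` block quoted above and flags network (non-/32) virtual addresses that have arp or icmp-echo enabled, which is the configuration nitass and shaggy ask about. The sample output below is constructed and modelled on that block, not captured from a real unit.

```python
import re

# Constructed sample, modelled on the `tmsh list ltm virtual-address all-properties`
# output quoted in the thread; not captured from a real BIG-IP.
SAMPLE_TMSH_OUTPUT = """\
ltm virtual-address 192.168.0.0 {
    address 192.168.0.0
    arp enabled
    icmp-echo enabled
    mask 255.255.255.0
    partition Common
}
ltm virtual-address 10.0.0.10 {
    address 10.0.0.10
    arp enabled
    icmp-echo enabled
    mask 255.255.255.255
    partition Common
}
ltm virtual-address 0.0.0.0 {
    address 0.0.0.0
    arp disabled
    icmp-echo disabled
    mask 0.0.0.0
    partition Common
}
"""

# One block per virtual address: "ltm virtual-address <name> { ... }"
BLOCK_RE = re.compile(r"ltm virtual-address (\S+) \{(.*?)\n\}", re.S)


def parse_virtual_addresses(text):
    """Map each virtual-address name to its {property: value} pairs."""
    result = {}
    for name, body in BLOCK_RE.findall(text):
        props = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            props[key] = value
        result[name] = props
    return result


def network_addresses_answering(text):
    """Names of non-host (mask != /32) virtual addresses that ARP for or
    answer ICMP echo on behalf of every IP in their subnet, used or not."""
    flagged = []
    for name, props in parse_virtual_addresses(text).items():
        if props.get("mask") == "255.255.255.255":
            continue  # a /32 answering for its own IP is expected
        if "enabled" in (props.get("arp"), props.get("icmp-echo")):
            flagged.append(name)
    return flagged
```

On a real unit, feed it the output of `tmsh list ltm virtual-address all-properties`; the flagged entries are the ones to review under Local Traffic | Virtual Servers | Virtual Address List as shaggy describes.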