Currently I see that my F5 is reaching out to the servers in my server pools on low ephemeral ports for health monitoring. For example, I have a health monitor for DNS so that the F5 reaches out to the DNS servers to ensure that DNS is working properly. The source port coming from the F5 has a huge range from sometimes 7000 up to 65535. We are trying to standardize the ephemeral ports used in our datacenter to use the standard Microsoft ephemeral ports, 49152 - 65535 for ACI filtering. Can I manually change which ports the F5 uses to send requests on? I know we are currently doing this with Linux servers, so I'd like to do it with the F5s as well.

Same as you would on a linux host: echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range

I ran that command on each F5 but am still seeing it try to communicate on 43900 and lower. Do I need to perform a system reboot for the changes to take effect, or something of that nature?

That will apply after a reboot. Try, sysctl -w net.ipv4.ip_local_port_range = 49152 65535

Can I change the default ephemeral ports that the F5 uses for health monitoring?

ekaleido
Cirrus
May 11, 2016
Same as you would on a linux host:

echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range
- Sarah_258804
  Cirrus
  May 11, 2016
  Hm, so I have found that after a reboot the port range went back to using 32768 - 61000. Furthermore, I'm seeing that the F5 monitors are reaching out on ports even lower than that (5612). [ Wed May 11 16:44:37 2016 830113 usecs]: Src IP: 10.251.12.3, Dst IP: 10.251.113.11, Src Port: 5929, Dst Port: 80, Src Intf: port-channel11 , Protocol: 6 The source IP from the F5 is it's own self-IP on a port-channel interface. I'm not sure if that matters, but could there be another location where it's pulling its own source port range?
- ekaleido
  Cirrus
  May 11, 2016
  It should. And since you did the echo above, anytime it does reboot it will come back with the ephermeral range configured.
- Sarah_258804
  Cirrus
  May 11, 2016
  That command took. And this will ensure that the F5 will start using only these ephemeral ports without the need of a reboot, correct?
ekaleido_26616
Cirrocumulus
May 11, 2016
Same as you would on a linux host:

echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range
- Sarah_258804
  Cirrus
  May 11, 2016
  Hm, so I have found that after a reboot the port range went back to using 32768 - 61000. Furthermore, I'm seeing that the F5 monitors are reaching out on ports even lower than that (5612). [ Wed May 11 16:44:37 2016 830113 usecs]: Src IP: 10.251.12.3, Dst IP: 10.251.113.11, Src Port: 5929, Dst Port: 80, Src Intf: port-channel11 , Protocol: 6 The source IP from the F5 is it's own self-IP on a port-channel interface. I'm not sure if that matters, but could there be another location where it's pulling its own source port range?
- ekaleido_26616
  Cirrocumulus
  May 11, 2016
  It should. And since you did the echo above, anytime it does reboot it will come back with the ephermeral range configured.
- Sarah_258804
  Cirrus
  May 11, 2016
  That command took. And this will ensure that the F5 will start using only these ephemeral ports without the need of a reboot, correct?

Forum Discussion

Can I change the default ephemeral ports that the F5 uses for health monitoring?

Recent Discussions

APM with EntraID as idP / request signed

Should config via cli rather than gui?

Background Tasks

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Parameteters in default https monitor

WILS: Load Balancing and Ephemeral Port Exhaustion

FQDN nodes in non-default route domains

iRule based RADIUS Health Monitor Builder

HTTP Monitor

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS