For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Devlin_T_149357's avatar
Devlin_T_149357
Jun 10, 2014

Checking for port 4353 between GTMs and LTMs

Hi all

 

We need to enable iQuery between our GTMs and LTMs. I have logged onto the GTMs and ran the following command to see if I can connect on port 4353 from the GTM to LTMs, to rule out any firewall/ACL blocking the communication:

 

nc –v –s -self-IP of GTM- -self-IP of LTM- 4353

 

As our LTMs are configured in a redundant active/standby pair I have issued the above command from:

 

GTM-1 -> LTM-1 active (self-IP address)

 

GTM-1 -> LTM-1 standby (self-IP address)

 

GTM-2 -> LTM-2 active (self-IP address)

 

GTM-2 -> LTM-2 standby (self-IP address)

 

And what I found that that the connection from both GTM-1 and GTM-2 -> LTM-1 was successful as indicated by the following output:

 

"tcp/f5-iquery succeeded!"

 

However, the connection between the GTMs and the other LTMs all failed. I am quite certain that there are no firewalls or ACLs in the way. Considering that is there any reason you can think of as to why the TCP connections to the other LTMs are failing?

 

Many thanks

 

application delivery
BIG-IP DNS
deployment
LTM

3 Replies

  • SynACk_128568's avatar
    SynACk_128568
    Icon for Cirrostratus rankCirrostratus
    Jun 10, 2014

    Hi Delvin,

     

    i guess port 22 and 4353 is listening on the F5 device . And on the selfip of LTM portlockdown is allow default or allowed for 4353 ,22 ports .

     

    Big3d version is same on the gtm and ltm . Also crosscheck if any ACL blocking port 4353 ,22 .

     

    LTM are defined in the server list of the GTM and there self ip are added .

     

    Also check for the device certificates if they are working fine .

     

    What error you are getting in /var/log/gtm . You can take packet capture on the LTM to check if any packets are making to LTM What is state is the connection between LTM and GTM . netstat -an output .

     

    Also you can compare the working and non working case and see if any configuration change .

     

  • Devlin_T_149357's avatar
    Devlin_T_149357
    Jun 10, 2014

    Hi SynACk.

     

    As of yet nothing has been defined on the GTMs. In addition I have had it verified that there are no firewalls or ACLs blocking.

     

    I checked further on the LTMs and what I have found is that the self-IP on LTM-1 standby and both LTM-2's are set to port lockdown "Allow None". Only LTM-1 active has the port lockdown set to "Allow All". I believe then that if I change the port lockdown on the LTMs to "Allow Default" then I should be able to establish the iQuery connection fine?

     

    Thanks again.

     

  • SynACk_128568's avatar
    SynACk_128568
    Icon for Cirrostratus rankCirrostratus
    Jun 10, 2014

    Yes put LTM to port lockdown to allow default then iquery will establish let me know if it works