CirrostratusDelete VS
Hi,
I am newbie on F5 LTM, my problem, I just deleted a VS from the WEB interface, however, I notice in the FW logs, traffic coming from IP of this VS to other IP destinations, do you have any idea about this problem? Why do I still have traffic? maybe an ip gleaning problem ?
Thanks ,
Hi Poseidon1974 ,
LTM is considered to be default deny. This means that when no traffic processing objects are configured (for example a virtual server and a pool), the BIG-IP system does not process any network traffic. (https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-network-firewall-policies-and-implementations/afm-firewall-default-traffic-processing.html#:~:text=LTM%20is%20considered%20to%20be,not%20process%20any%20network%20traffic)
and in normal scenarios as I know, F5 doesn't send packet with VS IP as source at all, you have three options when F5 create new connection with backend server (Pool Members):-
1- you can use Auto Map and F5 will send packet with SRC IP of (Self IP "if Standalone" or Floating IP "if HA Peer")
2- or use SNAT Pool.
3- or Client IP source if you don't enable "SNAT"so try to traceroute to IP you get in FW logs and check it place in your network.
Hi Poseidon1974 ,
Beside Mostafa_Elsayed and JRahm they described it comprehensively.
Just want to add >>> Check your connection table in your Bigip
use this command :
tmsh show /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port> ( as described in this Article : https://my.f5.com/manage/s/article/K53851362)
Note : Don't run this command withoud using filters the box may crash if you have huge amount of connection table entries.
Use it as I have written above.
then :
If you see any existing connections for that virtual server , you should delete it from connection table.
using this command :
tmsh delete /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port>
