Forum Discussion

Poseidon1974
Aug 01, 2023

Delete VS

Hi,

I am a newbie on F5 LTM. My problem: I just deleted a VS from the web interface; however, I notice in the FW logs traffic coming from the IP of this VS to other IP destinations. Do you have any idea about this problem? Why do I still have traffic? Maybe an IP gleaning problem?

Thanks,

  • Hi Poseidon1974 ,

    LTM is considered to be default deny. This means that when no traffic processing objects are configured (for example a virtual server and a pool), the BIG-IP system does not process any network traffic. (https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-network-firewall-policies-and-implementations/afm-firewall-default-traffic-processing.html#:~:text=LTM%20is%20considered%20to%20be,not%20process%20any%20network%20traffic)

    And in normal scenarios, as far as I know, F5 doesn't send packets with the VS IP as source at all. You have three options when F5 creates a new connection to a backend server (pool member):

    1- You can use Auto Map, and F5 will send packets with the SRC IP of the self IP (if standalone) or the floating IP (if an HA peer).
    2- Or use a SNAT pool.
    3- Or the client IP as source if you don't enable SNAT.

    So try to traceroute to the IP you get in the FW logs and check its place in your network.

  • A virtual server is an IP address + port; deleting a single virtual server doesn't necessarily mean that other virtual servers aren't still active for that IP address. Or, as Mostafa_Elsayed pointed out, it could also be in use for SNAT traffic. Might search the configuration to see where else that IP address might be in use.

    Alternatively, there were active connections on that virtual server, and it's possible the traffic is still active on a long lived connection even after it's removed from the configuration until the connections are terminated. I'm not 100% on that behavior for a deleted virtual server, but just something to investigate.

  • Hi Poseidon1974 , 

    Mostafa_Elsayed and JRahm have described it comprehensively.

    Just want to add >>> check your connection table on your BIG-IP
    using this command:
    tmsh show /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port>  (as described in this article: https://my.f5.com/manage/s/article/K53851362)
    Note: Don't run this command without using filters; the box may crash if you have a huge number of connection table entries.
    Use it as I have written above.

    Then:

    If you see any existing connections for that virtual server, you should delete them from the connection table
    using this command:
    tmsh delete /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port>
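The two checks suggested in the replies above (search the configuration for every object that still references the address, then inspect the connection table with a filter) can be combined into one script run from the BIG-IP bash shell. This is an added example, not code from the thread or from F5: the `tmsh list ... one-line` and `tmsh show sys connection` commands are real, but the `SAMPLE` output, the address 10.1.10.50 and the object names are constructed so the reference search can be exercised offline. When `tmsh` is not present the script runs the search against that sample instead of the live configuration.

```bash
#!/bin/bash
# Added example (not from the forum thread): find every BIG-IP config object that
# still references an address, then look at its connection-table entries.
set -u

# Constructed sample approximating "tmsh list ... one-line" output, for offline use.
# 10.1.10.50 is the address of the deleted VS; vs_web_80, the virtual-address object
# and snat_out still reference it, while 10.1.10.51 and the 10.1.10.5/24 self IP do not.
SAMPLE='ltm virtual vs_other_443 { destination 10.1.10.51:443 ip-protocol tcp mask 255.255.255.255 pool pool_other source 0.0.0.0/0 }
ltm virtual vs_web_80 { destination 10.1.10.50:80 ip-protocol tcp mask 255.255.255.255 pool pool_web source 0.0.0.0/0 source-address-translation { type automap } }
ltm virtual-address 10.1.10.50 { address 10.1.10.50 arp enabled mask 255.255.255.255 traffic-group traffic-group-1 }
ltm snatpool snat_out { members { 10.1.10.50 } }
net self self_ext { address 10.1.10.5/24 allow-service none traffic-group traffic-group-local-only vlan external }'

# find_refs ADDR: read one-line config objects on stdin, print "<module> <type> <name>"
# for each object whose definition contains ADDR as a whole token (so 10.1.10.5
# does not match 10.1.10.50 and vice versa).
find_refs() {
    addr="$1"
    esc=$(printf '%s' "$addr" | sed 's/\./\\./g')
    grep -E "(^|[^0-9.])${esc}([^0-9]|$)" | awk '{print $1, $2, $3}'
}

# list_live_refs ADDR: same search against the running configuration. Object types
# listed here are the ones that can own or use an address (virtual servers, the
# virtual-address object that outlives a deleted VS while other VSs share it,
# SNAT pools, SNAT/NAT objects and self IPs).
list_live_refs() {
    {
        tmsh list ltm virtual one-line
        tmsh list ltm virtual-address one-line
        tmsh list ltm snatpool one-line
        tmsh list ltm snat one-line
        tmsh list ltm nat one-line
        tmsh list net self one-line
    } | find_refs "$1"
}

main() {
    addr="$1"
    if command -v tmsh >/dev/null 2>&1; then
        echo "Objects still referencing ${addr}:"
        list_live_refs "$addr"
        # Always filter the connection table; an unfiltered show can be enormous.
        echo "Connection-table entries with ${addr} as client-side server address:"
        tmsh show sys connection cs-server-addr "$addr"
        echo "To flush them: tmsh delete sys connection cs-server-addr ${addr}"
    else
        echo "tmsh not found; searching constructed sample for ${addr}:"
        printf '%s\n' "$SAMPLE" | find_refs "$addr"
    fi
}

main "${1:-10.1.10.50}"
```

Run it as `bash find_refs.sh 10.1.10.50` on the BIG-IP. If the address turns up in a `snatpool`, `snat` or `net self` object, the outbound flows in the firewall logs are expected; if it only turns up as a `virtual-address` with no remaining `ltm virtual`, the flows are most likely leftover connection-table entries, which the filtered `tmsh delete sys connection` command clears.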

  • Poseidon1974 - If your post was solved it would be helpful to the community to select *Accept As Solution*.
    This helps future readers find answers more quickly and confirms the efforts of those who helped.
    Thanks for being part of our community.
    Lief

    UPDATE: marked two answers as Solutions; the conversation looks to have wrapped up.
    - feel free to unselect if I am incorrect.