Forum Discussion
Delete VS
- Aug 01, 2023
Hi Poseidon1974 ,
LTM is considered to be default deny. This means that when no traffic processing objects are configured (for example a virtual server and a pool), the BIG-IP system does not process any network traffic. (https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-network-firewall-policies-and-implementations/afm-firewall-default-traffic-processing.html#:~:text=LTM%20is%20considered%20to%20be,not%20process%20any%20network%20traffic)
And in normal scenarios, as far as I know, F5 doesn't send packets with the VS IP as source at all. You have three options when F5 creates a new connection with a backend server (pool members):
1- You can use Auto Map, and F5 will send packets with the SRC IP of (Self IP "if Standalone" or Floating IP "if HA Peer").
2- Or use a SNAT Pool.
3- Or the client IP as source if you don't enable "SNAT".
So try to traceroute to the IP you get in the FW logs and check its place in your network.
- Aug 02, 2023
Hi Poseidon1974 ,
Mostafa_Elsayed and JRahm described it comprehensively.
Just want to add: check the connection table on your BIG-IP.
Use this command:
tmsh show /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port>
(as described in this article: https://my.f5.com/manage/s/article/K53851362)
Note: Don't run this command without using filters; the box may crash if you have a huge number of connection table entries.
Use it as I have written above.
Then:
If you see any existing connections for that virtual server, you should delete them from the connection table
using this command:
tmsh delete /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port>
A virtual server is an IP address + Port, deleting a single virtual server doesn't necessarily mean that other virtual servers aren't still active for that IP address. Or, as Mostafa_Elsayed pointed out, it could also be in use for snat traffic. Might search the configuration to see where else that IP address might be in use.
Alternatively, there were active connections on that virtual server, and it's possible the traffic is still active on a long-lived connection even after it's removed from the configuration until the connections are terminated. I'm not 100% on that behavior for a deleted virtual server, but just something to investigate.