Forum Discussion
Forwarding virtual server sends RESET against any IP addresses not associated with virtual server and self-ip addresses
In our environment we have a number of subnets that reside behind our F5s and use them as the default gateway. We have experienced a number of issues when performing network scans using various tools against these subnets, because the F5 replies with a TCP RST packet to connection attempts to non-existent IP addresses in the subnet, which either causes false positives in identifying devices or causes extremely slow performance of the scan activity.
I have reviewed K9812: Overview of BIG-IP TCP RST behavior and have updated TM.RejectUnmatched to false, but this does not seem to have any impact on the associated behavior.
More details
In a recent packet capture, 3 SYN packets are sent from the scan with delays of 3 seconds and 5 seconds between them. Oddly, an RST packet is sent from the F5 (with the IP address of the target IP) for only the first and last packets, with delays of 8 seconds and 5 seconds from the original packets. This pattern is identical for each port scanned.
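The pattern described above (RSTs for only some of the SYNs, arriving seconds late) is what lets you separate gateway-generated resets from resets sent by a real host with a closed port. The following script is an added example, not code from the original thread or from F5: it walks a constructed packet list (sample data, not a real capture), pairs SYN probes with RST replies per flow, and flags flows whose RST behaviour does not look host-like, so scan results can be re-checked before an address is counted as a live device. The `Packet` type, the flow keys and the one-second latency threshold are assumptions of the example.

```python
"""Triage SYN/RST pairs from a capture to spot resets that may be
gateway-generated rather than sent by a real host.

Added example; the packet tuples below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # "S" = SYN probe, "RA" = RST/ACK reply, "SA" = SYN/ACK


# Constructed capture. Flow 1 mirrors the post: three SYNs to an address with
# no host behind it, 3 s and 5 s apart, and only two RSTs, each seconds late.
# Flow 2 is a real host with a closed port: every SYN gets an RST within ms.
# Flow 3 gets no reply at all (dropped or filtered).
SAMPLE = [
    Packet(0.0, "10.1.1.50", "10.2.0.77", 40001, 22, "S"),
    Packet(3.0, "10.1.1.50", "10.2.0.77", 40001, 22, "S"),
    Packet(8.0, "10.1.1.50", "10.2.0.77", 40001, 22, "S"),
    Packet(8.0, "10.2.0.77", "10.1.1.50", 22, 40001, "RA"),
    Packet(13.0, "10.2.0.77", "10.1.1.50", 22, 40001, "RA"),
    Packet(0.0, "10.1.1.50", "10.2.0.10", 40002, 22, "S"),
    Packet(0.002, "10.2.0.10", "10.1.1.50", 22, 40002, "RA"),
    Packet(0.0, "10.1.1.50", "10.2.0.99", 40003, 22, "S"),
]


def classify_flows(packets, max_host_latency=1.0):
    """Return {(target_ip, port, scanner_ip, scanner_port): report}.

    A flow is 'host-like' when every SYN drew an RST within
    max_host_latency seconds; 'suspect' when RSTs are missing for some
    SYNs or arrive later than that (the pattern the post attributes to
    the BIG-IP answering for addresses with no host); 'no reply' otherwise.
    The threshold is an assumption of the example, tune it to your network.
    """
    flows = defaultdict(lambda: {"syn": [], "rst": []})
    for p in sorted(packets, key=lambda pk: pk.ts):
        if "S" in p.flags and "A" not in p.flags:       # bare SYN probe
            flows[(p.dst, p.dport, p.src, p.sport)]["syn"].append(p.ts)
        elif "R" in p.flags:                             # RST or RST/ACK reply
            flows[(p.src, p.sport, p.dst, p.dport)]["rst"].append(p.ts)

    reports = {}
    for key, f in flows.items():
        syns, rsts = f["syn"], f["rst"]
        # Pair replies with probes in order (FIFO); a flow with fewer RSTs
        # than SYNs leaves the later probes unanswered.
        delays = [r - s for s, r in zip(syns, rsts)]
        worst = max(delays, default=None)
        if not rsts:
            verdict = "no reply"
        elif len(rsts) < len(syns) or worst > max_host_latency:
            verdict = "suspect"
        else:
            verdict = "host-like"
        reports[key] = {
            "syns": len(syns),
            "rsts": len(rsts),
            "max_delay": worst,
            "verdict": verdict,
        }
    return reports


if __name__ == "__main__":
    for (ip, port, _, _), rep in sorted(classify_flows(SAMPLE).items()):
        print(f"{ip}:{port:<5} syn={rep['syns']} rst={rep['rsts']} "
              f"max_delay={rep['max_delay']} -> {rep['verdict']}")
```

A "suspect" verdict is a prompt to confirm the address by another means (for example an ARP or host-side check from inside the subnet) before counting it as a live device, and a cluster of suspect flows across a whole subnet is the signature of a gateway answering on behalf of unused addresses.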
1 Reply
- James_Thomson
Employee
What behavior are you hoping to see? Do you want BIG-IP to just route all the scanning traffic?
If so, your forwarding virtual server should be of type "Forwarding IP" and have a destination of the network subnet, like 0.0.0.0/0:0, 10.0.0.0/8:0 or 192.168.10.0/24:0.