
Forum Discussion

BankIT
Nimbostratus
Sep 27, 2019

Forwarding virtual server sends RESET against any IP addresses not associated with virtual server and self-ip addresses

In our environment we have a number of subnets that reside behind our F5s and use them as the default gateway. We have experienced a number of issues when performing network scans using various tools against these subnets, because the F5 replies with a TCP RST packet to attempts to non-existent IP addresses in the subnet, which either causes false positives in identifying devices or causes extremely slow performance of the scan activity.

I have reviewed K9812: Overview of BIG-IP TCP RST behavior and have updated TM.RejectUnmatched to false, but this does not seem to have any impact on the associated behavior.

More details

In a recent packet capture, 3 SYN packets are sent from the scan with delays of 3 seconds and 5 seconds between them. Oddly, a RST packet is sent from the F5 (with the IP address of the target IP) for only the first and last packet, with delays of 8 seconds and 5 seconds from the original packet. This pattern is identical for each port scanned.

1 Reply

  • What behavior are you hoping to see? Do you want BIG-IP to just route all the scanning traffic?

    If so, your forwarding virtual server should be of type "Forwarding IP" and have a destination of the network subnet like 0.0.0.0/0:0 or 10.0.0.0/8:0 or 192.168.10.0/24:0
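The tmsh sequence below is an added example for this thread, not commands posted by either participant and not copied from F5 documentation. It ties together the two things discussed above: verifying the TM.RejectUnmatched setting the poster changed (K9812), and creating the "Forwarding IP" virtual server the reply suggests. The virtual server name fwd_internal, the VLAN name internal and the 10.20.0.0/16 subnet are assumptions; substitute your own. The RST-cause logging variables come from F5's documented RST logging feature (K13223) and are included so a capture shows which code path generated each RST.

```tmsh
# Added example (not from the thread). fwd_internal, VLAN "internal" and
# 10.20.0.0/16 are assumed names/values; replace them for your environment.

# 1. Confirm the db variable is really false. Per K9812, tm.rejectunmatched
#    true = send RST for packets that match no virtual server or self IP,
#    false = silently drop them instead.
list sys db tm.rejectunmatched
modify sys db tm.rejectunmatched value false

# 2. Have BIG-IP record why it sent each RST, both in /var/log/ltm and in
#    the RST packet itself, so the next capture is not a guessing game.
modify sys db tm.rstcause.log value enable
modify sys db tm.rstcause.pkt value enable
#    From bash on the BIG-IP while the scan runs (example filter, assumed
#    interface 0.0 with the :nnn suffix so the RST cause is shown):
#      tcpdump -ni 0.0:nnn 'tcp[tcpflags] & tcp-rst != 0'

# 3. Forwarding IP virtual server covering the subnet behind the BIG-IP,
#    as the reply suggests. fastL4 is the usual profile for IP forwarding;
#    address/port translation is disabled so packets are routed, not proxied.
#    Drop the two vlans options to listen on every VLAN.
create ltm virtual fwd_internal destination 10.20.0.0:0 mask 255.255.0.0 ip-forward profiles add { fastL4 } vlans add { internal } vlans-enabled translate-address disabled translate-port disabled
#    A catch-all equivalent of the reply's 0.0.0.0/0:0 would be:
#      create ltm virtual fwd_any destination 0.0.0.0:0 mask any ip-forward profiles add { fastL4 }

save sys config
```

Expect the scan to behave differently, not faster: once the SYN matches the forwarding virtual server it is routed toward the target subnet, and a SYN for an address that has no host is never answered (ARP never resolves), so the scanner sees a timeout instead of a RST. That removes the false-positive "host up" results described in the question; the per-probe timeout is then governed by the scanner's own settings rather than by the BIG-IP.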