Health check failing - tcp/54321 - is this more than a coincidence?
For the record, this affects all versions of:
*v11.5.0*
*v11.5.1*
and most likely *v11.6.0* when it is released.
-
Run the following commands to update your current iptables rules:
/sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
-
Run the following commands to add the iptables rules to /config/startup. This will ensure that these iptables rules persist upon reboot and upgrades:
echo "/sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable" >> /config/startup
echo "/sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset" >> /config/startup
echo "/sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset" >> /config/startup
The synopsis of this bug is that there is an iptables rule that was implemented to secure a Websense vulnerability.
In the process, the iptables rule was created in a rule that would block ALL Traffic to ALL Interfaces of a BIG-IP device.
This means that all traffic sourced from the BIG-IP with an ephemeral port of :54321 will be RST when the peer device sends its SYN,ACK (as you see above in DSS Gateway's post).
I highly recommend that anybody running v11.5+ perform the above steps to ensure your system is not incorrectly blocking traffic that has been sourced by the BIG-IP with an ephemeral port of 54321.
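Added example, not from the post above or from F5: a small POSIX shell model of the two rule shapes the thread contrasts (the original "-p tcp --dport 54321 -j REJECT" rule versus the corrected one with "--tcp-flags ACK,SYN SYN"), showing that only the broad shape rejects the peer's SYN,ACK reply to a connection the BIG-IP sourced from ephemeral port 54321, plus a classifier that flags the broad rule in `iptables -S INPUT` output. The sample output is constructed and does not touch a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post). Models the two rule shapes from the
# thread, checks which packets each would reject, and classifies tcp/54321 REJECT
# rules found in constructed "iptables -S INPUT" output. No live firewall is touched.

# Does a rule of the given shape reject a TCP packet with this dport and flag set?
# shape: "broad"  = "-p tcp --dport 54321 -j REJECT" (the original, over-broad rule)
#        "narrow" = "... --tcp-flags ACK,SYN SYN -j REJECT" (the corrected rule)
# flags: comma-separated TCP flags, e.g. "SYN" or "SYN,ACK"
rule_rejects() {
    shape=$1; dport=$2; flags=$3
    [ "$dport" = "54321" ] || return 1
    case $shape in
        broad) return 0 ;;      # any TCP to 54321, including SYN,ACK replies to our own connections
        narrow)
            # --tcp-flags ACK,SYN SYN: look only at SYN and ACK; match when SYN set and ACK clear
            case ",$flags," in
                *,ACK,*) return 1 ;;
                *,SYN,*) return 0 ;;
                *)       return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Classify the tcp/54321 REJECT rules in `iptables -S INPUT` output passed as $1.
# Prints "broad" (exit 1) if any such rule lacks --tcp-flags, "narrow" (exit 0)
# if all have it, "none" (exit 2) if no such rule exists.
classify_54321_rules() {
    rules=$(printf '%s\n' "$1" | grep -- '--dport 54321' | grep -- '-j REJECT' || true)
    if [ -z "$rules" ]; then echo none; return 2; fi
    if printf '%s\n' "$rules" | grep -v -- '--tcp-flags' | grep -q .; then
        echo broad; return 1
    fi
    echo narrow; return 0
}

# Constructed sample output (assumed format) for an affected and a remediated system.
SAMPLE_BROAD='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_FIXED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 --tcp-flags SYN,ACK SYN -j REJECT --reject-with tcp-reset'
```

Real `iptables -S` output may print the flag mask in a different order than the constructed sample; the classifier only keys on the presence of `--tcp-flags`, so that does not affect the result.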