Forum Discussion
robert_blair_75
Nimbostratus
NimbostratusMonitoring Traffic?
I am running Big-ip 9.4.8
Setup:
ExternalA network:
- 10.10.10.0/24
ExternalB network:
- 20.20.20.0/24
Internal network:
- 30.30.30.0/24
Default_gateway_virtual_server
- Network: 0.0.0.0
- Pool: default_gateway_pool
- SNAT: Automap
Pool: Default_gateway_pool
-members: 10.10.10.1 & 20.20.20.1
Floating Self ip:
- 10.10.10.5
- 20.20.20.5
- 30.30.30.5
Virtual Server
- Ip: 10.10.10.100
- Pool: webserver
- Disabled
Virtual Server
- Ip: 20.20.20.100
- Pool: webserver
- Disabled
Pool: webserver
- node: 30.30.30.100
- no monitors on pool or members.
I am seeing some interesting traffic via TCPdump:
- Using TCPdump on the external vlans; I am seeing traffic from both external self ips (10.10.10.5 and 20.20.20.5) to the virtual servers 10.10.10.100 & 20.20.20.100 with a variety of ports (I assume this due to SNAT).
- TCPDump does not show the destination host traffic on the internal vlan.
- Found “Inet port exhaustion on 20.20.20.5 to 20.20.20.100:445 proto 6” in the local traffic log.
- Found “Inet port exhaustion on 10.10.10.5 to 10.10.10.100:1433 proto 6” in the local traffic log.
The monitors I do have defined are monitoring the internal ips 30.30.30.x, It appears that the Bigip is generating this traffic but I do not see why? Any insight would be great…
hoolioCirrostratus
Hi Robert,
Can you clarify what you're testing and what problems you're encountering? Also, when you note "disabled" for the virtual servers, do you mean the VIP is disabled?
If you're seeing port exhaustion on the self IP address, you might consider adding more floating self IP addresses on the VLANs the issue is occurring on.
Aaron
robert_blair_75Aaron,
Yes the virtual server is disabled, I am trying to understand why I am seeing traffic from the external self ips (10.10.10.5 and 20.20.20.5) to an external virtual server 10.10.10.100. I am not monitoring anything related to the vip/pool.
Thanks ...- hoolioDo you have clients originating traffic through a SNAT to the virtual servers? I'd guess this might be web server to app VIP type traffic. You could check the connection table using 'b conn all show all' to see who the clients are.
Aaron - robert_blair_75Clients do not access via SNAT (External ->Inbound Wide IP->Virtual Server)
Here is a sampling of the connection information:
VIRTUAL any:any <-> NODE 10.10.10.100:microsoft-ds TYPE any
CLIENTSIDE 20.20.20.5:52364 <-> 10.10.10.100:microsoft-ds
(pkts,bits) in = (4, 400) out = (2, 120)
SERVERSIDE 20.20.20.5:52592 <-> 10.10.10.100:microsoft-ds
(pkts,bits) in = (2, 120) out = (4, 400)
PROTOCOL tcp UNIT 1 IDLE 118 (300) LASTHOP 4091 00:15:63:aa:b1:48
VIRTUAL any:any <-> NODE 20.20.20.100:microsoft-ds TYPE any
CLIENTSIDE 10.10.10.5:13476 <-> 20.20.20.100:microsoft-ds
(pkts,bits) in = (4, 365) out = (2, 120)
SERVERSIDE 10.10.10.5:13708 <-> 20.20.20.100:microsoft-ds
(pkts,bits) in = (2, 120) out = (4, 365)
PROTOCOL tcp UNIT 1 IDLE 155 (300) LASTHOP 4092 00:23:04:4e:fc:80
It appears the source port is random (due to snat automap) but the destination port is always microsoft-ds or netbios-ssn. It cycles through all of the virtual servers, even if they are disabled and do not have a wide ip defined to them. I assume the only traffic with the floating self-ip as the source should be originating from a different Vlan like the internal Vlan but I never see the destination host on the internal Vlan via TCPdump.
If this was external traffic, I should see the external source ip. Currently this is generating allot of connections.
Thanks … - hoolioIf you look at the full 'b conn all show all' output, do you see any client IP addresses who have a source port the same as one of the self IP connections? For example, from your last post, was there another connection also from port 52364?
Aaron - robert_blair_75Hopefully I am answering your question correctly, I searched the output for port 52364 as an example.
It appears that 52364 is only being used as a source port from both self ip
CLIENTSIDE 10.10.10.5:52364 <-> 20.20.20.142:microsoft-ds
CLIENTSIDE 10.10.10.5:52364 <-> 10.10.10.169:2967
CLIENTSIDE 20.20.20.5:52364 <-> 20.20.20.144:135
SERVERSIDE 10.10.10.5:52364 <-> 20.20.20.144:135
CLIENTSIDE 20.20.20.5:52364 <-> 10.10.10.145:2967
CLIENTSIDE 20.20.20.5:52364 <-> 20.20.20.142:microsoft-ds
SERVERSIDE 10.10.10.5:52364 <-> 20.20.20.142:microsoft-ds
SERVERSIDE 10.10.10.5:52364 <-> 10.10.10.145:2967
CLIENTSIDE 10.10.10.5:52364 <-> 10.10.10.145:2967
SERVERSIDE 20.20.20.5:52364 <-> 10.10.10.145:2967
CLIENTSIDE 20.20.20.5:52364 <-> 10.10.10.150:microsoft-ds
SERVERSIDE 20.20.20.5:52364 <-> 10.10.10.147:microsoft-ds
CLIENTSIDE 20.20.20.5:52364 <-> 10.10.10.147:microsoft-ds
SERVERSIDE 10.10.10.5:52364 <-> 10.10.10.150:microsoft-ds
CLIENTSIDE 10.10.10.5:52364 <-> 10.10.10.150:microsoft-ds
SERVERSIDE 20.20.20.5:52364 <-> 10.10.10.150:microsoft-ds
CLIENTSIDE 10.10.10.5:52364 <-> 20.20.20.144:135
"B conn all show all" display all current connections ?
Thanks … - The_BhattmanYes. However, be aware that there is a limitation which are fixed on certain software branches and others still remain
You can find more details by going to ask.f5.com
https://support.f5.com/kb/en-us/solutions/public/6000/500/sol6573.html
CB - hoolioThat's still quite curious. So you have GTM running in the environment? Is it an LTM/GTM combo or separate units?
Aaron - robert_blair_75This is a pair of 9.4.8 LTM running High Availability.
Thanks ... - robert_blair_75Aaron
I will open a case, thanks for your help and will let you know what happens.
Thanks ...
