Forum Discussion
robert_blair_75
Nimbostratus
Nov 05, 2009
Monitoring Traffic?
I am running Big-ip 9.4.8
Setup:
ExternalA network:
- 10.10.10.0/24
ExternalB network:
- 20.20.20.0/24
Internal network:
- 30.30.30.0/24
Default_gateway_virtual_server
- Network: 0.0.0.0
- Pool: default_gateway_pool
- SNAT: Automap
Pool: Default_gateway_pool
- members: 10.10.10.1 & 20.20.20.1
Floating Self ip:
- 10.10.10.5
- 20.20.20.5
- 30.30.30.5
Virtual Server
- Ip: 10.10.10.100
- Pool: webserver
- Disabled
Virtual Server
- Ip: 20.20.20.100
- Pool: webserver
- Disabled
Pool: webserver
- node: 30.30.30.100
- no monitors on pool or members.
I am seeing some interesting traffic via TCPdump:
- Using TCPdump on the external vlans, I am seeing traffic from both external self ips (10.10.10.5 and 20.20.20.5) to the virtual servers 10.10.10.100 & 20.20.20.100 with a variety of ports (I assume this is due to SNAT).
- TCPDump does not show the destination host traffic on the internal vlan.
- Found “Inet port exhaustion on 20.20.20.5 to 20.20.20.100:445 proto 6” in the local traffic log.
- Found “Inet port exhaustion on 10.10.10.5 to 10.10.10.100:1433 proto 6” in the local traffic log.
The monitors I do have defined are monitoring the internal ips 30.30.30.x. It appears that the Bigip is generating this traffic, but I do not see why. Any insight would be great…
14 Replies
- robert_blair_75
Nimbostratus
I had a default gateway virtual server (0.0.0.0:0) enabled on all vlans. The fix was to enable the virtual server only on the internal vlan. Otherwise the external traffic was being natted.
Thanks for your help.
- hoolio
Cirrostratus
So why were the self IPs connecting to VIPs? I assume that was the backside of a connection. But what was initiating the connection and why wasn't it showing in the connection table?
Aaron
- robert_blair_75
Nimbostratus
I ran (2) tcpdumps:
- 1 for filtering on the destination and excluding the LTM self ip.
- 2 for all traffic.
Once I noticed traffic on the 1st tcpdump, I stopped the 2nd one and then searched for the port the snat address was using.
I discovered the source of the traffic was external and once it hit the LTM it was natted.
The traffic destination services were for netbios, dns, etc. Since the destination virtual server would not accept this type of traffic, the default gateway virtual server (0.0.0.0:0) accepted the traffic and natted the address.
The virtual server was disabled so I think the traffic was bouncing back and forth between the self ip and virtual server.
- hoolio
Cirrostratus
Interesting... thanks for the info. That was an odd one.
Aaron
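The symptom reported in this thread can be picked out of the local traffic log automatically. The following is an added example, not code from any poster or from F5: it scans log lines for the "Inet port exhaustion" message quoted above and counts the cases where an external self IP is the SNAT source toward one of the box's own virtual servers. The addresses come from the setup in the first post; the function name and the timestamp/host prefix on the sample lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the thread; any prefix before it is ignored.
EXHAUSTION = re.compile(
    r"Inet port exhaustion on (?P<src>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) proto (?P<proto>\d+)"
)

# Addresses taken from the setup described in the first post.
SELF_IPS = {"10.10.10.5", "20.20.20.5", "30.30.30.5"}
VIRTUAL_SERVERS = {"10.10.10.100", "20.20.20.100"}
EXTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/24"),
                 ipaddress.ip_network("20.20.20.0/24")]


def find_snat_hairpins(lines):
    """Count exhaustion events where a self IP on an external VLAN is the
    source and a local virtual server on the same subnet is the destination."""
    hits = Counter()
    for line in lines:
        m = EXHAUSTION.search(line)
        if not m:
            continue  # unrelated log line
        src, dst = m["src"], m["dst"]
        if src not in SELF_IPS or dst not in VIRTUAL_SERVERS:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Both ends on the same external subnet: the pattern from the thread.
        if any(src_ip in net and dst_ip in net for net in EXTERNAL_NETS):
            hits[(src, dst, int(m["port"]))] += 1
    return hits


# Constructed sample log lines (the prefix format is illustrative only).
SAMPLE_LOG = """\
Nov  5 10:01:02 ltm1 tmm: Inet port exhaustion on 20.20.20.5 to 20.20.20.100:445 proto 6
Nov  5 10:01:03 ltm1 tmm: Inet port exhaustion on 10.10.10.5 to 10.10.10.100:1433 proto 6
Nov  5 10:01:04 ltm1 tmm: Inet port exhaustion on 10.10.10.5 to 10.10.10.100:1433 proto 6
Nov  5 10:01:05 ltm1 tmm: Inet port exhaustion on 30.30.30.5 to 30.30.30.100:80 proto 6
Nov  5 10:01:06 ltm1 mcpd: Pool member 30.30.30.100:80 monitor status up
""".splitlines()

if __name__ == "__main__":
    for (src, dst, port), n in sorted(find_snat_hairpins(SAMPLE_LOG).items()):
        print(f"{n}x self IP {src} -> virtual server {dst}:{port}")
```

Ports such as 445 and 1433 showing up here indicate unsolicited external traffic being accepted and translated, which matches the fix in the thread of enabling the 0.0.0.0:0 virtual server only on the internal vlan.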