nmap port scanner shows open ports when destination is to a VS on the front end

Question

Our security team run scans for vlunerability and he doesn't them from the public internet. It was noticed that based on the image the Big-IP does respond differently but for all images the nmap scan returns all ports scanned as open. &nbsp;I've see responses about similar scans but from the inside but I noticed that on our most recent image, the packets from Scans doesn't reach the front end interface of the Big-IP for this specific VS. Instead it receives only an ACK then on the next packet it receives a RST. &nbsp;Trying to figure out why did the responses change from earlier image and why the latest image upgrade recommended by F5 shows the same issue when open ports are scanned from the public Internet.&nbsp;Kindly advise.

nikoolayy1 · Answer

1.Check the distination ports of your virtual servers as they can be listening to all ports:&nbsp;https://support.f5.com/csp/article/K6018&nbsp;&nbsp;2.Also if the F5 vip is with "Loose Initiation and Loose Close " this means that any client packets is accepted without 3 way handshake&nbsp;https://support.f5.com/csp/article/K13558&nbsp;&nbsp;&nbsp;3.you mention RST to see if the F5 is returning the RST enable special logging https://support.f5.com/csp/article/K13223 and you may do nnnp tcpdump https://support.f5.com/csp/article/K13637. Also check if nmap is not triggering syn cookie protection https://support.f5.com/csp/article/K74451051#syn-cookie-status&nbsp;&nbsp;&nbsp;

Forum Discussion

Tyler - May 2026 Featured Member

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

Recent Discussions

version 21.1 ACME setup for certificate renewal with Digicert

F5 BIGIP & XC certbot plugin

Use F5 APM as Forward Proxy

Question about source persistence across traffic group

OpenID Connect as Client and Resource server

Related Content

BotPoke Scanner Switches IP

Remove alerts showing r-series LCD/Dashboard.

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Destination address at F5

Nessus 6 XSLT Conversion for ASM Generic Scanner Import

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS