Forum Discussion

AndyBaba's avatar
AndyBaba
Icon for Altocumulus rankAltocumulus
Feb 24, 2022

Outgoing ICMP & DNS queries to public IP

Hey all

i have 2 internet facing f5 ltm, I am seeing my f5 which has public IP on self ip is sending icmp queries & dns queries to public IP on internet. When we did a basic traffic capture, we see there is no response received for icmp & dns query. f5 ltm is configured for internal dns server & runs 13.1.4.1. 

Could somebody guide what can be done to find why big-ip self-ip (company public IP) is sending icmp & dns query to public IP on internet.

BIG-IP
LTM
security
  • JoshBecigneul's avatar
    JoshBecigneul
    Icon for MVP rankMVP
    Feb 24, 2022

    Hi AndyBaba,

    Can you tell me if this is for the main system DNS lookup service (System -> Configuration -> Device -> DNS) or is this for a DNS service referenced by a LTM pool?

    You might consider checking out the article about management routing here: https://support.f5.com/csp/article/K13284

    There is also an article that discusses scenarios where the traffic may appear to originate from the wrong interface: https://support.f5.com/csp/article/K10239 

    Another feature that could be in play is the DNS Resolver feature which if memory serves will primarily use TMM interfaces to pass traffic instead of the management interface: https://support.f5.com/csp/article/K12140128 

    My first bet would be a routing table issue, you should verify that piece first and make sure that a route exists to your internal IP.

    Thanks,
    Josh Becigneul

     

    • AndyBaba's avatar
      AndyBaba
      Icon for Altocumulus rankAltocumulus
      Mar 04, 2022

      Hi JoshBecigneul 

      Thank you for the articles. It doesn't add up to any of the resolutions mentioned in them

      In our LTM, i see the problem of LTM sending ICMP echo request & DNS query at same time public IP - which we dont recognize. The pattern of public IP keeps changing. And I believe, since our Firewall may have restriction - the responses are not received on F5.

      We are trying to find why LTM is sendig queries out.

       

       

       

       

      • JoshBecigneul's avatar
        JoshBecigneul
        Icon for MVP rankMVP
        Mar 04, 2022

        Hi AndyBaba, i think you might be best to open a ticket with F5 Support to see if they can assist. Otherwise I'd suggest reviewing all pool memberships related to this, as well as check the virtual servers SNAT settings. Depending on how those are set, it could influence which source IPs get used. There are also services on the F5, like Phone Home that may need to make connections to the F5 cloud if they are enabled. https://support.f5.com/csp/article/K15000

        Thanks.