Forum Discussion
Server port not accessible from F5
- Apr 27, 2017
Thanks all for your help. The issue was actually on the firewall: there was a policy which allows only ping, HTTP & SSH traffic.
My F5 management IP was in the 10.11.5.x/24 network and the server was in the 10.11.1.x/24 network, so I was tracing on the firewall using source IP F5 (10.11.5.x) and destination server IP (10.11.1.x). I was getting no trace logs, so I thought traffic was not blocked by the firewall.
After more troubleshooting, I enabled tcpdump on the server in the 10.11.1.x network and came to know the F5 was doing NAT when forwarding its traffic: the 10.11.5.x network was NATted to the 10.11.3.x network, and this was not allowed on the firewall. After enabling this network for port 3010 on the firewall, it worked.
Thanks all. My concept was that source and destination IPs never change unless NATted; I am still looking into how the F5 is NATting its management IP from 10.11.5 to 10.11.3.
Thanks.
Hi,
The management IP will be the source of traffic to a destination IP in a subnet that is not directly attached only if it has a default gateway configured and if there is no Self IP in the destination subnet or if there is no route set in the Networking section of the GUI for this subnet.
In any other case the proper VLAN Self IP will be used.
So there is a chance that one of the Self IPs was used, probably because of a configured route or because the default gateway is configured to point to an IP reachable via a Self IP in the 10.11.3.0/24 subnet.
Piotr
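The check described in the first post (capture on the server to see which source address actually arrives, which per the reply above may be a Self IP rather than the management IP), as an added example that is not part of the thread. It assumes `tcpdump -nn` text output; the function names are hypothetical and the sample addresses are constructed, since the thread gives only the 10.11.x.x prefixes.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -nn IPv4 line: "<time> IP <src>[.<sport>] > <dst>[.<dport>]: ..."
# The port is optional so ICMP lines (no ports) parse as well as TCP/UDP.
LINE_RE = re.compile(
    r"\sIP\s(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?\s>\s"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:"
)

def inbound_sources(lines, server_ip):
    """Count source IPs of packets addressed to server_ip."""
    seen = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(3) == server_ip:
            seen[m.group(1)] += 1
    return seen

def sources_missed_by_trace(lines, server_ip, traced_net):
    """Sources that a firewall trace filtered on traced_net would not show."""
    net = ipaddress.ip_network(traced_net)
    missed = [ip for ip in inbound_sources(lines, server_ip)
              if ipaddress.ip_address(ip) not in net]
    return sorted(missed, key=ipaddress.ip_address)

# Constructed capture taken on the server (10.11.1.20 is a made-up host in
# the 10.11.1.x network; 10.11.3.10 is a made-up address in 10.11.3.x).
SAMPLE = [
    "12:00:01.000001 IP 10.11.3.10 > 10.11.1.20: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000090 IP 10.11.1.20 > 10.11.3.10: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:02.000001 IP 10.11.3.10.51234 > 10.11.1.20.80: Flags [S], seq 100, win 29200, length 0",
    "12:00:02.000080 IP 10.11.1.20.80 > 10.11.3.10.51234: Flags [S.], seq 7, ack 101, win 28960, length 0",
    "12:00:05.000001 ARP, Request who-has 10.11.1.1 tell 10.11.1.20, length 28",
]

if __name__ == "__main__":
    # The trace in the thread was filtered on the management network.
    for ip in sources_missed_by_trace(SAMPLE, "10.11.1.20", "10.11.5.0/24"):
        print(f"traffic arrives from {ip}: trace the firewall on this source")
```
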