Forum Discussion
Unknown flow from my F5
Hello folks!
I have noticed unknown traffic in my lab environment from my F5 Self IP to one of my backend servers (internal VLAN).
- SRC IP: 10.130.40.3 (F5 self-IP)
- SRC PORT: random
- DST IP: 10.130.40.192 (my zabbix server)
- DST PORT: 443 (https)
list net self | grep self
net self 10.130.40.5 {
net self 10.130.41.5 {
net self 10.130.40.3 {
net self 10.130.41.3 {
net self 1.1.1.1 {
I was trying to figure out why this traffic is generated (every 2 seconds), but I didn't find the root of this flow.
Could anyone help me?
1.- I have checked all monitors involved, but nothing related to HTTPS.
list ltm pool monitor
ltm pool JuniperSSL {
monitor gateway_icmp
}
ltm pool Krennic_IMAP {
monitor tcp
}
ltm pool Krennic_POP {
monitor tcp
}
ltm pool Krennic_SMTP {
monitor tcp
}
ltm pool Kylo_Ren {
monitor tcp
}
ltm pool WebServer {
monitor http
}
ltm pool syslog_pool {
monitor none
}
ltm pool zabbix {
monitor gateway_icmp
}
ltm pool zabbix_https {
monitor gateway_icmp
}
2.- I have checked established conns, but there is no info about this flow.
show sys connection
Really display all connections? (y/n) y
Sys::Connections
10.130.40.3:34687 10.130.40.192:8 10.130.40.3:34687 10.130.40.192:8 icmp 3 (tmm: 3) none
10.130.40.3:34688 10.130.40.2:8 10.130.40.3:34688 10.130.40.2:8 icmp 4 (tmm: 0) none
1.1.1.2:50726 1.1.1.1:1026 1.1.1.2:50726 1.1.1.1:1026 udp 0 (tmm: 0) none
10.130.40.3:34684 10.130.40.2:8 10.130.40.3:34684 10.130.40.2:8 icmp 14 (tmm: 0) none
10.130.40.3:34683 10.130.40.192:8 10.130.40.3:34683 10.130.40.192:8 icmp 13 (tmm: 3) none
1.1.1.1:52137 1.1.1.2:1026 1.1.1.1:52137 1.1.1.2:1026 udp 0 (tmm: 3) none
10.130.40.3:34685 10.130.40.192:8 10.130.40.3:34685 10.130.40.192:8 icmp 8 (tmm: 1) none
10.130.40.3:34686 10.130.40.2:8 10.130.40.3:34686 10.130.40.2:8 icmp 9 (tmm: 2) none
Total records returned: 8
3.- I have sniffed traffic using the ":nnnp" noise amplifier, but no VIP info is related (so traffic is exclusively generated in my F5).
4.- I have used the "lsof" and "netstat" commands, but there is no info related to TMM traffic (so they are not useful).
I would like to know which process or config may be responsible for this traffic. Any help?
Thanks in advance.
KR, Dario
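The connection-table check from step 2 above, as an added example that is not part of the original post: it parses saved `show sys connection` output, using the rows quoted in the post as sample input, and filters for one destination and port. The column order (client-side source and destination, server-side source and destination, protocol, idle seconds, tmm, acceleration) and IPv4-only addresses are assumptions, and the function names are hypothetical.

```python
from collections import Counter

# Sample input: the rows quoted in the post above, including non-data lines.
SAMPLE = """\
Really display all connections? (y/n) y
Sys::Connections
10.130.40.3:34687 10.130.40.192:8 10.130.40.3:34687 10.130.40.192:8 icmp 3 (tmm: 3) none
10.130.40.3:34688 10.130.40.2:8 10.130.40.3:34688 10.130.40.2:8 icmp 4 (tmm: 0) none
1.1.1.2:50726 1.1.1.1:1026 1.1.1.2:50726 1.1.1.1:1026 udp 0 (tmm: 0) none
10.130.40.3:34684 10.130.40.2:8 10.130.40.3:34684 10.130.40.2:8 icmp 14 (tmm: 0) none
10.130.40.3:34683 10.130.40.192:8 10.130.40.3:34683 10.130.40.192:8 icmp 13 (tmm: 3) none
1.1.1.1:52137 1.1.1.2:1026 1.1.1.1:52137 1.1.1.2:1026 udp 0 (tmm: 3) none
10.130.40.3:34685 10.130.40.192:8 10.130.40.3:34685 10.130.40.192:8 icmp 8 (tmm: 1) none
10.130.40.3:34686 10.130.40.2:8 10.130.40.3:34686 10.130.40.2:8 icmp 9 (tmm: 2) none
Total records returned: 8
"""

def parse_table(text):
    """Return one dict per connection row; prompts, headers and totals are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Assumed row shape: 4 x addr:port, protocol, idle, "(tmm:", "N)", accel.
        if len(f) < 9 or f[6] != "(tmm:" or not all(":" in x for x in f[:4]):
            continue
        src_ip, _, src_port = f[0].rpartition(":")   # IPv4 only (assumption)
        dst_ip, _, dst_port = f[3].rpartition(":")   # server-side destination
        rows.append({"src_ip": src_ip, "src_port": int(src_port),
                     "dst_ip": dst_ip, "dst_port": int(dst_port),
                     "proto": f[4], "idle": int(f[5]), "tmm": int(f[7].rstrip(")"))})
    return rows

def find_flows(rows, dst_ip, dst_port, proto=None):
    """Rows whose server-side destination matches, optionally limited to one protocol."""
    return [r for r in rows
            if r["dst_ip"] == dst_ip and r["dst_port"] == dst_port
            and (proto is None or r["proto"] == proto)]

def summarize(rows):
    """Count rows per (source IP, destination IP, destination port, protocol)."""
    return Counter((r["src_ip"], r["dst_ip"], r["dst_port"], r["proto"]) for r in rows)

if __name__ == "__main__":
    table = parse_table(SAMPLE)
    print("flows to 10.130.40.192:443:", find_flows(table, "10.130.40.192", 443))
    for key, count in sorted(summarize(table).items()):
        print(count, key)
```

On the sample rows the filter for 10.130.40.192:443 returns nothing, and the only entries toward that server are the ICMP ones from 10.130.40.3.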
- youssef1
Cumulonimbus
Hi Dario,
First off, just to be sure, can you remove the monitor in the pool or all pools using the following node:
DST IP: 10.130.40.192 (my zabbix server) DST PORT: 443 (https)
If the flow continues, it's not due to the monitor...
Regards,