Nimbostratus
AltocumulusI have the same issue when we scan for open ports from the internet destined to one of the virtual servers IP on the front end of the load-balancer. we upgraded to 14.1.4 when this started happening again after the fix. pcap doesn't show any SYN or SYN/ACK packets but only ACK then followed by RST. It doesn't even go through for the 443 allow. I'm trying to understand from the answers above but can't grasp the whole picture. Also some say scanning is to the internal servers on the backend. Can anyone share the whole document/explanation? This False Positive creates concerns to security,
Cirrusfor us, it was an internal scan, not an external scan. What happened was we had SYN Cookie protection enabled on the profile for our Forwarding VS. This caused the F5 to challenge the SYNs from Discovery scans even though these IPs in some cases didn't even exist behind the F5 making the scanner tee these IP and Ports up for actual vulnerability checks. To top this off the F5 was trying to deal as it was a DoS attack and began consuming memory until it finally fell over. We disabled SYN Challenge Handling in the Fastl4 profile and this fixed our issue. Make sure that you don't have this enabled on your VIP and VLAN as it could do the same.
/jba