Delete VS

Poseidon1974 (Cirrus)

Hi,

I am a newbie on F5 LTM. My problem: I just deleted a VS from the web interface; however, I notice in the FW logs traffic coming from the IP of this VS to other IP destinations. Do you have any idea about this problem? Why do I still have traffic? Maybe an IP gleaning problem?

Thanks,


6 REPLIES

Hi @Poseidon1974,

LTM is considered to be default deny. This means that when no traffic processing objects are configured (for example a virtual server and a pool), the BIG-IP system does not process any network traffic. (https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-network-firewall-policies-and-implementations/afm-...)

In normal scenarios, as far as I know, F5 doesn't send packets with the VS IP as source at all. You have three options when F5 creates a new connection with a backend server (pool members):

1- You can use Auto Map, and F5 will send packets with the SRC IP of the Self IP (if standalone) or the Floating IP (if HA peer).
2- Or use a SNAT Pool.
3- Or the client IP as source, if you don't enable SNAT.

So try to traceroute to the IP you get in the FW logs and check its place in your network.

Hi,

Thank you,

Lyacine

JRahm (Community Manager)

A virtual server is an IP address + port; deleting a single virtual server doesn't necessarily mean that other virtual servers aren't still active for that IP address. Or, as @Mostafa_Elsayed pointed out, it could also be in use for SNAT traffic. Might search the configuration to see where else that IP address might be in use.

Alternatively, there were active connections on that virtual server, and it's possible the traffic is still active on a long-lived connection even after it's removed from the configuration, until the connections are terminated. I'm not 100% on that behavior for a deleted virtual server, but it's just something to investigate.

Hi @Poseidon1974,

@Mostafa_Elsayed and @JRahm have described it comprehensively.

I just want to add: check the connection table in your BIG-IP using this command:

tmsh show /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port>

(as described in this article: https://my.f5.com/manage/s/article/K53851362)

Note: Don't run this command without using filters; the box may crash if you have a huge number of connection table entries. Use it as I have written above.

Then, if you see any existing connections for that virtual server, you should delete them from the connection table using this command:

tmsh delete /sys connection cs-server-addr <vs_ip> cs-server-port <vs_port>

_______________________
Regards
Mohamed Kansoh
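As an added example (not code from this thread or from F5), the following POSIX shell wrapper puts the two tmsh commands from the answer above behind a guard: the connection-table query cannot be issued without both filters, and entries are listed and counted before anything is deleted. It assumes tmsh prints one line per connection containing the vs_ip:vs_port token, and TMSH can be pointed at a stub to exercise the logic off-box.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5. Wraps the two tmsh
# commands from the answer above so that the connection-table query can never
# be issued without the cs-server-addr/cs-server-port filters the answer warns
# about, and so that matching entries are listed and counted before any delete.
# TMSH can be overridden to exercise the logic off-box with a stub.
TMSH="${TMSH:-tmsh}"

# Accept only a dotted-quad IPv4 address and a port in 1-65535. A malformed or
# empty filter would silently widen the query, which is exactly the crash risk.
valid_filter() {
    local ip="$1" port="$2" n oldifs
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for n in "$@"; do
        [ "$n" -le 255 ] || return 1
    done
}

# count_vs_connections <vs_ip> <vs_port>
# Runs the filtered show command and prints how many entry lines still carry
# <vs_ip>:<vs_port> (assumed output format); returns 1 if the filter is invalid.
count_vs_connections() {
    valid_filter "$1" "$2" || return 1
    "$TMSH" show /sys connection cs-server-addr "$1" cs-server-port "$2" \
        | grep -c -F -- "$1:$2" || true
}

# flush_vs_connections <vs_ip> <vs_port>
# Lists what the table still holds for the deleted VS (to stderr, for the
# operator), then deletes only if something was found. Prints the count.
flush_vs_connections() {
    local n
    n="$(count_vs_connections "$1" "$2")" || return 1
    if [ "$n" -gt 0 ]; then
        "$TMSH" show /sys connection cs-server-addr "$1" cs-server-port "$2" >&2
        "$TMSH" delete /sys connection cs-server-addr "$1" cs-server-port "$2"
    fi
    echo "$n"
}

# Usage on the box (example values): flush_vs_connections 10.1.1.5 443
```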

Thank you 

LiefZimmerman (Community Manager)

@Poseidon1974 - If your post was solved it would be helpful to the community to select *Accept As Solution*.
This helps future readers find answers more quickly and confirms the efforts of those who helped.
Thanks for being part of our community.
Lief

UPDATE: marked two answers as Solutions; the conversation looks to have wrapped up.
- feel free to unselect if I am incorrect.