Forum Discussion

Fantas's avatar
Fantas
Icon for Nimbostratus rankNimbostratus
Oct 02, 2020

F5 Sending Traffic to Port 5051

Hi,

 

I have noticed on one of our f5 sending traffic to one of the internal server destination port 5051.

Captured wireshark , I noticed that traffic is initiated by f5 inside interface to server on destination port 5051.

 

Dont know why f5 inside interface is sending this traffic to server and I can also see GET request to server but how this traffic can be initiated by its inside interface.

6 Replies

  • why is it so odd the traffic comes from the internal interface? usually your servers are on the internal (lan / inside) interface right, or do you mean the management interface or such?

     

    there might be a route involved or some vip targetting vip. do you have a poolmember somewhere configured with port 5051?

  • Fantas's avatar
    Fantas
    Icon for Nimbostratus rankNimbostratus

    Hi,

     

    I have done packet capture on f5 and can see traffic initiated from inside interface for port 5051 for one of the destination sever. this port doesn't exist on f5 but still inside interface initiating traffic to one of the internal server.

     

    Initially I thought , f5 might be sending this traffic on behalf of other server that might have hit on f5 vip and its redirecting traffic but after capturing traffic i noticed that its initiated by inside interface/lan.

     

    No pool member configured with this port.

    • im still a little confused with you mean with initiated by the inside interface? how do you determine this, based on the IP address?

       

      how you done a tcpdump with the extra :nnn flags to see if you can find the possible associated virtual server?

       

      https://support.f5.com/csp/article/K13637

       

      can you share that output?

  • Fantas's avatar
    Fantas
    Icon for Nimbostratus rankNimbostratus

    Hi,

     

    Yes based on ip address, when I capture traffic based on port 5051 ( without mentioning source / destination hosts), I can see only inside interface ip as source and destination inside server ip , I can see GET request source inside interface to target server.

     

    wireshark capture shows , source ip and destination port and server details.

     

     

    • does the GET make any sense in your environment?

       

      it isn't just a health monitor or such?

    • Often if you open the last bytes of a packet, you'll see the virtual name at the end, see if this helps. But with nnn you should see more details. Try that too.