cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Outgoing ICMP & DNS queries to public IP

AndyBaba
Nimbostratus
Nimbostratus

Hey all

i have 2 internet facing f5 ltm, I am seeing my f5 which has public IP on self ip is sending icmp queries & dns queries to public IP on internet. When we did a basic traffic capture, we see there is no response received for icmp & dns query. f5 ltm is configured for internal dns server & runs 13.1.4.1. 

Could somebody guide what can be done to find why big-ip self-ip (company public IP) is sending icmp & dns query to public IP on internet.

3 REPLIES 3

Hi @AndyBaba,

Can you tell me if this is for the main system DNS lookup service (System -> Configuration -> Device -> DNS) or is this for a DNS service referenced by a LTM pool?

You might consider checking out the article about management routing here: https://support.f5.com/csp/article/K13284

There is also an article that discusses scenarios where the traffic may appear to originate from the wrong interface: https://support.f5.com/csp/article/K10239 

Another feature that could be in play is the DNS Resolver feature which if memory serves will primarily use TMM interfaces to pass traffic instead of the management interface: https://support.f5.com/csp/article/K12140128 

My first bet would be a routing table issue, you should verify that piece first and make sure that a route exists to your internal IP.

Thanks,
Josh Becigneul

 

Hi @JoshBecigneul 

Thank you for the articles. It doesn't add up to any of the resolutions mentioned in them

In our LTM, i see the problem of LTM sending ICMP echo request & DNS query at same time public IP - which we dont recognize. The pattern of public IP keeps changing. And I believe, since our Firewall may have restriction - the responses are not received on F5.

We are trying to find why LTM is sendig queries out.

 

 

 

 

Hi @AndyBaba, i think you might be best to open a ticket with F5 Support to see if they can assist. Otherwise I'd suggest reviewing all pool memberships related to this, as well as check the virtual servers SNAT settings. Depending on how those are set, it could influence which source IPs get used. There are also services on the F5, like Phone Home that may need to make connections to the F5 cloud if they are enabled. https://support.f5.com/csp/article/K15000

Thanks.