Forum Discussion

benmgood36 (Nimbostratus)
Dec 09, 2015

Source port being changed when nothing else appears to be using the port

I've got some devices (Infoblox DNS) which use OpenVPN UDP port 1194 to communicate. The devices expect the source and destination port to be 1194. On the devices that are behind my F5 10200v devices, every so often the VPN terminates and logs that the source port was different than 1194.

The traffic is routed through the F5 and I have an IP forwarding virtual server for UDP with a fastL4 profile set for idle timeout of 5 seconds, and loose initiate/loose close enabled. Source Port is set to Preserve, not Preserve Strict.

What I'm unclear about is why the port is getting changed in the first place. This occurred 8 times overnight, and in none of those instances was anything else communicating from or to UDP port 1194 at the same time (I've got a packet capture). This is a system that averages between 200,000 and 500,000 concurrent connections, but almost everything is TCP. TCP port 1194 is going to show up a lot as the source port for other routed traffic, but not between these Infoblox devices.

What I'd considered doing was creating a port 1194 IP forwarding virtual server and setting it to Preserve Strict. The documentation says if a collision occurs, it resets the client side connection. While that makes sense for TCP, I'm not really sure what it would do with a UDP connection.

Has anyone seen this behavior before?
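For reference, the setup the post describes rendered as tmsh configuration. This is an added example, not configuration from the original post or from F5; the object names (fastl4_udp_fwd, vs_udp_forward, vs_openvpn_1194) are placeholders and the addresses are constructed. The first virtual server matches the existing wildcard UDP forwarder with `source-port preserve`; the second is the port-1194 forwarder the post considers adding, with `source-port preserve-strict`:

```tmsh
# Added example, not from the original post. Object names are assumed
# placeholders; addresses are constructed.

# FastL4 profile with the settings the post describes: 5 s idle timeout,
# loose initiation and loose close so asymmetric or mid-stream UDP flows
# are accepted by the forwarder.
ltm profile fastl4 fastl4_udp_fwd {
    defaults-from fastL4
    idle-timeout 5
    loose-close enabled
    loose-initialization enabled
}

# Existing wildcard UDP IP-forwarding virtual server. "source-port preserve"
# keeps the client's source port unless it collides with an entry already in
# the connection table; on a collision the port is rewritten, which is the
# behaviour the OpenVPN peers log and reject.
ltm virtual vs_udp_forward {
    destination 0.0.0.0:any
    ip-forward
    ip-protocol udp
    mask any
    profiles {
        fastl4_udp_fwd { }
    }
    source 0.0.0.0/0
    source-port preserve
    translate-address disabled
    translate-port disabled
}

# The more specific virtual server the post considers. A 0.0.0.0:1194
# destination wins over 0.0.0.0:any by virtual-server precedence, so only
# OpenVPN traffic lands here. "preserve-strict" means the BIG-IP never
# rewrites the source port: a colliding flow is refused instead of re-ported.
ltm virtual vs_openvpn_1194 {
    destination 0.0.0.0:1194
    ip-forward
    ip-protocol udp
    mask any
    profiles {
        fastl4_udp_fwd { }
    }
    source 0.0.0.0/0
    source-port preserve-strict
    translate-address disabled
    translate-port disabled
}
```

The trade-off is the one the post raises: with `preserve` a connection-table collision is resolved by rewriting the source port, with `preserve-strict` the colliding flow is not processed. For UDP there is no connection to reset, so the expectation (an assumption here, not something the post confirms) is that the colliding datagrams are simply dropped and the peers see a short gap rather than a wrong port. Before switching, it is worth looking at the connection table at the moment of a logged mismatch (for example `tmsh show sys connection cs-client-port 1194`), because the collision check runs against that table rather than against what is visible on the wire: an entry that has not yet reached the 5 second idle timeout still occupies the tuple even when the capture shows no other live 1194 traffic.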

4 Replies

    • benmgood36 (Nimbostratus)
      After reading this, I suppose I should have a stateless VS for 0.0.0.0/0 for UDP instead of IP forwarding. I followed the guidelines in https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html and set up a forwarding VS for TCP, UDP, and non-TCP/UDP with their own fastL4 profiles.