Forum Discussion

DarioGB_339840
May 28, 2018

Unknown flow from my F5

Hello folks!

I have noticed unknown traffic in my lab environment from my F5 Self IP to one of my backend servers (internal VLAN).

  • SRC IP: 10.130.40.3 (F5 self-IP)
  • SRC PORT: random
  • DST IP: 10.130.40.192 (my zabbix server)
  • DST PORT: 443 (https)


 list net self | grep self
net self 10.130.40.5 {
net self 10.130.41.5 {
net self 10.130.40.3 {
net self 10.130.41.3 {
net self 1.1.1.1 {

I was trying to figure out why this traffic is generated (every 2 seconds), but I didn't find the root of this flow.

Could anyone help me?

1.- I have checked all monitors involved, but nothing related to HTTPS.

 list ltm pool monitor
ltm pool JuniperSSL {
    monitor gateway_icmp
}
ltm pool Krennic_IMAP {
    monitor tcp
}
ltm pool Krennic_POP {
    monitor tcp
}
ltm pool Krennic_SMTP {
    monitor tcp
}
ltm pool Kylo_Ren {
    monitor tcp
}
ltm pool WebServer {
    monitor http
}
ltm pool syslog_pool {
    monitor none
}
ltm pool zabbix {
    monitor gateway_icmp
}
ltm pool zabbix_https {
    monitor gateway_icmp
}

2.- I have checked established connections, but there is no info about this flow.

 show sys connection

Really display all connections? (y/n) y
Sys::Connections
10.130.40.3:34687  10.130.40.192:8  10.130.40.3:34687  10.130.40.192:8  icmp  3  (tmm: 3)  none
10.130.40.3:34688  10.130.40.2:8  10.130.40.3:34688  10.130.40.2:8  icmp  4  (tmm: 0)  none
1.1.1.2:50726      1.1.1.1:1026   1.1.1.2:50726      1.1.1.1:1026   udp   0  (tmm: 0)  none
10.130.40.3:34684  10.130.40.2:8  10.130.40.3:34684  10.130.40.2:8  icmp  14  (tmm: 0)  none
10.130.40.3:34683  10.130.40.192:8  10.130.40.3:34683  10.130.40.192:8  icmp  13  (tmm: 3)  none
1.1.1.1:52137      1.1.1.2:1026     1.1.1.1:52137      1.1.1.2:1026     udp   0   (tmm: 3)  none
10.130.40.3:34685  10.130.40.192:8  10.130.40.3:34685  10.130.40.192:8  icmp  8  (tmm: 1)  none
10.130.40.3:34686  10.130.40.2:8  10.130.40.3:34686  10.130.40.2:8  icmp  9  (tmm: 2)  none
Total records returned: 8

3.- I have sniffed traffic using the ":nnnp" noise amplifier, but no VIP info is related (so the traffic is generated exclusively in my F5).

4.- I have used the "lsof" and "netstat" commands, but there is no info about TMM traffic (so they are not useful).

I would like to know which process or config may be responsible for this traffic. Any help?

Thanks in advance.

KR, Dario
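To make step 2 repeatable, here is an added example (not from the original post or from F5) that parses `show sys connection` output into records and filters them by server-side destination, so a suspected flow such as 10.130.40.192:443 can be checked against the table and the per-destination counts compared with the configured pool monitors. The sample input is four rows copied from the listing above with the total line adjusted to match; the column meanings (client-side src/dst, server-side src/dst, protocol, idle, tmm) are assumed from the post's output.

```python
import re
from collections import Counter

# Constructed sample: four rows copied from the post's `show sys connection`
# output, with the prompt and total line kept so the parser must skip them.
SAMPLE = """\
Really display all connections? (y/n) y
Sys::Connections
10.130.40.3:34687  10.130.40.192:8  10.130.40.3:34687  10.130.40.192:8  icmp  3  (tmm: 3)  none
10.130.40.3:34688  10.130.40.2:8  10.130.40.3:34688  10.130.40.2:8  icmp  4  (tmm: 0)  none
1.1.1.2:50726      1.1.1.1:1026   1.1.1.2:50726      1.1.1.1:1026   udp   0  (tmm: 0)  none
10.130.40.3:34683  10.130.40.192:8  10.130.40.3:34683  10.130.40.192:8  icmp  13  (tmm: 3)  none
Total records returned: 4
"""

# One "ip:port" endpoint; the table has four of them per row.
ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
ROW = re.compile(
    rf"^{ENDPOINT}\s+{ENDPOINT}\s+{ENDPOINT}\s+{ENDPOINT}\s+(\w+)\s+(\d+)\s+\(tmm: (\d+)\)"
)

def parse_connections(text):
    """Return one dict per connection-table row; prompt/header/total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        g = m.groups()
        rows.append({
            "cs_src": (g[0], int(g[1])), "cs_dst": (g[2], int(g[3])),
            "ss_src": (g[4], int(g[5])), "ss_dst": (g[6], int(g[7])),
            "proto": g[8], "idle": int(g[9]), "tmm": int(g[10]),
        })
    return rows

def flows_to(rows, dst_ip, dst_port=None):
    """Rows whose server-side destination matches dst_ip (and dst_port, if given)."""
    return [r for r in rows
            if r["ss_dst"][0] == dst_ip
            and (dst_port is None or r["ss_dst"][1] == dst_port)]

def summarize(rows):
    """Count rows per (dst ip, dst port, protocol); icmp "port" 8 is the echo
    type, i.e. what a gateway_icmp monitor produces."""
    return Counter((r["ss_dst"][0], r["ss_dst"][1], r["proto"]) for r in rows)
```

With the post's data, `flows_to(rows, "10.130.40.192", 443)` is empty while the summary shows only icmp echo to that host, which matches the gateway_icmp monitors on the zabbix pools and not the HTTPS flow seen on the wire.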

1 Reply

Hi Dario,

First of all, just to be sure, can you remove the monitor in the pool (or all pools) using the following node:

DST IP: 10.130.40.192 (my zabbix server) DST PORT: 443 (https)

If the flow continues, it's not due to the monitor...

Regards,