I ran (2) tcpdumps:
- 1 for filtering on the destination and excluding the LTM self ip.
- 2 for all traffic.
Once I notice traffic on the 1st tcpdump, I stopped the 2nd one and then searched for port the snat address was using.
I discovered the source of the traffic was external and once it hit the LTM it was natted.
The traffic destination services was for netbios, dns, etc. Since the destination virtual server would not accept this type of traffic the default gateway virtual server (0.0.0.0:0) accepted the traffic and natted the address.
The virtual server was disabled so I think the traffic was bouncing back and forth between the self ip and virtual server.