BIG-IQ CM 5.1 managing BIG-IP 11.6.1 makes several requests a minute to the BIG-IP REST API:
POST /mgmt/shared/inflate?em_server_ip=220.127.116.11&em_server_auth_token=[long token] HTTP/1.1
My questions are..
What is 18.104.22.168? It appears to belong to an ISP in Israel. It has nothing to do with our environment as far as I can tell.
Does everyone else's BIG-IQ CM do this too? You can check by running a capture like this on your BIG-IP for a few minutes, and loading it up in Wireshark:
tcpdump -i lo -s 0 -w /var/tmp/rest.pcap port 8100
And lastly, what is the /mgmt/shared/inflate REST endpoint? I can't find it documented.
same behaviour here. Hopefully someone can explain it
I opened a case about this and was told the following:
Regarding the 'em_server_ip=22.214.171.124' question, this is just a method that BigIQ implements to hash device group names into ipv4 addresses. That IP address does not correspond to any real communication - it's just a numeric hash of a string. Nothing to worry about, per our Engineering.
Thanks for the info!
I have a Big-IQ cluster on a lab environment and only appears traffic to localhost.
Hashing device group names into IPv4 addresses .. that's quite oddball, but this is BIG-IQ so I'll believe it :)
I'm still wondering what the POST /mgmt/shared/inflate endpoint does, and why BIG-IQ CM hits it repeatedly all day on all appliances. The behaviour is the same in 5.2.0.
@pponte The traffic itself is localhost to localhost because this is after it's been received by the management HTTPS server, and before it arrives at the iControl REST daemon. The odd IPv4 address is only in the query string of POST /mgmt/shared/inflate requests.