nPath Triggering Router Intrusion Detection

Question

Hi All, 
&nbsp;  
&nbsp; We've recently deployed a pair of BIG-IP 1600's in a redundant configuration in front of our corporate web site. Since then, we've discovered several customers using Billion (http://au.billion.com/) modems, are having the website blocked by the Intrusion Detection built into their router. 
&nbsp;  
&nbsp; The web servers were previously running under a DSR configuration behind a pair of Foundry ServerIron's (very old, and unstable), so nPath was the best solution for us in the short term, until we had time to properly design and deploy a separate VLAN for F5 powered hardware. 
&nbsp;  
&nbsp; What the customers are seeing is something like: 
&nbsp; Aug 26 18:31:38 home.gateway:firewall:info: 1524.121 Intrusion TCP FIN scan(17) 
&nbsp;  
&nbsp; Last week we created a new Fast L4 profile with the following configuration options changed from the default: 
&nbsp; - Idle Timeout: 120 seconds 
&nbsp; - Loose Initiation: Off 
&nbsp; - Loose Close: On 
&nbsp; - TCP Close Timeout: 120 seconds 
&nbsp;  
&nbsp; These changes were based on some old F5 documentation we found which described nPath in more detail. Following these changes, users are now seeing the following errors: 
&nbsp;  
&nbsp; Intrusion TCP reset scan(18) 
&nbsp;  
&nbsp; So, it would seem that we've gone from one set of problems to another. 
&nbsp;  
&nbsp; Has anyone else encountered similar problems? Do you have any solution that would rectify this issue? 
&nbsp;  
&nbsp; Thanks in advance.

hooleylist · Answer

It might help to have an idea of what the exact problem is before trying to modify the LTM configuration.  You might try contacting billion to get details on the message.  Here are a few related posts found searching for that log message: 
&nbsp;  
&nbsp; TCP FIN? 
&nbsp; http://www.dslreports.com/forum/remark,604069 
&nbsp;  
&nbsp; Google cache of a billion's forum post: 
&nbsp; http://209.85.229.132/search?q=cache:sbdNFyQ9nPMJ:au.billion.com/forums/index.php%3Fshowtopic%3D9643+Intrusion+TCP+FIN+scan%2817%29&amp;cd=1&amp;hl=en&amp;ct=clnk&amp;gl=uk 
&nbsp;  
&nbsp; If this is caused by the server (or LTM) sending a FIN after the connection has already been closed, you might consider disabling Loose Close on the FastL4 profile.  This is a stab in the dark as I'm not sure what triggers the error. 
&nbsp;  
&nbsp; Aaron

nom_55811 · Answer

Hey Guys, 
&nbsp;  
&nbsp; I have found some reference to something which may resolve this, however I can't find the information which is referred to.  I found this snippet in the "BIG-IP® Reference Guide version 4.2": 
&nbsp;  
&nbsp;  
&nbsp; Finally, you can prevent a virtual server from sending a TCP reset 
&nbsp; when a connection is timed out. For more information, see the Virtual 
&nbsp; Servers section in Chapter 4, Configuring the High-Level Network.  
&nbsp; &nbsp; 
&nbsp;  
&nbsp; However, after reading Chapter 4 forwards, and backwards, I can't see anything referring to how to disable this.  Does anyone know which setting this is referring to? 
&nbsp;  
&nbsp; Thanks

Forum Discussion

nPath Triggering Router Intrusion Detection

2 Replies

Recent Discussions

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

About AWAF "Redirect URLs" in "Responses and Blocks"

ISP Bandwidth Utilization

Related Content

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

SSL Orchestrator Advanced Use Cases: Integrating F5 Intrusion Prevention System (IPS)

Leveraging Ansible Rulebooks for Streamlined Event Triggers: Advantages and Benefits

High Performance Intrusion Prevention

Detect and stop exfiltration attempts with F5 Distributed Cloud App Infrastructure Protection