Forum Discussion

robert_blair_75

Nimbostratus

Nov 05, 2009

Monitoring Traffic?

I am running Big-ip 9.4.8

Setup:

ExternalA network:

- 10.10.10.0/24

ExternalB network:

- 20.20.20.0/24

Internal network:

- 30.30.30.0/24

Default_gateway_virtual_server

- Network: 0.0.0.0

- Pool: default_gateway_pool

- SNAT: Automap

Pool: Default_gateway_pool

-members: 10.10.10.1 & 20.20.20.1

Floating Self ip:

- 10.10.10.5

- 20.20.20.5

- 30.30.30.5

Virtual Server

- Ip: 10.10.10.100

- Pool: webserver

- Disabled

Virtual Server

- Ip: 20.20.20.100

- Pool: webserver

- Disabled

Pool: webserver

- node: 30.30.30.100

- no monitors on pool or members.

I am seeing some interesting traffic via TCPdump:

- Using TCPdump on the external vlans; I am seeing traffic from both external self ips (10.10.10.5 and 20.20.20.5) to the virtual servers 10.10.10.100 & 20.20.20.100 with a variety of ports (I assume this due to SNAT).

- TCPDump does not show the destination host traffic on the internal vlan.

- Found “Inet port exhaustion on 20.20.20.5 to 20.20.20.100:445 proto 6” in the local traffic log.

- Found “Inet port exhaustion on 10.10.10.5 to 10.10.10.100:1433 proto 6” in the local traffic log.

The monitors I do have defined are monitoring the internal ips 30.30.30.x, It appears that the Bigip is generating this traffic but I do not see why? Any insight would be great…

management

monitoring

14 Replies

hooleylist
Cirrostratus
Nov 05, 2009
Hi Robert,

Can you clarify what you're testing and what problems you're encountering? Also, when you note "disabled" for the virtual servers, do you mean the VIP is disabled?

If you're seeing port exhaustion on the self IP address, you might consider adding more floating self IP addresses on the VLANs the issue is occurring on.

Aaron
robert_blair_75
Nimbostratus
Nov 05, 2009
Aaron,

Yes the virtual server is disabled, I am trying to understand why I am seeing traffic from the external self ips (10.10.10.5 and 20.20.20.5) to an external virtual server 10.10.10.100. I am not monitoring anything related to the vip/pool.

Thanks ...
hooleylist
Cirrostratus
Nov 06, 2009
Do you have clients originating traffic through a SNAT to the virtual servers? I'd guess this might be web server to app VIP type traffic. You could check the connection table using 'b conn all show all' to see who the clients are.

Aaron
robert_blair_75
Nimbostratus
Nov 09, 2009
Clients do not access via SNAT (External ->Inbound Wide IP->Virtual Server)

Here is a sampling of the connection information:

VIRTUAL any:any <-> NODE 10.10.10.100:microsoft-ds TYPE any

CLIENTSIDE 20.20.20.5:52364 <-> 10.10.10.100:microsoft-ds

(pkts,bits) in = (4, 400) out = (2, 120)

SERVERSIDE 20.20.20.5:52592 <-> 10.10.10.100:microsoft-ds

(pkts,bits) in = (2, 120) out = (4, 400)

PROTOCOL tcp UNIT 1 IDLE 118 (300) LASTHOP 4091 00:15:63:aa:b1:48

VIRTUAL any:any <-> NODE 20.20.20.100:microsoft-ds TYPE any

CLIENTSIDE 10.10.10.5:13476 <-> 20.20.20.100:microsoft-ds

(pkts,bits) in = (4, 365) out = (2, 120)

SERVERSIDE 10.10.10.5:13708 <-> 20.20.20.100:microsoft-ds

(pkts,bits) in = (2, 120) out = (4, 365)

PROTOCOL tcp UNIT 1 IDLE 155 (300) LASTHOP 4092 00:23:04:4e:fc:80

It appears the source port is random (due to snat automap) but the destination port is always microsoft-ds or netbios-ssn. It cycles through all of the virtual servers, even if they are disabled and do not have a wide ip defined to them. I assume the only traffic with the floating self-ip as the source should be originating from a different Vlan like the internal Vlan but I never see the destination host on the internal Vlan via TCPdump.

If this was external traffic, I should see the external source ip. Currently this is generating allot of connections.

Thanks …
hooleylist
Cirrostratus
Nov 09, 2009
If you look at the full 'b conn all show all' output, do you see any client IP addresses who have a source port the same as one of the self IP connections? For example, from your last post, was there another connection also from port 52364?

Aaron
robert_blair_75
Nimbostratus
Nov 09, 2009
Hopefully I am answering your question correctly, I searched the output for port 52364 as an example.

It appears that 52364 is only being used as a source port from both self ip

CLIENTSIDE 10.10.10.5:52364 <-> 20.20.20.142:microsoft-ds

CLIENTSIDE 10.10.10.5:52364 <-> 10.10.10.169:2967

CLIENTSIDE 20.20.20.5:52364 <-> 20.20.20.144:135

SERVERSIDE 10.10.10.5:52364 <-> 20.20.20.144:135

CLIENTSIDE 20.20.20.5:52364 <-> 10.10.10.145:2967

CLIENTSIDE 20.20.20.5:52364 <-> 20.20.20.142:microsoft-ds

SERVERSIDE 10.10.10.5:52364 <-> 20.20.20.142:microsoft-ds

SERVERSIDE 10.10.10.5:52364 <-> 10.10.10.145:2967

CLIENTSIDE 10.10.10.5:52364 <-> 10.10.10.145:2967

SERVERSIDE 20.20.20.5:52364 <-> 10.10.10.145:2967

CLIENTSIDE 20.20.20.5:52364 <-> 10.10.10.150:microsoft-ds

SERVERSIDE 20.20.20.5:52364 <-> 10.10.10.147:microsoft-ds

CLIENTSIDE 20.20.20.5:52364 <-> 10.10.10.147:microsoft-ds

SERVERSIDE 10.10.10.5:52364 <-> 10.10.10.150:microsoft-ds

CLIENTSIDE 10.10.10.5:52364 <-> 10.10.10.150:microsoft-ds

SERVERSIDE 20.20.20.5:52364 <-> 10.10.10.150:microsoft-ds

CLIENTSIDE 10.10.10.5:52364 <-> 20.20.20.144:135

"B conn all show all" display all current connections ?

Thanks …
The_Bhattman
Nimbostratus
Nov 09, 2009
Yes. However, be aware that there is a limitation which are fixed on certain software branches and others still remain

You can find more details by going to ask.f5.com

https://support.f5.com/kb/en-us/solutions/public/6000/500/sol6573.html

CB
hooleylist
Cirrostratus
Nov 09, 2009
That's still quite curious. So you have GTM running in the environment? Is it an LTM/GTM combo or separate units?

Aaron
robert_blair_75
Nimbostratus
Nov 09, 2009
This is a pair of 9.4.8 LTM running High Availability.

Thanks ...
robert_blair_75
Nimbostratus
Nov 10, 2009
Aaron

I will open a case, thanks for your help and will let you know what happens.

Thanks ...