Forum Discussion
If it's responding to pings from addresses not on your network, then it sounds like your network guys may need to look at their ACLs... it sounds like there may be more to this issue than what is presented here.
Which addresses on your LTM are responding to pings? Is it one of your virtual servers or the management interface? Regardless, you can firewall off any ICMP requests that hit the LTM.
- Brian_Durkin_14 (Nimbostratus)
Actually, this is a known issue with BigIP:
sol15469: Loading the BIG-IP configuration from the command line may incorrectly enable ICMP Echo for virtual addresses
There are two solutions:
1. Disable ICMP Echo for a virtual address using the following command syntax: tmsh modify ltm virtual-address icmp-echo
2. Upgrade the S/W from 11.5.1 to 11.6.0.
- shaggy (Nimbostratus)
The F5 can respond to pings for addresses it owns (Self-IP, SNAT, virtual IP addresses). I believe that it can respond to ICMP requests for networks that are defined in its virtual address list as well. If you have any network virtual servers (IP forwarding, fast-l4, etc.), verify that those network virtual addresses have ICMP disabled. Navigate to Local Traffic | Virtual Servers | Virtual Address List, click on the network address, and verify "ICMP Echo" is disabled. Keep in mind that, depending on the forwarding-vs configuration, this could prevent ICMP messages from being passed through to backend networks.
- Brian_Durkin_14 (Nimbostratus)
Thanks Shaggy; I will take that into consideration if I disable the ICMP echo. Brian
- pdiab_72047 (Nimbostratus)
What about hosts that do not exist? We ran a vulnerability scan on subnets that sit on the F5, and we received a reply from IPs that are not on the subnet yet.
- nitass (Employee)
What about hosts that do not exist? We ran a vulnerability scan on subnets that sit on the F5, and we received a reply from IPs that are not on the subnet yet.
Do you have a network virtual server address with arp and icmp-echo enabled?
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual-address 192.168.0.0 all-properties
ltm virtual-address 192.168.0.0 {
    address 192.168.0.0
    app-service none
    arp enabled
    auto-delete true
    connection-limit 0
    description none
    enabled yes
    floating enabled
    icmp-echo enabled
    inherited-traffic-group false
    mask 255.255.255.0
    metadata none
    partition Common
    route-advertisement disabled
    server-scope any
    traffic-group traffic-group-1
    unit 1
}
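An added audit check, not from the thread or from F5, that parses `tmsh list ltm virtual-address all-properties` output in the format nitass pasted and flags the condition shaggy and nitass describe: a network (non-/32) virtual address with icmp-echo enabled, which makes the BIG-IP answer pings for every host in the range. The sample output is constructed, and the parser assumes each property is a single `key value` pair as in the output above.

```python
import ipaddress
import re

# Constructed sample of `tmsh list ltm virtual-address all-properties` output,
# modelled on the format in the thread (not captured from a real device).
SAMPLE_TMSH_OUTPUT = """
ltm virtual-address 192.168.0.0 {
    address 192.168.0.0
    arp enabled
    enabled yes
    icmp-echo enabled
    mask 255.255.255.0
    partition Common
}
ltm virtual-address 10.1.1.50 {
    address 10.1.1.50
    arp enabled
    icmp-echo selective
    mask 255.255.255.255
    partition Common
}
"""

BLOCK_RE = re.compile(r"ltm virtual-address (\S+) \{(.*?)\}", re.DOTALL)


def parse_virtual_addresses(text):
    """Return {name: {property: value}} per virtual-address block. Assumes
    single-token 'key value' properties (no nested braces), as in the thread."""
    result = {}
    for name, body in BLOCK_RE.findall(text):
        tokens = body.split()  # works on indented or flattened output alike
        result[name] = dict(zip(tokens[0::2], tokens[1::2]))
    return result


def network_addresses_answering_icmp(text):
    """Flag virtual addresses whose mask covers more than one host and whose
    icmp-echo is enabled; ARP state is reported alongside for review."""
    findings = []
    for name, props in parse_virtual_addresses(text).items():
        mask = props.get("mask", "255.255.255.255")
        net = ipaddress.ip_network((props["address"], mask), strict=False)
        if net.num_addresses > 1 and props.get("icmp-echo") == "enabled":
            findings.append((name, str(net), props.get("arp", "unknown")))
    return findings


if __name__ == "__main__":
    for name, net, arp in network_addresses_answering_icmp(SAMPLE_TMSH_OUTPUT):
        print(f"{name}: answers ICMP Echo for all of {net} (arp {arp})")
```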
- pdiab_72047 (Nimbostratus)
It is actually a directly connected network and not a VIP subnet. Why would the F5 in the first place reply for a host that doesn't exist on that subnet? And it looks like the MAC is for the VLAN on the F5 and not the physical interface on the F5.
- nitass (Employee)
It is actually a directly connected network and not a VIP subnet.
Is there a wildcard virtual server address (0.0.0.0/0)? Are arp and icmp-echo enabled there?
It looks like the MAC is for the VLAN on the F5 and not the physical interface on the F5.
sol14513: MAC address assignment for interfaces, trunks, and VLANs (11.x)