Forum Discussion

Brian_Durkin_14
Nov 18, 2014

BigIP LTM is responding to ping requests for addresses that do not exist in our network

Our network personnel have informed me that our non-production BigIP LTM is responding to ping requests for addresses that do not exist in our network.

 

Question: why is the BigIP responding to any ping requests? Should it be routing the ICMP traffic through to the hosts? Question: how can we stop the BigIP from responding to ping requests to non-existing addresses?

 

11 Replies

  • If it's responding to pings from addresses not on your network, then it sounds like your network guys may need to look at their ACLs... it sounds like there may be more to this issue than what is presented here.

     

    Which addresses on your LTM are responding to pings? Is it one of your virtual servers or the management interface? Regardless, you can firewall off any ICMP requests that hit the LTM.

     

  • Actually, this is a known issue with BigIP:

     

    sol15469: Loading the BIG-IP configuration from the command line may incorrectly enable ICMP Echo for virtual addresses

     

    There are two solutions:

    1. Disable ICMP Echo for a virtual address using the following command syntax: tmsh modify ltm virtual-address <virtual_address> icmp-echo disabled

    2. Upgrade the software from 11.5.1 to 11.6.0.
  • shaggy

    The F5 can respond to pings for addresses it owns (Self-IP, SNAT, virtual IP addresses). I believe that it can respond to ICMP requests for networks that are defined in its virtual address list as well. If you have any network virtual servers (IP forwarding, fast-l4, etc.), verify that those network virtual addresses have ICMP disabled. Navigate to Local Traffic | Virtual Servers | Virtual Address List, click on the network address, and verify "ICMP Echo" is disabled. Keep in mind that, depending on the forwarding-vs configuration, this could prevent ICMP messages from being passed through to backend networks.

     

  • Thanks Shaggy; I will take that into consideration if I disable the ICMP echo. Brian

     

  • What about hosts that do not exist? We ran a vulnerability scan on subnets that sit on the F5, and we received a reply from IPs that are not on the subnet yet.

     

  • What about hosts that do not exist? We ran a vulnerability scan on subnets that sit on the F5, and we received a reply from IPs that are not on the subnet yet.

    Do you have a network virtual-server address with ARP and icmp-echo enabled?

    root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual-address 192.168.0.0 all-properties
    ltm virtual-address 192.168.0.0 {
        address 192.168.0.0
        app-service none
        arp enabled
        auto-delete true
        connection-limit 0
        description none
        enabled yes
        floating enabled
        icmp-echo enabled
        inherited-traffic-group false
        mask 255.255.255.0
        metadata none
        partition Common
        route-advertisement disabled
        server-scope any
        traffic-group traffic-group-1
        unit 1
    }
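
The check shaggy describes in the GUI and the `list ltm virtual-address ... all-properties` output quoted just above lend themselves to a small offline audit. The following is an added example, not code from the thread or from F5: it parses tmsh `list ltm virtual-address` output, computes the prefix length from each `address`/`mask` pair, and flags any network (non-/32) virtual address that still has `arp` or `icmp-echo` enabled, printing the `tmsh modify ... icmp-echo disabled` command from the sol15469 reply as the remediation. The sample text is constructed: the first object is the output from the reply above, the second is a made-up /32 host address for contrast. Only IPv4 masks are handled, and a mask of `any` is treated as /0 (both are assumptions of this example).

```python
import ipaddress
import re

# Constructed sample input: first object copied from the reply above,
# second object is an invented /32 host virtual address for contrast.
SAMPLE_TMSH_OUTPUT = """\
root@(ve11b)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual-address all-properties
ltm virtual-address 192.168.0.0 {
    address 192.168.0.0
    app-service none
    arp enabled
    auto-delete true
    connection-limit 0
    description none
    enabled yes
    floating enabled
    icmp-echo enabled
    inherited-traffic-group false
    mask 255.255.255.0
    metadata none
    partition Common
    route-advertisement disabled
    server-scope any
    traffic-group traffic-group-1
    unit 1
}
ltm virtual-address 10.0.0.10 {
    address 10.0.0.10
    arp enabled
    enabled yes
    icmp-echo enabled
    mask 255.255.255.255
    partition Common
    traffic-group traffic-group-1
}
"""

BLOCK_START = re.compile(r"^ltm virtual-address (\S+) \{$")
PROPERTY = re.compile(r"^\s+(\S+)\s+(.*)$")


def parse_virtual_addresses(text):
    """Return {name: {property: value}} from tmsh list output.
    The interactive prompt line and anything outside a { ... } block is ignored."""
    objects = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        start = BLOCK_START.match(line)
        if start:
            current = {}
            objects[start.group(1)] = current
            continue
        if line == "}":
            current = None
            continue
        if current is not None:
            prop = PROPERTY.match(line)
            if prop:
                current[prop.group(1)] = prop.group(2).strip()
    return objects


def prefix_length(address, mask):
    """Prefix length for an IPv4 address/mask pair.
    Assumption: tmsh shows mask 'any' for the wildcard address; treat it as /0."""
    if mask in ("any", "any6"):
        return 0
    return ipaddress.ip_network(f"{address}/{mask}", strict=False).prefixlen


def find_network_addresses_answering(text):
    """Flag network (non-host) virtual addresses with ARP or ICMP echo enabled.
    Each finding is (name, prefixlen, arp, icmp_echo, remediation command)."""
    findings = []
    for name, props in parse_virtual_addresses(text).items():
        address = props.get("address", name)
        mask = props.get("mask", "255.255.255.255")
        plen = prefix_length(address, mask)
        if plen >= 32:
            continue  # single host address: answering for itself is expected
        arp = props.get("arp", "disabled")
        icmp = props.get("icmp-echo", "disabled")
        if arp == "enabled" or icmp == "enabled":
            fix = f"tmsh modify ltm virtual-address {name} icmp-echo disabled"
            findings.append((name, plen, arp, icmp, fix))
    return findings


if __name__ == "__main__":
    for name, plen, arp, icmp, fix in find_network_addresses_answering(SAMPLE_TMSH_OUTPUT):
        print(f"{name}/{plen}: arp={arp} icmp-echo={icmp} -> {fix}")
```

Run it against the saved output of `tmsh list ltm virtual-address all-properties` from the box; the one object it flags in the sample is the /24 network address, which is exactly the kind of entry that makes the unit answer echo requests for hosts that do not exist. As shaggy notes, disabling ICMP echo on a forwarding virtual address can also stop ICMP from passing through to the backend, so treat each finding as a review item rather than an automatic change.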
    
    • pdiab_72047
      It is actually a directly connected network and not a VIP subnet. Why would the F5 in the first place reply for a host that doesn't exist on that subnet? And it looks like the MAC is for the VLAN on the F5 and not the physical interface on the F5.