
OPERATIONAL DEFECT DATABASE
Firewall rules intended to restrict access to an APM daemon running on the BIG-IP system can incorrectly match TCP monitor traffic generated by the BIG-IP system itself. The rules reject all inbound TCP traffic to port 54321, so when a monitor connection happens to use 54321 as its source port, the pool member's SYN/ACK (addressed to that port) is rejected as well.
This may result in monitors incorrectly failing and pool members incorrectly being marked down. A packet capture of the monitor traffic shows the BIG-IP system receiving a SYN/ACK from a pool member and responding with an ICMP port unreachable error instead of completing the handshake.
This can occur even if the BIG-IP system is not provisioned for APM or SWG.
As a workaround, add the following iptables commands to the '/config/startup' script and reboot the BIG-IP system (or run the commands manually once). They replace the rule that rejects every TCP segment to port 54321 with one that rejects only new connection attempts (SYN set, ACK clear), which a pool member's SYN/ACK does not match; deleting and re-appending the SYN-only rule keeps a single copy of it whether or not it was already present:

  /sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable
  /sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
  /sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
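The following script is an added example written for this page; it is not F5's code and is not part of the workaround as published. It wraps the three iptables commands above in an idempotent check-then-fix routine suitable for calling from '/config/startup': it reads the current INPUT chain with 'iptables -S INPUT', decides whether a rule is present that rejects all TCP to port 54321 (the one that also catches the SYN/ACK replies) or whether the SYN-only rule is missing, and only then applies the workaround. The script name fix_54321.sh, the function names, the IPTABLES variable and the sample rule dumps are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not F5's code). Detects and fixes an INPUT rule that
# rejects *all* TCP traffic to port 54321, which also rejects the pool
# member's SYN/ACK when a BIG-IP monitor used 54321 as its source port,
# and replaces it with the SYN-only tcp-reset rule from the workaround.
# Assumed: /sbin/iptables path and 'iptables -S' output format.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # assumed path; override for testing
PORT=54321

# Return 0 if the dump ($1, text of 'iptables -S INPUT') contains a rule
# that rejects TCP to $PORT without a --tcp-flags restriction, i.e. a rule
# that would also reject an incoming SYN/ACK.
has_broad_reject() {
    dump="$1"
    printf '%s\n' "$dump" \
      | grep -E -- "^-A INPUT .*--dport ${PORT}( |$)" \
      | grep -v -- '--tcp-flags' \
      | grep -q -- '-j REJECT'
}

# Return 0 if the dump already carries the intended SYN-only tcp-reset rule.
# iptables may print the flag list as SYN,ACK or ACK,SYN, so accept both.
has_syn_only_reject() {
    dump="$1"
    printf '%s\n' "$dump" \
      | grep -E -- "^-A INPUT .*--dport ${PORT} --tcp-flags (SYN,ACK|ACK,SYN) SYN -j REJECT --reject-with tcp-reset" \
      >/dev/null
}

# Apply the workaround exactly as published. Each -D may fail when the
# rule is absent, so failures there are ignored; deleting the SYN-only
# rule before appending it keeps a single copy after repeated runs.
apply_fix() {
    "$IPTABLES" -D INPUT -p tcp --dport "$PORT" -j REJECT --reject-with icmp-port-unreachable 2>/dev/null || true
    "$IPTABLES" -D INPUT -p tcp -m tcp --dport "$PORT" --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset 2>/dev/null || true
    "$IPTABLES" -A INPUT -p tcp -m tcp --dport "$PORT" --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
}

# Inspect the live chain and only touch the firewall when needed.
main() {
    dump="$("$IPTABLES" -S INPUT)"
    if has_broad_reject "$dump" || ! has_syn_only_reject "$dump"; then
        echo "port $PORT rules interfere with monitors; applying workaround"
        apply_fix
    else
        echo "port $PORT rules already correct; nothing to do"
    fi
}

# Run main only when invoked as fix_54321.sh (assumed name), so the
# functions above can also be sourced from another script.
if [ "${0##*/}" = "fix_54321.sh" ]; then main; fi
```

Before and after running it, 'iptables -S INPUT | grep 54321' shows which port 54321 rules are loaded, and 'tcpdump -ni 0.0 'tcp port 54321 or icmp'' on the BIG-IP confirms the symptom described above (a SYN/ACK from the pool member immediately followed by an ICMP port unreachable from the BIG-IP) has stopped.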
Firewall rules no longer incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321.