Symptoms
Firewall rules intended to restrict access to an APM daemon running on the BIG-IP system might incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321.
Impact
This may result in monitors incorrectly failing, and pool members incorrectly marked down. A packet capture of the monitor traffic will show the BIG-IP system receive a SYN/ACK from a pool member, and respond with an ICMP port unreachable error.
Conditions
This can occur even if a BIG-IP system is not provisioned for APM or SWG.
Workaround
As a workaround, add these iptables commands to the '/config/startup' script, and reboot the BIG-IP system (or manually run these commands once). These commands modify the firewall rule to prevent interference with monitoring:
/sbin/iptables -D INPUT -p tcp --dport 54321 -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -D INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m tcp --dport 54321 --tcp-flags ACK,SYN SYN -j REJECT --reject-with tcp-reset
Fix Information
Firewall rules no longer incorrectly interfere with TCP monitor traffic generated by the BIG-IP system on port 54321.
