Sarah_258804
May 09, 2016

Can I change the default ephemeral ports that the F5 uses for health monitoring?

Currently I see that my F5 is reaching out to the servers in my server pools on low ephemeral ports for health monitoring. For example, I have a health monitor for DNS so that the F5 reaches out to the DNS servers to ensure that DNS is working properly. The source port coming from the F5 has a huge range from sometimes 7000 up to 65535. We are trying to standardize the ephemeral ports used in our datacenter to use the standard Microsoft ephemeral ports, 49152 - 65535 for ACI filtering.

Can I manually change which ports the F5 uses to send requests on? I know we are currently doing this with Linux servers, so I'd like to do it with the F5s as well.

  • Same as you would on a Linux host:

    echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range

    • Sarah_258804
      Hm, so I have found that after a reboot the port range went back to using 32768 - 61000. Furthermore, I'm seeing that the F5 monitors are reaching out on ports even lower than that (5612).

      [ Wed May 11 16:44:37 2016 830113 usecs]: Src IP: 10.251.12.3, Dst IP: 10.251.113.11, Src Port: 5929, Dst Port: 80, Src Intf: port-channel11 , Protocol: 6

      The source IP from the F5 is its own self-IP on a port-channel interface. I'm not sure if that matters, but could there be another location where it's pulling its own source port range?
    • ekaleido
      It should. And since you did the echo above, anytime it does reboot it will come back with the ephemeral range configured.
    • Sarah_258804
      That command took. And this will ensure that the F5 will start using only these ephemeral ports without the need of a reboot, correct?
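
An added example, not part of the original thread: a check that parses flow-log lines in the format quoted above and lists flows from the F5 self-IP whose source port falls outside the 49152 - 65535 range the poster wants to permit. The function names are hypothetical, and every sample line except the first (quoted from the thread) is constructed.

```python
import re

# Range the original poster wants to permit in the ACI filters.
ALLOWED = (49152, 65535)

# Matches the flow-log format quoted in the thread.
FLOW_RE = re.compile(
    r"Src IP: (?P<src>[\d.]+), Dst IP: (?P<dst>[\d.]+), "
    r"Src Port: (?P<sport>\d+), Dst Port: (?P<dport>\d+)"
)

def parse_port_range(text):
    """Parse the "low high" format used by ip_local_port_range."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"expected two integers, got {text!r}")
    low, high = int(parts[0]), int(parts[1])
    if not (0 < low <= high <= 65535):
        raise ValueError(f"invalid port range {low}-{high}")
    return low, high

def out_of_range_flows(lines, source_ip, allowed=ALLOWED):
    """Return (src_port, dst_ip, dst_port) for each flow from source_ip
    whose source port is outside the allowed ephemeral range."""
    low, high = allowed
    hits = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m or m["src"] != source_ip:
            continue  # unparseable line, or traffic from another sender
        sport = int(m["sport"])
        if not low <= sport <= high:
            hits.append((sport, m["dst"], int(m["dport"])))
    return hits

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "[ Wed May 11 16:44:37 2016 830113 usecs]: Src IP: 10.251.12.3, Dst IP: 10.251.113.11, Src Port: 5929, Dst Port: 80, Src Intf: port-channel11 , Protocol: 6",
    "[ Wed May 11 16:44:38 2016 120044 usecs]: Src IP: 10.251.12.3, Dst IP: 10.251.113.12, Src Port: 51022, Dst Port: 53, Src Intf: port-channel11 , Protocol: 17",
    "[ Wed May 11 16:44:39 2016 004410 usecs]: Src IP: 10.251.12.3, Dst IP: 10.251.113.11, Src Port: 33810, Dst Port: 80, Src Intf: port-channel11 , Protocol: 6",
    "[ Wed May 11 16:44:40 2016 551200 usecs]: Src IP: 10.251.40.9, Dst IP: 10.251.113.11, Src Port: 1200, Dst Port: 80, Src Intf: port-channel11 , Protocol: 6",
]

if __name__ == "__main__":
    for sport, dst, dport in out_of_range_flows(SAMPLE, "10.251.12.3"):
        print(f"source port {sport} -> {dst}:{dport} is outside {ALLOWED[0]}-{ALLOWED[1]}")
```

Passing `parse_port_range()` the contents of `/proc/sys/net/ipv4/ip_local_port_range` as `allowed` compares the observed source ports against the range the host currently has configured instead of the target range.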