Forum Discussion
goldberg_33306
Nimbostratus
NimbostratusBasic TCPDUMP Question
When I capture traffic on the "internal" and "external" interfaces, why do I see the same syn from the client on both interfaces? I know this is a basic feature within F5 LTM, but just looking for a technical explanation.
Thanks
5 Replies
- nitass
Employee
have you seen this one?
sol8082: Overview of TCP connection set-up for BIG-IP LTM virtual server types
http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html
hope this helps. 
goldberg_33306Thanks for the link. It does explain a few things but for a standard virtual server, I don't see the syn (from the client) being re-used on the server end. Here is an example:
tcpdump -i external -n host 101.20.17.25 and port 80
12:03:59.218520 101.20.17.25.1287 > 101.20.17.100.80: S 19608494:19608494(0) win 8192 (DF)
tcpdump -i internal -n host 101.20.17.25 and port 80
12:03:59.218600 101.20.17.25.1287 > 192.19.20.1.80: S 19608494:19608494(0) win 8192 (DF)
My client is 101.20.17.25 and my vip is 101.20.17.100. My pool member is 192.19.20.1
I get that the vip translates the dest. to the pool member but where I'm confused is with the SYN being the same on the internal and external.
Thanks for the help!- nitassthis is mine. tcpdump line (1) is client-side's sync and line (4) is server-side one.
[root@ve10:Active] config b virtual bar list virtual bar { pool foo destination 172.28.19.79:80 ip protocol 6 } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:80 {} } [root@ve10:Active] config tcpdump -nni 0.0 port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes (1) 21:49:14.666797 IP 172.28.19.251.42625 > 172.28.19.79.80: S 4154211562:4154211562(0) win 5840 (2) 21:49:14.666837 IP 172.28.19.79.80 > 172.28.19.251.42625: S 335438378:335438378(0) ack 4154211563 win 4380 (3) 21:49:14.667754 IP 172.28.19.251.42625 > 172.28.19.79.80: . ack 1 win 46 (4) 21:49:14.667789 IP 172.28.19.251.42625 > 200.200.200.101.80: S 2841681353:2841681353(0) win 4380 (5) 21:49:14.668755 IP 200.200.200.101.80 > 172.28.19.251.42625: S 240397414:240397414(0) ack 2841681354 win 5792 (6) 21:49:14.668781 IP 172.28.19.251.42625 > 200.200.200.101.80: . ack 1 win 4380 - nitassthis is fastl4 profile (performance l4 virtual server).
[root@ve10:Active] config b virtual bar list virtual bar { pool foo destination 172.28.19.79:80 ip protocol 6 profiles fastL4 {} } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:80 {} } [root@ve10:Active] config tcpdump -nni 0.0 port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes (1) 21:53:21.256902 IP 172.28.19.251.42626 > 172.28.19.79.80: S 4119262028:4119262028(0) win 5840 (2) 21:53:21.256957 IP 172.28.19.251.42626 > 200.200.200.101.80: S 4119262028:4119262028(0) win 5840 (3) 21:53:21.257660 IP 200.200.200.101.80 > 172.28.19.251.42626: S 427681894:427681894(0) ack 4119262029 win 5792 (4) 21:53:21.257675 IP 172.28.19.79.80 > 172.28.19.251.42626: S 427681894:427681894(0) ack 4119262029 win 5792 (5) 21:53:21.258752 IP 172.28.19.251.42626 > 172.28.19.79.80: . ack 1 win 46 (6) 21:53:21.258764 IP 172.28.19.251.42626 > 200.200.200.101.80: . ack 1 win 46 - goldberg_33306Great! Thanks for the info! This clears things up.
