Forum Discussion

Mark_Cloutier's avatar
Icon for Nimbostratus rankNimbostratus
Sep 26, 2018

Issue with NTP, odd tcpdump behavior

I have two new HA pairs of i5800s running version 13.1.1 and ntp isn't working. I know I may have firewall rules that have yet to be implemented, or not implemented properly, but in troubleshooting I found something odd in tcpdump behavior. If I run tcpdump -nni any port 123, I see packets going out (can't tell which interface) but they have a source ip of the non-floating self-ip on my internal vlan. However tcpdump -nni internal port 123 does not see those packets.... the internal vlan is assigned as an untagged vlan to a trunk that is also named internal, containing two 1 Gig interfaces, 1.2 and 1.4


From the tcpdump -nni any port 123 15:11:14.243324 IP > NTPv4, Client, length 48 out slot1/tmm0 lis= 15:11:14.243328 IP > NTPv4, Client, length 48 out slot1/tmm0 lis= 15:11:17.205098 IP > NTPv4, Client, length 48 out slot1/tmm0 lis= From tcpdump -nn1 internal port 123 [root@apm01-corp-DCNDH-EPVD-RI-US:Active:In Sync] config tcpdump -nni internal port 123 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on internal, link-type EN10MB (Ethernet), capture size 65535 bytes


3 Replies

  • More info, I removed the 1.4 interface from the trunk, added it to the internal vlan as an untagged interface and removed the internal trunk from the internal vlan. Now tcpdump -i 1.4 port 123 sees the traffic but tcpdump -i internal port 123 does not.... Maybe a bug?


  • further info, this works fine on an 4000s platform, but not on the i5800, something about interface bundling maybe? I'm not using any bundles, but wondering if it screws up the naming


  • There is a major hardware difference between a 4000 and i5800, as 2000/4000 don't have a switchboard.



    However, I don't think is the problem you are seen.


    Do you have route domains?


    Can you take the tcpdump with -s0 and nnn?


    Here are some helpful links:



    Latest versions of Wireshark have the F5 plugin integrated, you just need to enable. Save the capture to a file and open with the Wireshark.



    "Comment made 5 months ago by Jason Cohen F5 As of Wireshark 2.6 (rel. 4/24/2018) the f5ethtrailer is included as a built-in dissector. Wireshark 2.6.0 incorporated the 1.11b version of the dissector.



    It is disabled by default. To enable it, from the menu select "Anyalyze" : "Enabled Protocols...". Then search for f5ethtrailer and enable the dissector."