Forum Discussion

am_gli_287451's avatar
Icon for Nimbostratus rankNimbostratus
Jul 27, 2018

tcpdump flooded with failover packets


I often have a problem with tcpdump on clustered devices. If I e.g. start a dump like this:

'tcpdump -ni 0.0:p host'

the terminal is flooded with messages like these every few microseconds:

13:20:56.003601 IP > failover_packet {
   failover_packet_cluster_mgmt_ip ip_address
   failover_packet_slot_id uword 0
   failover_packet_state ulong 5
   failover_packet_sub_state ulong 0
   failover_packet_monitor_fault ulong 0
   failover_packet_hop_cnt uword 2
   failover_packet_peer_signal ulong 0
   failover_packet_version ulong 2
   failover_packet_msg_bits ulong 2
   failover_packet_traffic_grp_score ulong 8386
   failover_packet_device_load ulong 2
   failover_packet_device_capacity ulong 0
   failover_packet_traffic_group_load ulong 2
   failover_packet_build_num ulong 3944176344
   failover_packet_next_active ulong 1
   failover_packet_traffic_grp string `/Common/traffic-group-1`
   failover_packet_previous_active ulong 1
   failover_packet_active_reason ulong 0
   failover_packet_left_active_reason ulong 8
 out slot1/tmm0 lis=

It's a little annoying, since with the 0.0:p I want to see the packet on client and server side (which SNAT-IP it uses, which member) - so the only possibility to get rid of it is to constantly exclude with grep -v

Am I doing something wrong about TCPdump?

Or is there any flag that disables these messages?

Or is this due to a wrong configuration of the F5 itself?

Or is it intended behavior?

4 Replies

  • You are not doing anything wrong with your TCPDUMP; you're just capturing more data than you need to. Those packets you're seeing are the network failover "heartbeat" transmitted between devices in a sync-failover device group. If you would rather not see this traffic, then filter out UDP port 1026 on your TCPDUMP command. Or, better yet, filter for the protocol and ports you do want to see.


    • Amresh008's avatar
      Icon for Nimbostratus rankNimbostratus

      I get similar response even after limiting the traffic capture to port 1026.

  • you want to not capture port 1026 traffic. To do so, specify “not port 1026” in the tcpdump command. For example: 'tcpdump -ni 0.0:p host and not port 1026’

  • Hi,

    I have same issue.

    Tried to take tcpdump only on internal and external interface avoiding HA interface. Tried also your command to aviod port 1026. Tried multiple combinations, but nothing works for me.

    Command for taking dump in attachment was: 

    tcpdump -nni 0.0:nnnp -s0 host <VIP_IP> and not port 1026 -w /var/tmp/syslog.pcap -v