tcpdump flooded with failover packets
Hi,
I often have a problem with tcpdump on clustered devices. If I e.g. start a dump like this:
'tcpdump -ni 0.0:p host 192.168.1.1'
the terminal is flooded with messages like these every few microseconds:
13:20:56.003601 IP 1.1.1.2.44098 > 1.1.1.1.cap: failover_packet {
failover_packet_cluster_mgmt_ip ip_address 10.10.10.10
failover_packet_slot_id uword 0
failover_packet_state ulong 5
failover_packet_sub_state ulong 0
failover_packet_monitor_fault ulong 0
failover_packet_hop_cnt uword 2
failover_packet_peer_signal ulong 0
failover_packet_version ulong 2
failover_packet_msg_bits ulong 2
failover_packet_traffic_grp_score ulong 8386
failover_packet_device_load ulong 2
failover_packet_device_capacity ulong 0
failover_packet_traffic_group_load ulong 2
failover_packet_build_num ulong 3944176344
failover_packet_next_active ulong 1
failover_packet_traffic_grp string `/Common/traffic-group-1`
failover_packet_previous_active ulong 1
failover_packet_active_reason ulong 0
failover_packet_left_active_reason ulong 8
}
out slot1/tmm0 lis=
It's a little annoying, since with the 0.0:p I want to see the packet on client and server side (which SNAT-IP it uses, which member) - so the only possibility to get rid of it is to constantly exclude with grep -v
Am I doing something wrong about TCPdump?
Or is there any flag that disables these messages? Or is this due to a wrong configuration of the F5 itself? Or is it intended behavior?
- honduras96Nimbostratus
Hi,
I have the same issue.
Tried to take tcpdump only on internal and external interface avoiding HA interface. Tried also your command to avoid port 1026. Tried multiple combinations, but nothing works for me.
Command for taking dump in attachment was:
tcpdump -nni 0.0:nnnp -s0 host <VIP_IP> and not port 1026 -w /var/tmp/syslog.pcap -v
- crodriguezRet. Employee
You want to not capture port 1026 traffic. To do so, specify "not port 1026" in the tcpdump command. For example: 'tcpdump -ni 0.0:p host 192.168.1.1 and not port 1026'
- crodriguezRet. Employee
You are not doing anything wrong with your TCPDUMP; you're just capturing more data than you need to. Those packets you're seeing are the network failover "heartbeat" transmitted between devices in a sync-failover device group. If you would rather not see this traffic, then filter out UDP port 1026 on your TCPDUMP command. Or, better yet, filter for the protocol and ports you do want to see.
- Amresh008Nimbostratus
I get a similar response even after limiting the traffic capture to port 1026.
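Added example, not part of any post above: a post-filter for tcpdump's text output that drops each multi-line failover_packet decode as a whole block, which a line-by-line grep -v cannot do. The function names strip_failover and sample_capture are hypothetical, the sample lines are constructed, and the handling of the "out slot1/tmm0 lis=" trailer assumes it follows the closing brace on its own line, as in the output quoted in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): post-filter for tcpdump text output that
# removes the multi-line failover_packet decodes. grep -v works line by line and
# cannot drop a whole block; this awk state machine can.
strip_failover() {
    awk '
        # Start of a decoded heartbeat, e.g. "... > 1.1.1.1.cap: failover_packet {"
        /failover_packet \{[ \t]*$/ { in_block = 1; after_block = 0; next }
        # Inside the block: drop everything up to and including the closing brace.
        in_block {
            if ($0 ~ /^[ \t]*\}[ \t]*$/) { in_block = 0; after_block = 1 }
            next
        }
        # Assumption taken from the sample in the thread: the TMM trailer
        # ("out slot1/tmm0 lis=") sits on its own line right after the brace.
        after_block {
            after_block = 0
            if ($0 ~ /^(in|out) slot[0-9]+\/tmm[0-9]+/) next
        }
        { print }
    '
}

# Constructed sample: two ordinary packets around one heartbeat block.
sample_capture() {
    cat <<'EOF'
13:20:56.001200 IP 10.0.0.5.51234 > 192.168.1.1.443: Flags [S], length 0 in slot1/tmm0 lis=/Common/vs_example
13:20:56.003601 IP 1.1.1.2.44098 > 1.1.1.1.cap: failover_packet {
failover_packet_slot_id uword 0
failover_packet_traffic_grp string `/Common/traffic-group-1`
}
out slot1/tmm0 lis=
13:20:56.004100 IP 10.20.0.9.40112 > 10.20.0.50.8080: Flags [S], length 0 out slot1/tmm0 lis=/Common/vs_example
EOF
}

# Live use would be: tcpdump -l -ni 0.0:p host 192.168.1.1 | strip_failover
sample_capture | strip_failover
```

The filter only changes what is displayed; a capture written with -w still contains the heartbeat packets unless the capture filter excludes them.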