09-Feb-2021 12:50
hi,
I have a situation where tcpdump on BIG-IP only shows traffic hitting the VIP (the 3-way handshake) but nothing between the LTM <-> back end server. As a result, tcpdump on the firewall after the BIG-IP shows no traffic hitting the actual back end server. There is SNAT in place to hide the source IP on BIG-IP. If there is no traffic that appears in tcpdump between LTM <-> back end server, could it be because somewhere between the two the routing for the SNAT IP is not in place, and hence the LTM doesn't bother to send the traffic to the server?
any help is appreciated.
thanks.
09-Feb-2021 13:27 - last edited on 04-Jun-2023 21:03 by JimmyPackets
Hi too,
You can run a tcpdump that contains both client-side and server-side traffic using the p switch.
An example would be:
tcpdump -i 0.0:nnnp host <VS_ipAddress> -w /shared/tmp/somefile.cap
Also see this KB article for more details: K20233108: Running the tcpdump utility using the p interface modifier
Or you did that tcpdump already and you still don't see any attempt to send traffic to any pool member?
Are health monitors OK, showing green? Can you observe traffic from the health monitors or did you try to curl / telnet to the pool members?
KR
Daniel
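As an added illustration, not code from this thread or from F5: a small Python parser that reads `tcpdump -n` output taken on all interfaces and counts bare SYNs on the client side (toward the virtual server) separately from the server side (from the SNAT address to a pool member), which is exactly the check the question asks for. The VIP, SNAT and pool-member addresses and the capture lines are constructed sample values.

```python
import re
from collections import Counter

# One line of "tcpdump -n" output, e.g.
# 12:50:01.123456 IP 192.0.2.10.51000 > 198.51.100.5.80: Flags [S], seq 0, win 64240, length 0
PKT = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample addresses (assumptions, not from the original thread).
VIP = "198.51.100.5"          # virtual server address
SNAT_IPS = {"10.0.0.5"}       # SNAT address the BIG-IP uses toward the servers
POOL_MEMBERS = {"10.0.1.20"}  # back end server

# Constructed capture reproducing the symptom: the client handshake completes on the
# VIP, but no server-side connection from the SNAT address ever appears.
SYMPTOM_CAPTURE = """\
12:50:01.100000 IP 192.0.2.10.51000 > 198.51.100.5.80: Flags [S], seq 0, win 64240, length 0
12:50:01.100100 IP 198.51.100.5.80 > 192.0.2.10.51000: Flags [S.], seq 0, ack 1, win 64240, length 0
12:50:01.100200 IP 192.0.2.10.51000 > 198.51.100.5.80: Flags [.], ack 1, win 64240, length 0
""".splitlines()

# Same client flow, but this time the BIG-IP opens its server-side connection.
HEALTHY_CAPTURE = SYMPTOM_CAPTURE + [
    "12:50:01.100900 IP 10.0.0.5.40000 > 10.0.1.20.80: Flags [S], seq 0, win 64240, length 0",
    "12:50:01.101000 IP 10.0.1.20.80 > 10.0.0.5.40000: Flags [S.], seq 0, ack 1, win 64240, length 0",
]

def count_syns(lines, vip=VIP, snat_ips=SNAT_IPS, pool_members=POOL_MEMBERS):
    """Count bare SYNs (flags 'S', not 'S.') on each side of the full proxy."""
    counts = Counter()
    for line in lines:
        m = PKT.match(line)
        if not m or m["flags"] != "S":
            continue                      # skip unparsable lines and non-SYN packets
        if m["dst"] == vip:
            counts["client_side"] += 1    # client -> virtual server
        elif m["src"] in snat_ips and m["dst"] in pool_members:
            counts["server_side"] += 1    # BIG-IP (SNAT address) -> pool member
    return counts

def verdict(counts):
    """Say which side of the proxy is missing connection attempts."""
    if counts["client_side"] and not counts["server_side"]:
        return "no-server-side-flow"      # nothing sent to the pool: check pool/monitors and SNAT routing
    if counts["client_side"] and counts["server_side"]:
        return "both-sides-present"
    return "no-client-side-flow"
```

Feed it `tcpdump -ni 0.0 ... ` output saved with `-w` and replayed through `tcpdump -nr file`, or pipe the live text output straight in.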
09-Feb-2021 13:57
Hi Daniel,
Thanks for the prompt reply. What you have suggested is not something I have done yet. As I read through the article, it says to follow caution when using the "p" switch? Is it that heavy on the box to run tcpdump with that switch? In that case I might need to do it after hours maybe. Yes, the health monitors are all green. The tcpdump I did earlier was using the curl command though.
thanks.
09-Feb-2021 23:04 - last edited on 05-Jun-2023 23:04 by JimmyPackets
I think that practically every article on that matter will mention that you should be careful when you run tcpdump on a busy box. I don't know whether your box is busy or not, but here are some hints.
You can run tcpdump -D. This will output a list of all available interfaces. You could use the corresponding interface from the list, instead of using 0.0. Example:
Also you should filter as precisely as possible and combine filters. In the following example I filter for host IP and port.
Also in this example I use tcpdump -n to disable name resolution of host names. Example:
tcpdump -ni external host 10.100.200.50 and port 80
And if you are really not sure whether running a tcpdump will be too heavy for your box during daytime... Yes, running it after hours might be better.