I have a situation where tcpdump on BIG-IP only shows traffic hitting the VIP (the 3-way handshake) but nothing between the LTM <-> back end server. As a result, tcpdump on the firewall after the BIG-IP shows no traffic hitting the actual back end server. There is SNAT in place to hide the source IP on the BIG-IP. If no traffic appears in tcpdump between the LTM <-> back end server, could it be because somewhere between the two the routing for the SNAT IP is not in place, and hence the LTM doesn't bother to send the traffic to the server?
Any help is appreciated.
09-Feb-2021 13:27 - last edited on 04-Jun-2023 21:03 by JimmyPackets
You can run a tcpdump that contains both client-side and server-side traffic using the p switch.
An example would be:
tcpdump -i 0.0:nnnp host <VS_ipAddress> -w /shared/tmp/somefile.cap
Also see this KB article for more details: K20233108: Running the tcpdump utility using the p interface modifier
Or you did that tcpdump already and you still don't see any attempt to send traffic to any pool member?
Are health monitors OK, showing green? Can you observe traffic from the health monitors or did you try to curl / telnet to the pool members?
Thanks for the prompt reply. What you have suggested is not something I have done yet. As I read through the article, it says to follow caution when using the "p" switch? Is it that heavy on the box to run tcpdump with that switch? In that case I might need to do it after hours, maybe. Yes, the health monitors are all green. The tcpdump I did earlier was using the curl command, though.
09-Feb-2021 23:04 - last edited on 05-Jun-2023 23:04 by JimmyPackets
I think that practically every article on that matter will mention that you should be careful when you run tcpdump on a busy box. I don't know whether your box is busy or not, but here are some hints.
You can run tcpdump -D. This will output a list of all available interfaces. You could use the corresponding interface from the list, instead of using 0.0. Example:
Also, you should filter as precisely as possible and combine filters. In the following example I filter for host IP and port.
Also, in this example I use tcpdump -n to disable name resolution of host names. Example:
tcpdump -ni external host 10.100.200.50 and port 80
And if you are really not sure whether running a tcpdump will be too heavy for your box during daytime... yes, running it after hours might be better.
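As an added illustration, not code from the thread or from F5: once you have the combined client-side and server-side capture the first reply describes, this script reads tcpdump's text output (as printed by tcpdump -nn), pairs each client SYN to the VIP with a later server-side SYN from a SNAT address to a pool member, and reports client connections for which the LTM never opened a server-side connection. The VIP, SNAT and pool member addresses and the capture lines are constructed for the example.

```python
import re

# Constructed addresses (hypothetical, not from the thread).
VIP = "198.51.100.5"          # virtual server address
SNAT_IPS = {"10.0.0.200"}     # SNAT address(es) used towards the pool
POOL_MEMBERS = {"10.0.1.50"}  # back end server(s)

# Constructed tcpdump -nn text output: two client handshakes on the VIP,
# but only the second one is followed by a server-side SYN.
SAMPLE_CAPTURE = """\
13:27:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.80: Flags [S], seq 1, win 64240, length 0
13:27:01.000050 IP 198.51.100.5.80 > 203.0.113.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
13:27:01.000100 IP 203.0.113.10.51234 > 198.51.100.5.80: Flags [.], ack 3, win 64240, length 0
13:27:02.000001 IP 203.0.113.11.40000 > 198.51.100.5.80: Flags [S], seq 9, win 64240, length 0
13:27:02.000050 IP 198.51.100.5.80 > 203.0.113.11.40000: Flags [S.], seq 4, ack 10, win 65535, length 0
13:27:02.000100 IP 203.0.113.11.40000 > 198.51.100.5.80: Flags [.], ack 5, win 64240, length 0
13:27:02.000200 IP 10.0.0.200.12345 > 10.0.1.50.80: Flags [S], seq 7, win 64240, length 0
"""

# One tcpdump line: timestamp, src.port > dst.port, TCP flags in brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(text):
    """Yield one dict per parseable tcpdump line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(text, vip=VIP, snat_ips=SNAT_IPS, pool_members=POOL_MEMBERS):
    """Pair client-side SYNs (to the VIP) with server-side SYNs (SNAT -> pool member).

    Because the LTM is a full proxy it completes the client handshake first, so a
    server-side SYN is attributed to the most recent client SYN still waiting.
    Returns counts plus the client connections that never got a server-side SYN.
    """
    pending, n_client, n_server = [], 0, 0
    for p in parse(text):
        if p["flags"] != "S":          # only a pure SYN opens a new connection
            continue
        if p["dst"] == vip:
            n_client += 1
            pending.append(f'{p["src"]}:{p["sport"]}')
        elif p["src"] in snat_ips and p["dst"] in pool_members:
            n_server += 1
            if pending:
                pending.pop()          # latest waiting client SYN is now served
    return {"client_syns": n_client, "server_syns": n_server, "unmatched": pending}


if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE))
```

A non-empty "unmatched" list is exactly the symptom in the question: the client handshake completed on the VIP, but no SYN ever left towards a pool member. Feed it real output with tcpdump -nnr /shared/tmp/somefile.cap once the :p capture has been taken.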