tcpdump
tcpdump and vlan filter
Hi, I have a setup (BIG-IP 11.2.0HF7 VE on ESX 5.1) with int_vlan (interface 1.2) configured as tagged (VLAN ID 350) and connected to a VMnet set with ID 4095 (so trunk type). W2K8 has its interface configured with VLAN ID 350 as well.

When using:

tcpdump -ni 1.2 -v -e 'vlan 350'

no traffic is captured.

tcpdump -ni 1.2 -v -e 'host 10.128.30.100' (the IP of the W2K8 interface): I can see correct tags in the captured packets:

16:40:07.086904 00:50:56:a9:86:30 > 00:50:56:a9:3b:eb, ethertype 802.1Q (0x8100), length 78: vlan 350, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 616, offset 0, flags [none], proto: ICMP (1), length: 60) 10.128.30.100 > 10.128.30.239: ICMP echo request, id 3, seq 20827, length 40

tcpdump -ni 1.2 -v -e | grep 'vlan 350' - this one correctly displays packets with my VLAN.

Am I doing something wrong, or is the vlan filter not working for v11.2.0? I tried an advanced filter as well, like this:

tcpdump -ni 1.2 -v -e 'ether[14:2] & 4095 == 350'

(as advised in K2289), but the result is the same.

Piotr

Decrypting SSL traffic - PMS and egress
Hi - two questions combined. Background: I'm trying to catch and decipher tcpdump both for Client -> VIP and F5 -> Pool Member traffic. I'm following this tutorial: Decrypt with tcpdump --f5 ssl

I managed to catch the frontend traffic, but I'm struggling with creating the PMS key. I want to automate it using the provided wireshark cmd command, but I get the error:

C:\Program Files\Wireshark: invalid option -- 'T'
C:\Program Files\Wireshark: invalid option -- 'e'

I'm using Wireshark 3.4.8 - what would be the equivalent options for my version? Unfortunately, using Linux in this environment is out of the question. I can only work on a Windows stepping stone and can't send the captures to my PC.

Second issue: catching the backend traffic does not produce the F5 TLS in the pcap capture... The server SSL profile is present, but I have no idea how to force the --f5 ssl option in tcpdump to catch the keys.

Will appreciate any advice - it is my second day struggling with the issue.

TACACS not working - No TACACS packets in TCPDUMP
Hi, I have a problem with user authentication over TACACS on BIG-IP 12.0 HF2 (Virtual Edition). I configured TACACS and added host routes for the TACACS servers over the MGMT interface, all according to the config guide, but it is not working. There are no packets in the TCP dump. I tried TCPDUMP over all interfaces, also with the command

tcpdump -nni 0.0 port 49

but there is no packet in the trace. In the log there are these messages:

May 25 16:30:30 f5-04-1 warning httpd[14928]: pam_unix(httpd:auth): check pass; user unknown
May 25 16:30:30 f5-04-1 notice httpd[14928]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=10.24.131.4
May 25 16:30:33 f5-04-1 err httpd[14928]: [error] [client 10.24.131.4] AUTHCACHE PAM: user 'xxx' - not authenticated: Authentication failure, referer: https://localhost:15443/tmui/login.jsp?msgcode=1&
May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016").
May 25 16:30:33 f5-04-1 info httpd(pam_audit)[14928]: 01070417:6: AUDIT - user xxx - RAW: httpd(pam_audit): User=xxx tty=(unknown) host=10.24.131.4 failed to login after 1 attempts (start="Wed May 25 16:30:30 2016" end="Wed May 25 16:30:33 2016").

TACACS configuration:

auth source {
    type tacacs
}
auth tacacs system-auth {
    encryption disabled
    protocol ip
    secret $M$DF$/p4kusJntSq1Ydp41sLeZCOA/SrorObenISS/2pX08k=
    servers {
        192.168.134.206
        10.51.10.68
    }
    service ppp
}

Management routes configuration:

sys management-route default {
    description configured-statically
    gateway 10.24.131.1
    mtu 1500
    network default
}
sys management-route TACACS-1 {
    gateway 10.24.131.1
    network 192.168.134.206/32
}
sys management-route TACACS-2 {
    gateway 10.24.131.1
    network 10.51.10.68/32
}

Any suggestions?

How do I decrypt pcaps from the selfIP to Pool members for health monitor traffic?
I can apply an iRule and decrypt pcaps for a conversation between a client and a virtual server and on the server side, but I cannot find any documentation on how to get the Pre Master Secret keys for a health monitor conversation.

APM VPN Clients - DNS Resolution Failing Intermittently
Hi all,

I've run into an issue with my remote users, who are getting intermittent connection problems which seem to be related to DNS resolution failing. They're a mix of Windows 7 and Windows 10 clients and there doesn't seem to be a pattern to it; sooner or later connectivity will fail due to DNS. Interestingly, when the VPN is disconnected, this problem still remains, and either rebooting the machine or resetting the TCP/IP stack will bring it back to life (resetting the TCP/IP stack tends to work more often than a reboot). The event sometimes causes client machines to completely freeze too.

From a client machine earlier, I couldn't perform resolution against either the DNS servers configured in my Network Access profile or the DNS server configured from the local DSL router (which may not be relevant, as I believe nslookup doesn't work with the Relay Proxy Service?). However, using Google DNS for the query, DNS resolution worked fine. IP connectivity is not impacted whatsoever; I can still ping the DNS servers configured on the client, and I can still access resources using the IP instead of the FQDN.

I recently upgraded my BIG-IP cluster to version 14.1.2 (from 14.0.0.2), but this hasn't seemed to do anything, unfortunately, and I've also asked my users to try using the SSL webvpn instead of the Edge Client (which should be a compatible version), but the issue persists.

My Network Access policy is configured as follows (and I'm forcing all traffic through the tunnel):

IPv4 Primary Name Server: 10.x.x.x
IPv4 Secondary Name Server: 10.x.x.x
Primary WINS Server: 10.x.x.x
DNS Default Domain Suffix: mydomain@company.com
Enforce DNS search order: Enabled

I've changed the DNS Relay Proxy Service in Windows to automatically recover if it stops/fails (but I don't believe it does stop anyway). I'm also in the process of checking the hotfixes installed on my machine (which never seems to have a problem) and on other client machines.

Any suggestions on how to fix this would be greatly appreciated!

tcpdump 'h' noise amplifier
Does anyone know the definition of the 'h' noise amplifier in tcpdump? It's possible to use this amplifier when I sniff TMM traffic or CMI traffic, so I think it's just to sniff internal process traffic. Could anyone verify this?

tcpdump -nnei tmm:h host 127.1.1.2 and host 127.1.1.254
tcpdump -nnei VLAN_HA:h host 1.1.1.1 and port 6699

Is there any official doc related to this?

KR, Dario.

TCPDUMP capture for Performance Virtual Server
Hi Team,

We are having an issue with a VIP which is configured as a Performance (Layer 4) Virtual Server.

Issue: The application hosted on the back-end server is not accessible through the VIP, but when users directly access the backend server from the internal network, they are able to access it.

Observation: We suspect the return route from the back-end server; we are not sure whether the next-hop gateway for the route on the server is the floating IP on the F5 or the firewall IP (L3). That we have yet to check with the server team (not getting a response from the back-end server team).

Meanwhile, what I thought is that I can do a tcpdump capture on the LTM for the Performance (Layer 4) Virtual Server (VIP) and try to see whether I can find something in it. Do I need to capture the tcpdump between the Client IP and the Backend Server, or between the Client IP and the VIP IP? I am unable to understand how to capture the tcpdump for the connection flow, because the TCP session flow for a Performance (Layer 4) Virtual Server is different from a standard virtual server. Please help me.

SSLDUMP "OpenSSL: decryption enabled." meaning
I was playing with SSLDUMP on our lab F5. I tried the below command to capture some SSL traffic:

ssldump -r /path/xxx.pcap -i (interface) -dn host x.x.x.x

As a result I got the below message:

ssldump 0.9b3 Copyright (C) 1998-2001 RTFM, Inc. All rights reserved. Compiled with OpenSSL: decryption enabled

Does this mean that I have enabled decryption for the URL? I need to know what this means, so that I do not make the same mistake in production. Please help me by providing clarification for the message.