Forum Discussion

gof5's avatar
gof5
Icon for Altostratus rankAltostratus
Feb 09, 2021

ltm shows only half session in tcpdump

hi,

i have a situation where tcpdump on BIG-IP only shows traffic hitting the VIP(the 3-way handshake) but nothing between the LTM <-> back end server.As a result tcpdump on firewall after the BIG-IP shows no traffic hitting the actual back end server. There is SNAT in place to hide the Source IP on BIG-IP.If there is no traffic that appears in tcpdump between LTM<-> back end server could it be because somewhere between the two the routing for the SNAT IP is not in place? and hence the LTM doesn't bother to send the traffic to the server?

any help is appreciated.

thanks.

4 Replies

  • Hi too,

    You can run a tcpdump that contains both client-side and server-side traffic using the p switch.

    An example would be:

    tcpdump -i 0.0:nnnp host <VS_ipAddress> -w /shared/tmp/somefile.cap

    Also see this KB article for more details: K20233108: Running the tcpdump utility using the p interface modifier

    Or you did that tcpdump already and you still don't see any attempt to send traffic to any pool member?

    Are health monitors OK, showing green? Can you observe traffic from the health monitors or did you try to curl / telnet to the pool members?

    KR

    Daniel

    • gof5's avatar
      gof5
      Icon for Altostratus rankAltostratus

      Hi Daniel,

      thanks for the prompt reply. what you have suggested is not something i have done yet. as i read through the article it says to follow caution when using the "p" switch? is it that heavy on the box to run tcpdump with that switch? in that case i might need to do it after hours maybe. yes the health monitors are all green. the tcpdump i did earlier was using the curl command though.

      thanks.

      • I think that practically every article on that matter will mention that you should be careful when you run tcpdump on a busy box. I don't know whether your box is busy or not, but here are some hints.

        You can run tcpdump -D. This will output a list of all available interfaces. You could use the corresponding interface from the list, instead of using 0.0. Example:

        Also you should filter as precisely as possible and combine filters. In the following example I filter for host IP and port.

        Also in this example I use tcpdump -n to disable name resolution of host names. Example:

        tcpdump -ni external host 10.100.200.50 and port 80

        And if you are really not sure, whether running a tcpdump will be too heavy for your box during daytime... Yes, running it after hours might be better.

  • gof5's avatar
    gof5
    Icon for Altostratus rankAltostratus

    thanks. i will organise tester to be able to run the tcpdump as per the suggestions.