Forum Discussion

goldberg_33306's avatar
goldberg_33306
Icon for Nimbostratus rankNimbostratus
Oct 10, 2012

Basic TCPDUMP Question

When I capture traffic on the "internal" and "external" interfaces, why do I see the same syn from the client on both interfaces? I know this is a basic feature within F5 LTM, but just looking for a technical explanation.

 

 

Thanks

 

5 Replies

  • have you seen this one?

     

     

    sol8082: Overview of TCP connection set-up for BIG-IP LTM virtual server types

     

    http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8082.html

     

     

    hope this helps.
  • Thanks for the link. It does explain a few things but for a standard virtual server, I don't see the syn (from the client) being re-used on the server end. Here is an example:

     

     

    tcpdump -i external -n host 101.20.17.25 and port 80

     

    12:03:59.218520 101.20.17.25.1287 > 101.20.17.100.80: S 19608494:19608494(0) win 8192 (DF)

     

     

    tcpdump -i internal -n host 101.20.17.25 and port 80

     

    12:03:59.218600 101.20.17.25.1287 > 192.19.20.1.80: S 19608494:19608494(0) win 8192 (DF)

     

     

    My client is 101.20.17.25 and my vip is 101.20.17.100. My pool member is 192.19.20.1

     

    I get that the vip translates the dest. to the pool member but where I'm confused is with the SYN being the same on the internal and external.

     

     

    Thanks for the help!
  • this is mine. tcpdump line (1) is client-side's sync and line (4) is server-side one.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    (1) 21:49:14.666797 IP 172.28.19.251.42625 > 172.28.19.79.80: S 4154211562:4154211562(0) win 5840 
    (2) 21:49:14.666837 IP 172.28.19.79.80 > 172.28.19.251.42625: S 335438378:335438378(0) ack 4154211563 win 4380 
    (3) 21:49:14.667754 IP 172.28.19.251.42625 > 172.28.19.79.80: . ack 1 win 46 
    (4) 21:49:14.667789 IP 172.28.19.251.42625 > 200.200.200.101.80: S 2841681353:2841681353(0) win 4380 
    (5) 21:49:14.668755 IP 200.200.200.101.80 > 172.28.19.251.42625: S 240397414:240397414(0) ack 2841681354 win 5792 
    (6) 21:49:14.668781 IP 172.28.19.251.42625 > 200.200.200.101.80: . ack 1 win 4380 
    
    
  • this is fastl4 profile (performance l4 virtual server).

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       profiles fastL4 {}
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    (1) 21:53:21.256902 IP 172.28.19.251.42626 > 172.28.19.79.80: S 4119262028:4119262028(0) win 5840 
    (2) 21:53:21.256957 IP 172.28.19.251.42626 > 200.200.200.101.80: S 4119262028:4119262028(0) win 5840 
    (3) 21:53:21.257660 IP 200.200.200.101.80 > 172.28.19.251.42626: S 427681894:427681894(0) ack 4119262029 win 5792 
    (4) 21:53:21.257675 IP 172.28.19.79.80 > 172.28.19.251.42626: S 427681894:427681894(0) ack 4119262029 win 5792 
    (5) 21:53:21.258752 IP 172.28.19.251.42626 > 172.28.19.79.80: . ack 1 win 46 
    (6) 21:53:21.258764 IP 172.28.19.251.42626 > 200.200.200.101.80: . ack 1 win 46