tcpdump and Forwarding (IP) Virtual Servers

Question

I can not figure out why tcpdump won't capture TCP packets, but can capture ICMP packets when accessing a node on an internal vlan through a Forwarding (IP) Virtual Server. I have tried both using the vlan name for the interface (i.e. tcpdump -ni internal1 host x.x.x.x), and 0.0 (i.e. tcpdump -ni 0.0 host x.x.x.x). When I ping I can see the incoming and response packets. However if I telnet to an open port, tcpdump displays nothing. 
  
 Anyone know why this is? 
  
 virtual vs_0_0_0_0_any { 
    destination any:any 
    ip forward 
    profile fastl4_vs_0_0_0_0_any 
 } 
  
 profile fastL4 fastl4_vs_0_0_0_0_any { 
    defaults from fastL4 
    idle timeout 7200 
 }

the_bhattman · Answer

Do you have ASIC turned on for vs_0_0_0_0? 
&nbsp;  
&nbsp; CB &nbsp;

hooleylist · Answer

For FastL4 VIPs, try running tcpdump on the interface number and not the VLAN name.  This is described in SOL6546.  The solution suggests disabling acceleration on the VIP, but using the interface number should work as well if the VIP doesn't have heavy load while you're tracing. 
&nbsp;  
&nbsp; SOL6546: Recommended methods and limitations for running tcpdump on a BIG-IP version system 
&nbsp; https://support.f5.com/kb/en-us/solutions/public/6000/500/sol6546.html 
&nbsp;  
&nbsp; Limitations 
&nbsp;  
&nbsp; The tcpdump utility runs on the Linux Host CPU, which does not receive PVA-accelerated traffic. Therefore, virtual server traffic that is fully accelerated by the PVA chip will not be captured by tcpdump. The PVA chip resides on the switchboard, between the BIG-IP system's switch subsystem and the host motherboard. 
&nbsp;  
&nbsp; Aaron

smp_86112 · Answer

Regarding PVA, it's a little strange: the VIP is using a FastL4 profile where the PVA Acceleration value is set to "Full", but the VIP properties it is displayed as "Assisted". So I'm not sure which value it is. 
&nbsp;  
&nbsp; But thank you so much for that SOL reference hoolio. I don't know why I could not find that doc myself. I did use the interface number and was able to get at least some of the packets. That combined with the doc addresses my question. 
&nbsp;  
&nbsp; Thanks again. This has been a problem which has bothered me for a loooong time...

the_bhattman · Answer

A combination of factors determine weather PVA will be honored, regardless of hard codding the setting. 
&nbsp;  
&nbsp; Please look at the following documentation regarding PVA 
&nbsp;  
&nbsp; https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4832.html 
&nbsp;  
&nbsp; I hope this helps 
&nbsp; CB 
&nbsp;  &nbsp;

smp_86112 · Answer

That was another really nice reference doc. Thanks CB.

Forum Discussion

tcpdump and Forwarding (IP) Virtual Servers

5 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

8. SYN Cookie: Troubleshooting tcpdump

Decrypting TLS with the tcpdump sslprovider

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire

Tcpdump Capture