Forum Discussion

Mark_Cloutier
Sep 26, 2018

Issue with NTP, odd tcpdump behavior

I have two new HA pairs of i5800s running version 13.1.1 and NTP isn't working. I know I may have firewall rules that have yet to be implemented, or not implemented properly, but in troubleshooting I found something odd in tcpdump behavior. If I run tcpdump -nni any port 123, I see packets going out (can't tell which interface) but they have a source IP of the non-floating self-IP on my internal VLAN. However, tcpdump -nni internal port 123 does not see those packets. The internal VLAN is assigned as an untagged VLAN to a trunk that is also named internal, containing two 1 Gig interfaces, 1.2 and 1.4.

 

From the tcpdump -nni any port 123

    15:11:14.243324 IP 172.31.1.86.21857 > 192.168.251.50.123: NTPv4, Client, length 48 out slot1/tmm0 lis=
    15:11:14.243328 IP 172.31.1.86.26767 > 192.168.251.52.123: NTPv4, Client, length 48 out slot1/tmm0 lis=
    15:11:17.205098 IP 172.31.1.86.29537 > 10.11.73.31.123: NTPv4, Client, length 48 out slot1/tmm0 lis=

From tcpdump -nni internal port 123

    [root@apm01-corp-DCNDH-EPVD-RI-US:Active:In Sync] config tcpdump -nni internal port 123
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on internal, link-type EN10MB (Ethernet), capture size 65535 bytes

 

3 Replies

  • More info, I removed the 1.4 interface from the trunk, added it to the internal vlan as an untagged interface and removed the internal trunk from the internal vlan. Now tcpdump -i 1.4 port 123 sees the traffic but tcpdump -i internal port 123 does not.... Maybe a bug?

     

  • Further info, this works fine on a 4000s platform, but not on the i5800, something about interface bundling maybe? I'm not using any bundles, but wondering if it screws up the naming.

     

  • There is a major hardware difference between a 4000 and i5800, as 2000/4000 don't have a switchboard.

     

    https://support.f5.com/csp/article/K14686

     

    However, I don't think this is the problem you are seeing.

     

    Do you have route domains?

     

    Can you take the tcpdump with -s0 and nnn?

     

    Here are some helpful links:

     

    https://support.f5.com/csp/article/K411
    https://support.f5.com/csp/article/K13637
    https://support.f5.com/csp/article/K6546

     

    The latest versions of Wireshark have the F5 plugin integrated; you just need to enable it. Save the capture to a file and open it with Wireshark.

     

    https://devcentral.f5.com/d/wireshark-plugin

     

    "Comment made 5 months ago by Jason Cohen F5 As of Wireshark 2.6 (rel. 4/24/2018) the f5ethtrailer is included as a built-in dissector. Wireshark 2.6.0 incorporated the 1.11b version of the dissector.

     

    https://www.wireshark.org/news/20180424.html

     

    It is disabled by default. To enable it, from the menu select "Analyze" : "Enabled Protocols...". Then search for f5ethtrailer and enable the dissector."