Bug ID 1007909: Tcpdump with :p (peer flow) flag does not capture forwarded between TMMs

Last Modified: Dec 20, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2

Opened: Mar 31, 2021

Severity: 3-Major

Symptoms

When using tcpdump with the :p flag, it does not capture all packets that are processed by multiple TMMs.

Impact

Causes confusion since there will be packets missing from tcpdump captures.

Conditions

Traffic flows are handled by multiple TMMs, e.g., one of the following:
-- 'preserve strict' set on virtual servers
-- a CMP-demoted virtual server
-- Service Provider (SP) DAG configured, but using custom mappings for some client IP addresses, or some traffic flows using VLANs without SPDAG configured.

Workaround

Use a packet capture filter to capture clientside and serverside flows directly, without relying on the peer flow flag (":p").
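
One way to build such a filter, as an added example that is not part of the original bug record: the function name, the addresses and the output path are constructed for illustration, and the `0.0` interface and `:nnn` detail level are general F5 tcpdump conventions rather than something this page states.

```shell
#!/bin/sh
# Build a capture filter that names both sides of a proxied connection
# explicitly, so the capture does not depend on the ":p" peer-flow flag.
# All addresses below are constructed sample values (documentation ranges).

# two_sided_filter CLIENT VIP VIP_PORT SERVERSIDE_SRC MEMBER [MEMBER...]
#   CLIENT          client source address seen on the clientside flow
#   VIP, VIP_PORT   virtual server destination
#   SERVERSIDE_SRC  source address BIG-IP uses toward the pool: the SNAT
#                   address when SNAT is in use, otherwise the client address
#   MEMBER...       pool member addresses the serverside flow may reach
two_sided_filter() {
    if [ "$#" -lt 5 ]; then
        echo "usage: two_sided_filter CLIENT VIP VIP_PORT SERVERSIDE_SRC MEMBER..." >&2
        return 1
    fi
    client=$1 vip=$2 vport=$3 ss_src=$4
    shift 4
    members=""
    for m in "$@"; do
        if [ -z "$members" ]; then
            members="host $m"
        else
            members="$members or host $m"
        fi
    done
    # Clientside clause OR serverside clause; either side matches on its own.
    printf '(host %s and host %s and port %s) or (host %s and (%s))\n' \
        "$client" "$vip" "$vport" "$ss_src" "$members"
}

filter=$(two_sided_filter 203.0.113.10 192.0.2.80 443 \
    198.51.100.5 198.51.100.21 198.51.100.22)

# Print the command to run on the BIG-IP. 0.0 captures on all interfaces and
# :nnn adds TMM detail to each packet; ":p" is deliberately absent.
# /var/tmp/two_sided.pcap is an assumed output path.
printf "tcpdump -ni 0.0:nnn -s0 -w /var/tmp/two_sided.pcap '%s'\n" "$filter"
```

Because both flows are matched by address, packets are captured regardless of which TMM handles each side.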

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips