TCPDump on vEdge doesn't capture traffic
12-27-2023 11:27 AM
Hi Guys
I am troubleshooting NTP connectivity and a sync failure using TCPDUMP. When I run the tcpdump interface X/X options "dst ip X.X.X.X" or tcpdump vpn X options "dst ip X.X.X.X", I don't see any traffic being sent out to the NTP Server. The TCPDUMP is listening, but it doesn't capture any traffic. The SD-WAN Controllers and vEdge are running the software version 20.6.5.2. Does anyone here have any ideas why the TCPDUMP isn't working as expected?
12-27-2023 11:29 AM
Can I see the config of vpn0 of the vEdge?
MHM
12-27-2023 12:04 PM
Hi @MHM Cisco World
Here is the information.
vpn 0
 dns 8.8.8.8 primary
 interface ge0/0
  description Interface
  mtu 1504
  no shutdown
 !
 interface ge0/1
  description LAN
  mtu 1504
  no shutdown
 !
 interface ge0/1.200
  description WAN
  ip address X.X.X.X/29
  nat
  !
  tracker tracker1
  tunnel-interface
   encapsulation ipsec
   color custom1
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 ip route 0.0.0.0/0 X.X.X.X
12-27-2023 12:13 PM
no allow-service ntp <- allow ntp and check again
MHM

12-27-2023 02:04 PM
Hi,
Based on provided information, NTP does not run under VPN0 tunnel interface. Enable it.
But if it does not work, then provide config for NTP server.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
12-27-2023 06:33 PM
Thank you for letting me know.
In this case, where the NTP service is not allowed on the transport interface (VPN 0), the vEdge will not be able to synchronize the time using specific transport, is that correct?
12-27-2023 07:28 PM
You are totally correct
MHM
12-27-2023 09:38 PM
If NTP is not allowed, then vEdge cannot do NTP sync in underlay using VPN0 IP addresses. You still may have NTP over another VPN.
This "allow-service" command affects VPN0 underlay traffic only.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
12-29-2023 09:35 AM - edited 12-29-2023 09:37 AM
Let me give you a heads up about the test.
The vEdge is running in CLI mode. I enabled "allow-service ntp" on the transport interface, but the tcpdump still doesn't show any NTP traffic generated by the router.
To troubleshoot, I decided to switch the vEdge to vManaged mode, configured the NTP server in the template, and pushed the configuration to the device. While the NTP synchronization was successful, the tcpdump still doesn't show any traffic.
Even though the NTP issue has been resolved, the main issue persists. Is the NTP traffic flowing through a specific transport or service VPN?
Does anyone here have any ideas?
12-29-2023 09:44 AM
Where is the NTP server?
MHM
12-29-2023 12:23 PM
It's a public NTP server (200.160.0.8).
12-30-2023 01:11 AM
vedge1# show ntp peer | tab
share this thanks
MHM

12-30-2023 01:04 AM
Is the NTP traffic flowing through a specific transport or service VPN?
Totally depends on your configuration. Can you share configuration from vManage or from CLI by "show running-config system ntp"?
Plus, how do you use tcpdump: on the Viptela CLI or in vshell? Which exact command do you type?
I checked in lab, it works:
tcpdump -p -i ge0_0 -s 128 host 1.1.1.1 -n in VPN 0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ge0_0, link-type EN10MB (Ethernet), snapshot length 128 bytes
12:37:32.477439 IP 172.20.1.1.123 > 1.1.1.1.123: NTPv4, Client, length 48
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
Please rate and mark as an accepted solution if you have found any of the information provided useful.
12-30-2023 02:20 PM - edited 12-30-2023 02:22 PM
Here are the details you requested.
vEdge1# show run system ntp
system
 ntp
  parent
   no enable
   stratum 5
  exit
  server 200.160.0.8
   version 4
  exit
 !
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vEdge1#show ntp peer | tab
INDEX  REMOTE         REFID           ST  TYPE  WHEN  POLL  REACH  DELAY   OFFSET  JITTER
--------------------------------------------------------------------------------------------
1      +200.160.0.8   200.160.89.161  2   u     359   1024  377    11.262  1.405   0.105
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I'm running the tcpdump in the CLI because I don't have permission to run it in the vshell (This is a Cisco-hosted environment).
vEdge1# tcpdump vpn 0 interface ge0/1.200 options "host 200.160.0.8"
## Error: "testbed" not defined
/usr/bin/vconfd_script_validate.sh: line 236: [: =: unary operator expected
tcpdump -p -i ge0_1.200 -s 128 host 200.160.0.8 in VPN 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_1.200, link-type EN10MB (Ethernet), capture size 128 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
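An added example, not part of any poster's reply: a small parser for "show ntp peer | tab" rows that decodes the REACH register and estimates how long a tcpdump has to stay open before the next NTP poll can appear on the wire. It assumes the vEdge columns carry the standard ntpq meanings (WHEN = seconds since the last packet from the peer, POLL = poll interval in seconds, REACH = octal shift register); the second sample row is constructed.

```python
# Added example; column meanings assume standard ntpq peer semantics.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier"}
UNITS = {"m": 60, "h": 3600, "d": 86400}

# Constructed sample: the peer row posted in the thread, plus a made-up
# second peer that has never answered.
SAMPLE = """\
INDEX REMOTE REFID ST TYPE WHEN POLL REACH DELAY OFFSET JITTER
-------------------------------------------------------------
1 +200.160.0.8 200.160.89.161 2 u 359 1024 377 11.262 1.405 0.105
2 192.0.2.10 .INIT. 16 u - 64 0 0.000 0.000 0.000
"""

def to_seconds(field):
    """WHEN is plain seconds or a value suffixed m/h/d; '-' means no packet yet."""
    if field == "-":
        return None
    if field[-1] in UNITS:
        return int(field[:-1]) * UNITS[field[-1]]
    return int(field)

def parse_peers(text):
    peers = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11 or not f[0].isdigit():
            continue  # header, separator or prompt line
        tally = f[1][0] if f[1][0] in TALLY else ""
        when, poll = to_seconds(f[5]), int(f[6])
        reach = int(f[7], 8)  # octal shift register, one bit per poll
        peers.append({
            "remote": f[1][len(tally):],
            "state": TALLY.get(tally, "not selected"),
            "answered": bin(reach).count("1"),       # replies in the last 8 polls
            "last_poll_answered": bool(reach & 1),
            # Minimum capture window needed to see the next client packet.
            "next_poll_in": poll if when is None else max(poll - when, 0),
        })
    return peers

if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(f"{p['remote']}: {p['state']}, {p['answered']}/8 polls answered, "
              f"next poll in about {p['next_poll_in']} s")
```

For the row posted above this reports 8 of 8 polls answered and roughly 665 seconds until the next poll, so a capture stopped sooner than that would legitimately show 0 packets.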
12-30-2023 02:42 PM
server 200.160.0.8
 vpn 0
 version 4
Since the server has a public IP, you need to use VPN0.
MHM
