VSX tcpdump causes reboot

Juan_Concepcion · ‎2018-05-08

Appliance: 23800

Version R80.10 Jumbo Hotfix 56

Recently learned the hard way that running tcpdump causes the system to reboot - happened multiple times. At first we thought it was because we ran it without a filter so it overwhelmed the box, however, even with a filter after about a minute the box fails over.

Wondering if anyone has run into this??

P.S. Yes I've opened a case just reaching out to the general public see if anyone has experienced anything similar. This is impacting a very large deployment.

--Juan

XBensemhoun · ‎2018-05-09

Did you tried tcpdump on root context or on the desired one?

Did you tried fw monitor?

Information Security enthusiast, CISSP, CCSP

Juan_Concepcion · ‎2018-05-09

The fw monitor works without issue – with tcpdump doesn’t matter what context you run it from, after a minute or so the box reboots – no messaging or anything it’s rebooting your session just hangs.

--Juan

XBensemhoun · ‎2018-05-09

OK ; weird

I do not have the answer but I can surely recommend you to use fw monitor instead of tcpdump.

Note (if needed) that you can also export fw monitor trace files in Wireshark (refer to How to configure Wireshark for analysis of FW Monitor captures )

Also if needed: check What is FW Monitor?

Information Security enthusiast, CISSP, CCSP

Juan_Concepcion · ‎2018-05-09

tcpdump is useful in some scenarios as it captures traffic before the firewall kernel.

Thanks,

Juan Concepcion

VSX tcpdump causes reboot

Migration of existing Network Infra from Maestro s...

How to configure PPPoE as backup link is ISP Redun...

How to check CP FW ARP age timeout currently?

externally managed gateway sending logs to Private...

Enhanced MAC VLANs - Fortinet Competitive Query