Technical Tip: UDP packets OUT with source and destination port 0 displayed on sniffer trace on SLBC passive chassis

cskuan · ‎04-19-2019

Description
This article explains the UDP packets with src and dst port 0 observed on sniffer output on the worker blade at SLBC passive chassis.

Solution
When sniffing on worker blades on the “passive” chassis, observed many UDP packets with only OUT direction and both src and dst port 0.

Below are the examples of the sniffing output:

filters=[host 10.123.1.122 or host 10.129.9.61]
2016-03-15 10:27:23.227492 fctrl/Agg3 out 10.123.1.122.0 -> 10.123.1.124.0: udp 32
0x0000    0000 0000 0000 0009 0f9c 6d58 0800 4500    ..........mX..E.
...................

2016-03-15 10:27:23.227497 fctrl/Agg1 out 10.129.9.61.0 -> 10.123.1.122.0: udp 32
0x0000    0000 0000 0000 0009 0f9c 6d55 0800 4500    ..........mU..E.
...................

2016-03-15 10:27:41.230443 fctrl/Agg3 out 10.123.1.122.0 -> 10.123.1.124.0: udp 32
0x0000    0000 0000 0000 0009 0f9c 6d58 0800 4500    ..........mX..E.
...................

2016-03-15 10:27:41.230447 fctrl/Agg1 out 10.129.9.61.0 -> 10.123.1.122.0: udp 32
0x0000    0000 0000 0000 0009 0f9c 6d55 0800 4500    ..........mU..E.
...................

Note:
   -These are NOT forwarded “production” traffic.

   -These packets are special packets from worker blade (FortiGate) to the FortiController.

   -These packets are used to remote setup UDP session on FortiController.

For more details on how SLBC handles UDP packet, kindly refer to the guide here.