topic Re: Packet rate on inside and outside interface doesn't match in Network Security

Packet rate on inside and outside interface doesn't match

nikolamitev — Tue, 12 Mar 2019 00:14:04 GMT

Hi,

I am doing some pre-deployment testing with a ASA5585X and noticed that when I feed it a stream of SYN packets on the outside interface the measured traffic rate on the inside interface going out is about 10x the rate of the outside interface going in.

laptop --- ASA --- PC

I send 6k TCP SYN pkts at interface rate from the laptop targeted at PC. No packets are dropped by ACLs or policies and can be sniffed at the PC.

Show interface commands show:

sh int inside:

... ...

Traffic Statistics for "inside":

...

1 minute input rate 23 pkts/sec, 1303 bytes/sec

1 minute output rate 4454 pkts/sec, 820757 bytes/sec

sh int outside:

... ...

Traffic Statistics for "outside":

...

1 minute input rate 885 pkts/sec, 70847 bytes/sec

1 minute output rate 7 pkts/sec, 425 bytes/sec

I would expect that if 885 pkts/sec enter the firewall on the outside interface the same amount or less would exit it on the inside...?

Any clues as to why this is not the case? The paket rate is about 5x and the data rate is about 10x greater.

Cheers,

Nik

Packet rate on inside and outside interface doesn't match

Julio Carvajal — Sun, 28 Oct 2012 17:29:37 GMT

Hello Nikolamitev,

See what you mean and I do understand your question but lets start with the basic.

capture capout interface outside match ip host outside_host_pc host inside_global_pc

capture capin interface inside match ip host outside_host host inside_global_pc

After you generate a connection ( just one) do a show cap ( you should see same amount of traffic on both captures) if that is the case then it is something not related to our connection and we will need to work on a different capture.

Let me know if this was the case ( same amount of bytes on each capture)

Regards

Julio

Packet rate on inside and outside interface doesn't match

nikolamitev — Mon, 29 Oct 2012 10:25:07 GMT

Thanks for your reply Julio.

I did run a test similar to what you ask for before and I didn't find any differences. I ran it again exactly as you specified just in case and packets are identical - 1:1

I also tried making a single but more intensive connection, like in a large file transfer and that increases counters on both interfaces as expected.

It seems to me that it has to do with tcp intercept or a similar feature of the firewall. i believe I read somwhere recently that the firewall is doing some checks on the validity of the destinaton for new connections and I am inclined to ascribe the extra traffic to those checks. I am failing to find that passage though so I might well be wrong or have misunderstood something.

All my attempts to see the extra traffic in captures or tcpdump have been unsuccessful so far.

Packet rate on inside and outside interface doesn't match

nikolamitev — Mon, 29 Oct 2012 10:41:09 GMT

It might be worth adding that somewhat counterintuitively I am having to do those tests on a live VLAN and the setum is actually PC -- vlanX -- inside FW outside -- laptop (directly plugged into FW)

On vlanX there are a number of hosts and some loadbalancing and multicast traffic is creating a constant noise.

The below is the normal situation outside of any purposefully generated traffic.

Traffic Statistics for "outside":

...

1 minute input rate 0 pkts/sec, 0 bytes/sec

1 minute output rate 6 pkts/sec, 388 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 0 pkts/sec, 0 bytes/sec

5 minute output rate 7 pkts/sec, 430 bytes/sec

5 minute drop rate, 0 pkts/sec

Traffic Statistics for "inside":

...

1 minute input rate 25 pkts/sec, 1258 bytes/sec

1 minute output rate 26 pkts/sec, 2916 bytes/sec

1 minute drop rate, 1 pkts/sec

5 minute input rate 25 pkts/sec, 1284 bytes/sec

5 minute output rate 26 pkts/sec, 2935 bytes/sec

5 minute drop rate, 1 pkts/sec

Re: Packet rate on inside and outside interface doesn't match

Julio Carvajal — Mon, 29 Oct 2012 16:22:51 GMT

Hello Nikolamitev,

Do the following capture

clear interface

capture capin interface inside circular-buffer

capture capout interface outside circular-buffer.

Then check for different traffic, let me know if you see something different, try to download them on wireshark

Regards,

Re: Packet rate on inside and outside interface doesn't match

nikolamitev — Tue, 30 Oct 2012 14:58:25 GMT

Thanks for your input Julio,

I seems it jogged my brains a bit and I think I figured out what the issue is. The firewall is configured to log to two syslog servers on the inside interface - turning off the syslogging brought the traffic graphs for the two interfaces in sync again.

Looks like the locally generated syslog traffic is filtered out of captures, as I did not see it in there.

Again, thanks for your time.

Nik

Re: Packet rate on inside and outside interface doesn't match

Julio Carvajal — Tue, 30 Oct 2012 16:32:45 GMT

Hello Nikolamitev,

Exactly Glad that we could resolved the issue.

Remember to rate all of the helpful posts ( If you do not know how to do it just let me know, I will let you know how)

Also if you do not have any other question please mark it as answered

Regards,

Julio