Cisco ASA denying part of a traffic

mkardos11
Level 1

Hello,


I am facing an interesting situation where a Firepower with the ASA module is passing only part of a communication. This is very strange for me and I have no idea what can cause this issue. The situation is that we have, let's say, a server - client model, where a client is asking for data from the server over port TCP/2000. The client (10.248.224.9) is behind the ingress interface of the capture and the server (10.248.187.36) is behind the egress interface of the capture. The client is connected wired, the server wireless. So the client initiates a 3-way handshake, which is successful and can be seen on both interfaces (ingress and egress). The client initiates a connection many times using random different source ports. Then the server continuously sends data over TCP port 2000, and the client acknowledges it. Most of the packets sent by the server are 200 bytes of data with the PSH flag set. It can be seen that the firewall merges these and sends them as bigger packets - which, as I understand it, is due to the PSH flag and is to use the TCP window effectively.

What is strange is that on the ingress interface, a lot of the communication is missing. There are connections where only a 3-way handshake and reset can be seen, as well as connections where only part of the data is present. On the egress interface, all the communication can be seen - even the ACKs from the client acknowledging traffic which was not present on the ingress interface.

It seems this is application specific, but does anyone have an idea what the root cause can be?

I am attaching captures as well.


Many thanks for any advice.

Martin

4 Replies

mkardos11
Level 1

Is there any chance the ASA is affecting the traffic because TCP 2000 is the well-known port for SCCP? I absolutely need to test it.
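For anyone checking the same suspicion: on an ASA, TCP/2000 is matched by the default inspection class and handed to the Skinny (SCCP) inspection engine, which validates and can drop segments that are not well-formed SCCP messages, so a non-SCCP application on that port can lose part of its data while the handshake still completes. The following is an added example (not from the original post or from Cisco documentation) showing how to verify whether that inspection is active and how to turn it off in the default global policy; the policy and class names are the ASA defaults, and the hostname `asa` is a placeholder.

```text
! --- Verify: is Skinny inspection applied to the default inspection class? ---
asa# show run policy-map
policy-map global_policy
 class inspection_default
  inspect skinny          <-- present in the default configuration
  ...

! Per-interface counters for the Skinny inspector (packets inspected / dropped)
asa# show service-policy inspect skinny

! --- Mitigate: remove Skinny inspection from the global policy ---
! Only do this if no real SCCP (IP phone) traffic crosses this ASA; otherwise
! those phones lose the dynamic media pinholes the inspector opens for them.
asa# configure terminal
asa(config)# policy-map global_policy
asa(config-pmap)# class inspection_default
asa(config-pmap-c)# no inspect skinny
asa(config-pmap-c)# end
asa# write memory

! --- Re-verify: the inspector should no longer be listed for this class ---
asa# show run policy-map
```

If the drops stop once `inspect skinny` is removed, the inspector was the cause and the cleaner long-term fix is still the one suggested in this thread: move the application off port 2000 and restore the inspection.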

denilson.mota
Level 1

Hello,


I saw this problem happen before, and the reason is that port 2000 is reserved; try changing the server port to another port instead of 2000.

Cheers,

Yeah, I have already contacted the vendor to test another port. Thanks.

Don't forget to come back with the resolution in case it is solved, and rate the helpful post!


Cheers
