10-25-2012 08:19 AM - edited 03-11-2019 05:14 PM
Hi,
I am doing some pre-deployment testing with an ASA5585X and noticed that when I feed it a stream of SYN packets on the outside interface, the measured traffic rate on the inside interface going out is about 10x the rate of the outside interface going in.
laptop --- ASA --- PC
I send 6k TCP SYN pkts at interface rate from the laptop targeted at PC. No packets are dropped by ACLs or policies and can be sniffed at the PC.
Show interface commands show:
sh int inside:
... ...
Traffic Statistics for "inside":
...
1 minute input rate 23 pkts/sec, 1303 bytes/sec
1 minute output rate 4454 pkts/sec, 820757 bytes/sec
sh int outside:
... ...
Traffic Statistics for "outside":
...
1 minute input rate 885 pkts/sec, 70847 bytes/sec
1 minute output rate 7 pkts/sec, 425 bytes/sec
I would expect that if 885 pkts/sec enter the firewall on the outside interface the same amount or less would exit it on the inside...?
Any clues as to why this is not the case? The packet rate is about 5x and the data rate is about 10x greater.
Cheers,
Nik
10-30-2012 09:32 AM
Hello Nikolamitev,
Exactly. Glad that we could resolve the issue.
Remember to rate all of the helpful posts (if you do not know how to do it, just let me know and I will show you how).
Also, if you do not have any other questions, please mark it as answered.
Regards,
Julio
10-28-2012 10:29 AM
Hello Nikolamitev,
I see what you mean and I do understand your question, but let's start with the basics.
capture capout interface outside match ip host outside_host_pc host inside_global_pc
capture capin interface inside match ip host outside_host host inside_global_pc
After you generate a connection (just one), do a show cap (you should see the same amount of traffic on both captures). If that is the case, then it is something not related to our connection and we will need to work on a different capture.
Let me know if this was the case (same amount of bytes on each capture).
Regards
Julio
10-29-2012 03:25 AM
Thanks for your reply Julio.
I did run a test similar to what you asked for before and I didn't find any differences. I ran it again exactly as you specified just in case, and the packets are identical - 1:1.
I also tried making a single but more intensive connection, like a large file transfer, and that increases the counters on both interfaces as expected.
It seems to me that it has to do with TCP intercept or a similar feature of the firewall. I believe I read somewhere recently that the firewall is doing some checks on the validity of the destination for new connections and I am inclined to ascribe the extra traffic to those checks. I am failing to find that passage though, so I might well be wrong or have misunderstood something.
All my attempts to see the extra traffic in captures or tcpdump have been unsuccessful so far.
10-29-2012 03:41 AM
It might be worth adding that, somewhat counterintuitively, I am having to do those tests on a live VLAN and the setup is actually PC -- vlanX -- inside FW outside -- laptop (directly plugged into FW).
On vlanX there are a number of hosts and some loadbalancing and multicast traffic is creating a constant noise.
The below is the normal situation outside of any purposefully generated traffic.
Traffic Statistics for "outside":
...
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 6 pkts/sec, 388 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 7 pkts/sec, 430 bytes/sec
5 minute drop rate, 0 pkts/sec
Traffic Statistics for "inside":
...
1 minute input rate 25 pkts/sec, 1258 bytes/sec
1 minute output rate 26 pkts/sec, 2916 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 25 pkts/sec, 1284 bytes/sec
5 minute output rate 26 pkts/sec, 2935 bytes/sec
5 minute drop rate, 1 pkts/sec
10-29-2012 09:22 AM
Hello Nikolamitev,
Do the following capture
clear interface
capture capin interface inside circular-buffer
capture capout interface outside circular-buffer
Then check for different traffic, let me know if you see something different, try to download them on wireshark
Regards,
10-30-2012 07:58 AM
Thanks for your input Julio,
It seems it jogged my brains a bit and I think I figured out what the issue is. The firewall is configured to log to two syslog servers on the inside interface - turning off the syslogging brought the traffic graphs for the two interfaces back in sync.
Looks like the locally generated syslog traffic is filtered out of captures, as I did not see it in there.
Again, thanks for your time.
Nik
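An added example (not from the thread or from Cisco) that parses the "Traffic Statistics" lines of show interface and reports how much egress on one interface is not accounted for by ingress on the other; the sample text is constructed from the numbers Nik posted, and the threshold is an assumption. With the values in the thread, the unexplained inside output is about 3569 pkts/sec at roughly 210 bytes per packet, a profile consistent with the firewall sourcing its own syslog datagrams rather than forwarding the SYN stream.

```python
import re

# Constructed sample: the one-minute rates quoted in the original question.
SHOW_INT = """
Traffic Statistics for "inside":
  1 minute input rate 23 pkts/sec, 1303 bytes/sec
  1 minute output rate 4454 pkts/sec, 820757 bytes/sec
Traffic Statistics for "outside":
  1 minute input rate 885 pkts/sec, 70847 bytes/sec
  1 minute output rate 7 pkts/sec, 425 bytes/sec
"""

IFACE_RE = re.compile(r'Traffic Statistics for "([^"]+)":')
RATE_RE = re.compile(
    r'(\d+) minute (input|output) rate (\d+) pkts/sec, (\d+) bytes/sec')


def parse_show_interface(text):
    """Return {iface: {(window_minutes, direction): (pps, bps)}}."""
    stats = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = RATE_RE.search(line)
        if m and current is not None:
            window, direction, pps, bps = m.groups()
            stats[current][(int(window), direction)] = (int(pps), int(bps))
    return stats


def excess_egress(stats, ingress_if, egress_if, window=1, ratio_alert=1.5):
    """Egress on egress_if minus ingress on ingress_if for the same window.

    Pure transit traffic gives egress <= ingress (drops only lower it), so a
    large positive excess means the box itself, or another interface, is
    sourcing packets toward egress_if. ratio_alert (assumed value) flags it.
    """
    in_pps, in_bps = stats[ingress_if][(window, "input")]
    out_pps, out_bps = stats[egress_if][(window, "output")]
    extra_pps = out_pps - in_pps
    extra_bps = out_bps - in_bps
    avg_extra = extra_bps / extra_pps if extra_pps > 0 else 0.0
    ratio = out_pps / in_pps if in_pps else float("inf")
    return {"extra_pps": extra_pps, "extra_bps": extra_bps,
            "pkt_ratio": ratio, "avg_extra_pkt_bytes": avg_extra,
            "suspicious": ratio > ratio_alert}
```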