Packet rate on inside and outside interface doesn't match

nikolamitev
Level 1

Hi,

I am doing some pre-deployment testing with a ASA5585X and noticed that when I feed it a stream of SYN packets on the outside interface the measured traffic rate on the inside interface going out is about 10x the rate of the outside interface going in.

laptop ---  ASA --- PC

I send 6k TCP SYN pkts at interface rate from the laptop targeted at PC. No packets are dropped by ACLs or policies and can be sniffed at the PC.

Show interface commands show:

sh int inside:

... ...

  Traffic Statistics for "inside":

...

      1 minute input rate 23 pkts/sec,  1303 bytes/sec

      1 minute output rate 4454 pkts/sec, 820757 bytes/sec

sh int outside:

... ...

Traffic Statistics for "outside":

...

      1 minute input rate 885 pkts/sec,  70847 bytes/sec

      1 minute output rate 7 pkts/sec,  425 bytes/sec

I would expect that if 885 pkts/sec enter the firewall on the outside interface the same amount or less would exit it on the inside...?

Any clues as to why this is not the case? The packet rate is about 5x and the data rate is about 10x greater.

Cheers,

Nik

6 Replies

Julio Carvajal
VIP Alumni

Hello Nikolamitev,

I see what you mean and I do understand your question, but let's start with the basics.

capture capout interface outside match ip host outside_host_pc host inside_global_pc

capture capin interface inside match ip host outside_host host inside_global_pc

After you generate a connection (just one) do a show cap (you should see the same amount of traffic on both captures). If that is the case then it is something not related to our connection and we will need to work on a different capture.

Let me know if this was the case (same amount of bytes on each capture).

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your reply Julio.

I did run a test similar to what you asked for before and I didn't find any differences. I ran it again exactly as you specified just in case and the packets are identical - 1:1.

I also tried making a single but more intensive connection, like in a large file transfer and that increases counters on both interfaces as expected.

It seems to me that it has to do with TCP intercept or a similar feature of the firewall. I believe I read somewhere recently that the firewall is doing some checks on the validity of the destination for new connections and I am inclined to ascribe the extra traffic to those checks. I am failing to find that passage though, so I might well be wrong or have misunderstood something.

All my attempts to see the extra traffic in captures or tcpdump have been unsuccessful so far.

It might be worth adding that, somewhat counterintuitively, I am having to do those tests on a live VLAN and the setup is actually PC -- vlanX -- inside FW outside -- laptop (directly plugged into the FW).

On vlanX there are a number of hosts, and some load-balancing and multicast traffic is creating a constant noise.

The below is the normal situation outside of any purposefully generated traffic.

  Traffic Statistics for "outside":

...

      1 minute input rate 0 pkts/sec,  0 bytes/sec

      1 minute output rate 6 pkts/sec,  388 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 7 pkts/sec,  430 bytes/sec

      5 minute drop rate, 0 pkts/sec

  Traffic Statistics for "inside":

...

      1 minute input rate 25 pkts/sec,  1258 bytes/sec

      1 minute output rate 26 pkts/sec,  2916 bytes/sec

      1 minute drop rate, 1 pkts/sec

      5 minute input rate 25 pkts/sec,  1284 bytes/sec

      5 minute output rate 26 pkts/sec,  2935 bytes/sec

      5 minute drop rate, 1 pkts/sec

Hello Nikolamitev,

Do the following captures:

clear interface

capture capin interface inside circular-buffer

capture capout interface outside circular-buffer

Then check for different traffic and let me know if you see something different; try to download them and open them in Wireshark.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your input Julio,

It seems it jogged my brain a bit and I think I figured out what the issue is. The firewall is configured to log to two syslog servers on the inside interface; turning off the syslogging brought the traffic graphs for the two interfaces back in sync.

Looks like the locally generated syslog traffic is filtered out of captures, as I did not see it in there.

Again, thanks for your time.

Nik
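The arithmetic behind Nik's diagnosis, as an added example that is not part of the original thread: it parses the "show interface" rate lines quoted in the first post (a constructed copy, with the missing comma restored), works out how much of the inside-interface output the outside-interface input cannot account for, and then, taking the two syslog servers Nik mentions as the assumption, estimates how many syslog messages the ASA emits per forwarded SYN. The function names and the two-server parameter are this example's own.

```python
import re

# Constructed copy of the 'show interface' rate lines quoted in the first post.
SHOW_INT = """\
  Traffic Statistics for "inside":
      1 minute input rate 23 pkts/sec,  1303 bytes/sec
      1 minute output rate 4454 pkts/sec, 820757 bytes/sec
  Traffic Statistics for "outside":
      1 minute input rate 885 pkts/sec,  70847 bytes/sec
      1 minute output rate 7 pkts/sec,  425 bytes/sec
"""

IFACE_RE = re.compile(r'Traffic Statistics for "([^"]+)"')
# Comma optional so the garbled line as it appears in the post still parses.
RATE_RE = re.compile(r"(\d+) minute (input|output) rate (\d+) pkts/sec,?\s*(\d+) bytes/sec")

def parse_rates(text):
    """Return {iface: {(window_minutes, direction): (pkts_per_sec, bytes_per_sec)}}."""
    stats, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            iface = m.group(1)
            stats[iface] = {}
            continue
        m = RATE_RE.search(line)
        if m and iface is not None:
            window, direction, pps, bps = m.groups()
            stats[iface][(int(window), direction)] = (int(pps), int(bps))
    return stats

def unaccounted_egress(stats, ingress="outside", egress="inside", window=1):
    """Egress output minus ingress input: traffic the firewall did not forward from
    ingress, i.e. locally generated (syslog here) or arriving from a third interface."""
    in_pps, in_bps = stats[ingress][(window, "input")]
    out_pps, out_bps = stats[egress][(window, "output")]
    extra_pps, extra_bps = out_pps - in_pps, out_bps - in_bps
    return {
        "extra_pps": extra_pps,
        "extra_bps": extra_bps,
        "avg_extra_pkt_bytes": round(extra_bps / extra_pps) if extra_pps > 0 else 0,
        "pps_ratio": round(out_pps / in_pps, 1),
    }

def syslog_msgs_per_forwarded_pkt(extra_pps, forwarded_pps, syslog_servers=2):
    """Assumption taken from the thread: two syslog servers on the inside interface,
    so every message goes out twice; divide that out to get messages per SYN."""
    return round(extra_pps / syslog_servers / forwarded_pps, 1)
```

With the first post's numbers the unaccounted output is 3569 pkts/sec averaging about 210 bytes each, which at two servers works out to roughly two syslog messages per SYN, consistent with the firewall logging each new connection rather than any TCP-intercept probing.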

Hello Nikolamitev,

Exactly. Glad that we could resolve the issue.

Remember to rate all of the helpful posts (if you do not know how to do it, just let me know and I will show you how).

Also, if you do not have any other questions, please mark it as answered.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC