
ASA makes huge packets?

Hello, colleagues!

A bad thing has happened.

I've got a tcpdump of the same traffic, taken simultaneously in two places:

Dump 1. Capture on the ASA on the outside interface

Dump 2. tcpdump from a SPAN session on the switch, connected to the outside ASA

I am interested in the traffic of the SMTP server that is behind the ASA mail interface.

Both dumps were opened in Wireshark. I found in both dumps the same TCP session sending the usual large e-mail message.

And I see the following picture, which I cannot get my head around:

In the first dump (ASA capture):

The server sent data packets with a size of 1420 bytes (the TCP segment is 1368 bytes), then received a packet with an ACK to the data.

And this is repeated several times.

But in the second dump (tcpdump / SPAN):

I found a pack of 15 packets instead of the 16 packets in the first dump! One packet (in dump 2) had a size of 2788 bytes (the TCP segment is 2736 bytes, which is 2 times greater than 1368)!!!!!

Meanwhile, the sequence numbers of these packets are the same!

The IP header checksum and TCP checksum are different, but Wireshark shows that they are correct!

That's it:

Someone assembled one packet from two, and did it intelligently, recalculating the checksum.

The packet size is greater than the MTU of the ASA interface and the MTU of the switch (MTU 1500).

Who made this and why is it so large?
