

ASA makes huge packets?

Hello, colleagues!

A bad thing has happened.

I've got a tcpdump of the same traffic, taken simultaneously in two places:

Dump 1. Capture on the ASA on the outside interface

Dump 2. tcpdump from a SPAN session on the switch, connected to the outside ASA

I am interested in SMTP server traffic; the server is behind the ASA mail interface.

Both dumps were opened in Wireshark. I found in both dumps the same TCP session sending the usual large e-mail message.

And I see the following picture, which I cannot get my head around:

In the first dump (ASA capture):

The server sent data packets of 1420 bytes in size (the TCP segment is 1368 bytes), then received a packet with an ACK for the data.

And this is repeated several times.

But in the second dump (tcpdump / SPAN):

I found a run of 15 packets instead of the 16 packets in the first dump! One packet (in dump 2) had a size of 2788 bytes (the TCP segment is 2736 bytes, which is 2 times greater than 1368)!

While the sequence numbers of these packets are the same!

The IP header checksum and TCP checksum are different, but Wireshark shows that they are correct!

That's it:

Someone assembled one packet out of two, and did it intelligently, recalculating the checksum.

The packet size is greater than the MTU of the ASA interface and the MTU of the switch (MTU 1500).

Who made this and why is it so large?
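An added example, not part of the original post: one way to line up the two dumps by TCP sequence range and list every segment in one capture that exactly covers two or more consecutive segments of the other. `Segment` and `find_coalesced` are hypothetical names, the segment lists are constructed sample data shaped like the sizes in the post, and relative sequence numbers (as Wireshark displays them, no wraparound) are assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # relative TCP sequence number of the first payload byte
    length: int  # TCP payload length in bytes


def find_coalesced(reference, observed):
    """Return (observed_segment, covered_reference_segments) pairs for each
    observed segment that exactly spans 2+ consecutive reference segments."""
    by_seq = {s.seq: s for s in reference if s.length > 0}
    merged = []
    for obs in observed:
        if obs.length == 0:          # pure ACKs carry no payload to compare
            continue
        parts, cursor, end = [], obs.seq, obs.seq + obs.length
        # Walk the reference capture segment by segment across this byte range.
        while cursor < end and cursor in by_seq:
            part = by_seq[cursor]
            parts.append(part)
            cursor += part.length
        # Only report an exact cover; a partial overlap is a different anomaly.
        if cursor == end and len(parts) > 1:
            merged.append((obs, parts))
    return merged


# Constructed sample: 16 segments of 1368 bytes at the first capture point...
MSS = 1368
ASA_CAPTURE = [Segment(1 + i * MSS, MSS) for i in range(16)]
# ...and 15 at the second, where the 7th and 8th appear as one 2736-byte segment.
SPAN_CAPTURE = (ASA_CAPTURE[:6]
                + [Segment(1 + 6 * MSS, 2 * MSS)]
                + ASA_CAPTURE[8:])

if __name__ == "__main__":
    for obs, parts in find_coalesced(ASA_CAPTURE, SPAN_CAPTURE):
        print(f"seq={obs.seq} len={obs.length} covers "
              f"{len(parts)} segments of {[p.length for p in parts]} bytes")
```

The (seq, length) pairs for real captures can be exported from each dump with Wireshark's `tcp.seq` and `tcp.len` fields for the stream in question.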
