Hello, colleagues! Something bad has happened.

I've got tcpdumps of the same traffic taken simultaneously in two places:

Dump 1. Capture on the ASA on the outside interface
Dump 2. tcpdump from a SPAN session on the switch connected to the outside ASA

I am interested in SMTP server traffic; the server is behind the ASA mail interface. Both dumps were opened in Wireshark. I found in both dumps the same TCP session sending a usual large e-mail message. And I see the following picture, which I cannot get my head around:

In the first dump (ASA capture): the server sent data packets of 1420 bytes (TCP segment is 1368 bytes), then received a packet with an ACK for the data, and this is repeated several times.

But in the second dump (tcpdump / SPAN): I found a batch of 15 packets instead of the 16 packets in the first dump! One packet (in dump 2) had a size of 2788 bytes (TCP segment is 2736 bytes, which is 2 times greater than 1368)! Meanwhile, the sequence numbers of these packets are the same! The IP header checksum and TCP checksum are different, but Wireshark shows that they are correct!

That's it: someone combined two packets into one, and did it intelligently, calculating the checksum. The packet size is greater than the MTU of the ASA interface and the MTU of the switch (MTU 1500). Who made this and why is it so large?
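One way to line up the two captures described in the post, as an added example that is not part of the original post: it flags segments in one capture that are too large for a single MTU-sized packet and maps each to the segments in the other capture that cover the same sequence range. The segment lists are constructed from the sizes quoted above; which packet was merged and the names `find_coalesced` and `merge_pair` are assumptions.

```python
MTU = 1500
# Header overhead taken from the post's numbers: 1420 - 1368 (and 2788 - 2736).
HEADER_OVERHEAD = 52


def find_coalesced(reference, observed, mtu=MTU, overhead=HEADER_OVERHEAD):
    """Map oversized segments in `observed` to the `reference` segments they span.

    Both arguments are lists of (relative_seq, payload_len) for one direction
    of one TCP session, e.g. exported from the two dumps.
    """
    max_payload = mtu - overhead
    ref_by_seq = dict(reference)
    findings = []
    for seq, length in observed:
        if length <= max_payload:
            continue  # fits in one packet on the wire, nothing to explain
        # Walk the reference capture from the same starting sequence number
        # until the oversized range is covered or a segment is missing.
        parts, cursor, end = [], seq, seq + length
        while cursor < end and cursor in ref_by_seq:
            parts.append((cursor, ref_by_seq[cursor]))
            cursor += ref_by_seq[cursor]
        findings.append({"seq": seq, "len": length, "parts": parts,
                         "exact": cursor == end})
    return findings


def merge_pair(segments, index):
    """Build constructed test data: join segment `index` with the next one."""
    seq, length = segments[index]
    merged = (seq, length + segments[index + 1][1])
    return segments[:index] + [merged] + segments[index + 2:]


# Constructed sample: 16 segments of 1368 bytes (dump 1) and the same stream
# with two neighbours joined into one 2736-byte segment (dump 2).
DUMP1 = [(1 + i * 1368, 1368) for i in range(16)]
DUMP2 = merge_pair(DUMP1, 5)  # position 5 is arbitrary

if __name__ == "__main__":
    for f in find_coalesced(DUMP1, DUMP2):
        print(f"seq {f['seq']}: {f['len']} bytes = {len(f['parts'])} "
              f"reference segments, exact match: {f['exact']}")
```

An `exact` result of `True` means the large segment carries the same byte range as whole segments seen at the other capture point, so no payload was added or lost between the two.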