07-13-2012 03:38 PM
Hello,
We see a lot of 'insufficient-data' traffic on our firewall and we couldn't find any reason so far. Does anyone have a good idea on how we can troubleshoot the issue?
If we click on the insufficient-data bar we get redirected to the ACC but it doesn't show much there...
Thanks,
Oliver
07-13-2012 05:50 PM
Insufficient data in the application field usually means that there was not enough data to identify the application. For example, if the 3-way TCP handshake was completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.
You can try to filter the traffic logs based on the application filter set to 'Insufficient data' and see what traffic it is.
You can refer to this doc:
Incomplete, Insufficient data and Not-applicable in the application field
07-14-2012 06:23 AM
Thank you. We tried that already. When we filter for 'insufficient-data' for the time frame above (18:30 - 00:30) we get a result set of only 41 rows. Each row reports only ~900 bytes up to 1.5 KB of data. If we sum that up, we get a maximum of 60 KB of insufficient data for these 6 hours.
If you look at the amount of insufficient-data in the first picture, you see that there are more than 2 GB of insufficient data in the mentioned time frame...
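The triage suggested in the earlier reply (filter the traffic log on application = insufficient-data and see which hosts and ports it is) and the byte summing done in the follow-up, as an added example that is not part of the original thread. The CSV column names and the log lines are constructed here, not taken from a real PAN-OS export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a traffic-log CSV export. Column names are an
# assumption for this example; bytes are per session.
SAMPLE_LOG = """receive_time,app,src,dst,dport,proto,bytes,session_end_reason
2012/07/13 18:31:02,insufficient-data,10.1.1.5,203.0.113.10,443,tcp,1100,aged-out
2012/07/13 18:32:10,web-browsing,10.1.1.5,203.0.113.10,80,tcp,52000,tcp-fin
2012/07/13 18:40:55,insufficient-data,10.1.1.7,198.51.100.20,8443,tcp,950,aged-out
2012/07/13 19:02:13,incomplete,10.1.1.9,198.51.100.20,443,tcp,0,aged-out
2012/07/13 19:15:44,insufficient-data,10.1.1.5,203.0.113.10,443,tcp,1500,aged-out
"""

def insufficient_data_sessions(csv_text, app_value="insufficient-data"):
    """Return the log rows whose application field equals app_value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row["app"] == app_value]

def summarize(rows):
    """Aggregate the matching sessions by (dst, dport).
    Returns (total_bytes, {(dst, dport): (session_count, bytes)})."""
    by_target = defaultdict(lambda: [0, 0])
    total = 0
    for row in rows:
        nbytes = int(row["bytes"])
        key = (row["dst"], row["dport"])
        by_target[key][0] += 1
        by_target[key][1] += nbytes
        total += nbytes
    return total, {k: tuple(v) for k, v in by_target.items()}

def log_accounts_for(rows, reported_bytes, tolerance=0.1):
    """True if the summed per-session bytes are within tolerance of the volume
    the ACC reports. A large shortfall (the thread's ~60 KB logged against
    >2 GB shown) means the logged sessions do not explain the volume and the
    dropped traffic has to be looked at instead."""
    total, _ = summarize(rows)
    return abs(total - reported_bytes) <= tolerance * reported_bytes

if __name__ == "__main__":
    rows = insufficient_data_sessions(SAMPLE_LOG)
    total, by_target = summarize(rows)
    for (dst, dport), (count, nbytes) in sorted(by_target.items()):
        print(f"{dst}:{dport}  sessions={count}  bytes={nbytes}")
    print(f"total insufficient-data bytes in log: {total}")
    print("log explains reported volume:", log_accounts_for(rows, 3550))
```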
07-19-2012 01:26 PM
As much as I hate to say it, the "insufficient data" is showing up because part of the traffic is being dropped, and thus it is unable to determine what app is really being used.
Sometimes creating an "open" rule to allow the traffic, monitoring for that traffic, properly identifying the traffic, and then allowing the traffic with a specific rule helps.
This is because we do not look at the TCP handshake to determine what app is being used. So that might work, but not the true "data", thus it shows up as Insufficient data.
07-23-2012 05:16 AM
Hmm, so that means we'd have to set our last rule (Deny and log everything else) to "allow"? Doesn't sound like a charming solution, hehe
07-24-2012 05:30 AM
It is only recommended to do that for a short period of time. Sort of a discovery of the network. Then you can narrow down the rule to just what you want/need.
07-24-2012 11:35 AM
Okay, we'll try that the next weekend. I'll post the result here next week.