07-16-2014 05:04 AM
Hello!
So, we have a very simple lab topology with a virtual-wire and a single "allow all" policy.
I think it is important to note that on the egress interface there is a single host that should not be generating any traffic (or minimal traffic). The ingress port is connected to a SPAN port on a switch. I am aware that it is a strange setup, but that's how it is.
We have noticed strange counter values for the interfaces in the virtual-wire:
(partial "show interface" output)
ingress interface, ethernet1/13
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 423819043242
bytes transmitted 64288
packets received 434867911
packets transmitted 434
receive errors 0
packets dropped 14021012
packets dropped by flow state check 349811
egress interface, ethernet1/4
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 63096
bytes transmitted 312976866931
packets received 427
packets transmitted 342360077
receive errors 0
packets dropped 0
There is a huuuuuuge difference between the number of tx and rx packets on each interface, and I think they should be more or less equal, considering the configuration/topology.
It is a 3020 box running 5.0.8.
07-16-2014 10:50 AM
Hi... You mentioned that the ingress is connected to a SPAN port. Do you know what traffic you are mirroring to the SPAN port? If the mirrored traffic contains VLAN-tagged packets, those may not be transmitted across the vwire unless you enable tagging in the vwire settings. Also, non-TCP-SYN traffic will not be transmitted by default, since the vwire is performing stateful inspection.
07-17-2014 01:13 AM
I am not sure about the configuration on the switch side, as I was not involved in the POC from the beginning, but I can presume that it is a trunk port... all VLANs should go through; the vwire has all 0-4094 tags enabled to pass through. Also, the "reject non-SYN packets" option is turned off, so I am certain that (almost) everything should be transmitted.
Here is the full output from the interfaces:
admin@PA-3020> show interface ethernet1/4 (egress interface)
Name: ethernet1/4, ID: 19
Link status:
Runtime link speed/duplex/state: 1000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:1b:17:c0:be:13
Operation mode: virtual-wire
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/4, ID: 19
Operation mode: virtual-wire
Interface management profile: N/A
Service configured:
Zone: span, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast 30
rx-bytes 114543
rx-multicast 717
rx-unicast 0
tx-broadcast 212639
tx-bytes 355186826330
tx-multicast 1423373
tx-unicast 412349668
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 63096
bytes transmitted 312976866785
packets received 427
packets transmitted 342360076
receive errors 0
packets dropped 0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 63096
bytes transmitted 312976866931
packets received 427
packets transmitted 342360077
receive errors 0
packets dropped 0
packets dropped by flow state check 0
forwarding errors 0
no route 0
arp not found 0
neighbor not found 0
neighbor info pending 0
mac not found 0
packets routed to different zone 0
land attacks 0
ping-of-death attacks 0
teardrop attacks 0
ip spoof attacks 0
mac spoof attacks 0
ICMP fragment 0
layer2 encapsulated packets 0
layer2 decapsulated packets 0
--------------------------------------------------------------------------------
admin@PA-3020> show interface ethernet1/13 (ingress interface)
--------------------------------------------------------------------------------
Name: ethernet1/13, ID: 28
Link status:
Runtime link speed/duplex/state: 1000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:1b:17:c0:be:1c
Operation mode: virtual-wire
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/13, ID: 28
Operation mode: virtual-wire
Interface management profile: N/A
Service configured:
Zone: Srce, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast 214342
rx-bytes 658550534846
rx-multicast 1446046
rx-unicast 697011884
tx-broadcast 31
tx-bytes 115594
tx-multicast 722
tx-unicast 0
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 423820609551
bytes transmitted 64288
packets received 434884177
packets transmitted 434
receive errors 16266
packets dropped 0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 423819043242
bytes transmitted 64288
packets received 434867911
packets transmitted 434
receive errors 0
packets dropped 14021012
packets dropped by flow state check 349811
forwarding errors 0
no route 0
arp not found 0
neighbor not found 0
neighbor info pending 0
mac not found 0
packets routed to different zone 0
land attacks 0
ping-of-death attacks 0
teardrop attacks 0
ip spoof attacks 0
mac spoof attacks 0
ICMP fragment 0
layer2 encapsulated packets 0
layer2 decapsulated packets 0
--------------------------------------------------------------------------------
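The counter accounting this thread is doing by hand, as an added example (it is not part of the thread and not PAN-OS code): a small Python parser for the three counter sections of the `show interface` output quoted above. It computes ingress-received versus egress-transmitted on the logical counters, subtracts the drop counters the box reports on the ingress side, and also surfaces the MAC-versus-CPU receive gap and the hardware receive errors on ethernet1/13. The sample strings are abbreviated from the thread's own output; the function names and the "unexplained" label are mine, and the script assumes both interfaces' counters were cleared at the same time, which the thread does not state.

```python
import re

# Counter sections of PAN-OS "show interface" output, mapped to short keys.
SECTION_HEADERS = {
    "Physical port counters read from MAC:": "mac",
    "Hardware interface counters read from CPU:": "hw",
    "Logical interface counters read from CPU:": "logical",
}
# "<counter name> <integer>" lines, e.g. "packets dropped by flow state check 349811"
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 \-]*?)\s+(\d+)$")

# Sample input: abbreviated from the counters quoted in the thread (PA-3020, 5.0.8).
INGRESS_ETH1_13 = """\
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast 214342
rx-multicast 1446046
rx-unicast 697011884
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
packets received 434884177
receive errors 16266
Logical interface counters read from CPU:
packets received 434867911
packets transmitted 434
packets dropped 14021012
packets dropped by flow state check 349811
"""

EGRESS_ETH1_4 = """\
Physical port counters read from MAC:
tx-broadcast 212639
tx-multicast 1423373
tx-unicast 412349668
Logical interface counters read from CPU:
packets received 427
packets transmitted 342360077
packets dropped 0
"""


def parse_show_interface(text):
    """Return {section: {counter_name: int}} for the three counter sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            current = SECTION_HEADERS[line]
            sections[current] = {}
        elif current is not None and line and not line.startswith("---"):
            m = COUNTER_RE.match(line)
            if m:
                sections[current][m.group(1)] = int(m.group(2))
    return sections


def mac_total(mac, direction):
    """Sum the MAC-level unicast/multicast/broadcast frame counters for rx or tx."""
    return sum(mac.get(f"{direction}-{kind}", 0)
               for kind in ("unicast", "multicast", "broadcast"))


def audit_vwire(ingress_text, egress_text):
    """Account for packets entering one side of a vwire and leaving the other."""
    ing = parse_show_interface(ingress_text)
    egr = parse_show_interface(egress_text)
    rx_in = ing["logical"]["packets received"]
    tx_out = egr["logical"]["packets transmitted"]
    dropped = ing["logical"]["packets dropped"]
    gap = rx_in - tx_out
    return {
        "ingress_rx_logical": rx_in,
        "egress_tx_logical": tx_out,
        "gap": gap,
        "ingress_dropped": dropped,
        "ingress_flow_state_dropped": ing["logical"].get(
            "packets dropped by flow state check", 0),
        # Packets neither forwarded out the egress side nor counted as dropped on ingress
        "unexplained": gap - dropped,
        # Frames the MAC saw versus packets the CPU counted: a lower-layer gap
        "ingress_mac_rx_total": mac_total(ing["mac"], "rx"),
        "ingress_hw_rx": ing["hw"]["packets received"],
        "ingress_hw_rx_errors": ing["hw"]["receive errors"],
        "egress_mac_tx_total": mac_total(egr["mac"], "tx"),
    }


if __name__ == "__main__":
    for key, value in audit_vwire(INGRESS_ETH1_13, EGRESS_ETH1_4).items():
        print(f"{key:28} {value:>15,}")
```

Run stand-alone it prints one line per figure. For the thread's numbers it puts roughly 78 million packets outside both the egress transmit counter and the ingress drop counters, and shows the MAC-level receive total on ethernet1/13 well above what the CPU counted as received, alongside 16266 hardware receive errors. Those are the figures to re-check against a baseline taken right after clearing the counters on both interfaces, before drawing conclusions from counters of unknown age.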