Cisco Support Community

ASA makes huge packets?

Hello, colleagues!

A bad thing happened.

I've got a tcpdump of the same traffic taken simultaneously in two places:

Dump 1. Capture on the ASA on the outside interface

Dump 2. tcpdump from a SPAN session on the switch connected to the outside ASA

I am interested in the traffic of an SMTP server that is behind the ASA mail interface.

Both dumps were opened in Wireshark. In both dumps I found the same TCP session sending a usual large e-mail message.

And I see the following picture, which I cannot get my head around:

In the first dump (ASA capture):

The server sent data packets 1420 bytes in size (the TCP segment is 1368 bytes), then received a packet with an ACK for the data.

And this is repeated several times.

But in the second dump (tcpdump / SPAN):

I found a batch of 15 packets instead of the 16 packets in the first dump! One packet (in dump 2) had a size of 2788 bytes (the TCP segment is 2736 bytes, which is 2 times greater than 1368)!!!!!

While the sequence numbers of these packets are the same!

The IP header checksum and TCP checksum are different, but Wireshark shows that they are correct!

That's it:

Someone had assembled one packet from two, and did it intelligently, recalculating the checksum.

The packet size is greater than the MTU of the ASA interface and the MTU of the switch (MTU 1500).

Who made this and why is it so large?
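
The comparison described in the post can be automated. The Python sketch below is an added example, not part of the original post: it checks by sequence number and length whether a segment in one capture exactly covers consecutive segments of the other. The segment lists are constructed (the 1368-byte size is from the post, the starting sequence number is made up), and the check only confirms the merge, not what performed it.

```python
from typing import Dict, List, Tuple

Segment = Tuple[int, int]   # (raw TCP sequence number, payload bytes)
SEQ_MOD = 2 ** 32           # TCP sequence numbers wrap at 2^32

def find_coalesced(reference: List[Segment], observed: List[Segment]):
    """Compare one direction of one TCP stream seen at two capture points.

    Returns (merged, unmatched):
      merged    - [(observed segment, [reference segments it exactly covers])]
                  for observed segments spanning two or more reference segments
      unmatched - observed segments whose byte range cannot be tiled by
                  reference segments (loss, different segment boundaries)
    """
    by_seq: Dict[int, int] = {seq: length for seq, length in reference}
    merged, unmatched = [], []
    for seq, length in observed:
        parts, cursor, covered = [], seq, 0
        while covered < length:
            part_len = by_seq.get(cursor)
            # Stop if no reference segment starts here or it would overshoot.
            if not part_len or covered + part_len > length:
                parts = None
                break
            parts.append((cursor, part_len))
            covered += part_len
            cursor = (cursor + part_len) % SEQ_MOD   # handle sequence wrap
        if parts is None:
            unmatched.append((seq, length))
        elif len(parts) > 1:
            merged.append(((seq, length), parts))
    return merged, unmatched

# Constructed sample data: 16 segments of 1368 bytes as in dump 1, and the
# same stream as in dump 2 with two of them seen as one 2736-byte segment.
BASE_SEQ = 4294960000       # made-up value, chosen so the stream wraps
ASA_CAPTURE = [((BASE_SEQ + i * 1368) % SEQ_MOD, 1368) for i in range(16)]
SPAN_CAPTURE = (ASA_CAPTURE[:5]
                + [(ASA_CAPTURE[5][0], 2736)]
                + ASA_CAPTURE[7:])

if __name__ == "__main__":
    merged, unmatched = find_coalesced(ASA_CAPTURE, SPAN_CAPTURE)
    for (seq, length), parts in merged:
        print(f"seq {seq}: {length} bytes covers {len(parts)} segments {parts}")
    print("unmatched:", unmatched)
```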
