
A small question about understanding network statistics (CLI)

On a Sophos firewall (e.g. XGS136) I can view the interface statistics via the CLI (command: show network interfaces).

In the output I notice that there are many dropped packets in the RX state (receive) on the LAN interface.

Port1            Zonetype:LAN  MAC Address:XX:XX:XX:XX:XX  MTU:1500
                 IPv6 Addr(s): XXXXX::XXXXX:XXXXXX:XXXXX:1/64 (link-local)
                 Speed:1000Mb/s Full Duplex  Auto Negotiation:yes
                 UP BROADCAST RUNNING SLAVE MULTICAST
                 RX State: packets:2682687049 bytes:531478369640 (494.9 GiB)
                           errors:0 dropped:62795887 overruns:0 frame:0
                 TX State: packets:3826280005 bytes:3010216377751 (2.7 TiB)
                           errors:0 dropped:0 overruns:0 carrier:0

Does this statistic include the dropped packets that were blocked due to the firewall rules?

What period does this statistic cover and can I reset it via cli without impact?

Many thanks for a hint.

Rgd,

Tom



Added TAGs
[edited by: Raphael Alganes at 11:15 AM (GMT -8) on 25 Nov 2024]
  • Hello Thomas, 

    Thanks for reaching out to Sophos Community.

    I believe RX dropped packets here are interface-level statistics and should be before it hits a firewall rule/policy.

    Further, could you let us know if there are any disruptions/slowdowns you're noticing on the network? What are the devices connected to your Sophos Firewall? Were there any changes/new devices on the network before you noticed this?

    Also, could you look into this past thread, which could be a similar case, and see if it would help:

     RX State: packets Drop and error 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello Raphael,

    First of all, thank you very much for your reply.

    A little more information as background:
    We have 9 branches, each with 1 HA cluster (2 nodes). Different firewalls (XGS116+126+136+2300+4300).
    Each cluster has 1 LAN interface and 2 WAN interfaces.
    If I look at the statistics for all interfaces, ‘all’ have many dropped packets. On the LAN and WAN side.
    We use Cisco switches on the LAN side and Sophos switches on the WAN side. The cables are all new and shielded (CAT6A)
    I don't see any errors on the Cisco switches on the corresponding interfaces. Neither drops nor errors. Unfortunately I cannot check the Sophos switches as they are not managed.
    In fact, we have complaints at one location that the performance fluctuates from time to time. That's why I wanted to take a look at the statistics. But these are also resource-hungry CAD programs that run via Citrix virtualisation.
    Otherwise, we have no complaints at all about performance problems at any of our 9 locations.

    Since we have the dropped packets at each location, LAN and WAN side and also with different switches and new cables, I can't imagine having a layer 1 or 2 problem here.

  • Basically this is an ifconfig Linux basic. All the descriptions of ifconfig apply here.

    This is not SFOS related. Instead, the kernel dropped them at an interface level.
    It is pretty hard to find out what the reason behind this is: https://unix.stackexchange.com/questions/205141/what-exactly-is-an-ifconfig-dropped-rx-packet

    By the way: it seems to be a lot, but only 2.7% of your traffic is dropped. This could be a device in front of the firewall, which floods the firewall with broken packets.
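
An added example, not part of any post in this thread and not Sophos code: Python that parses the `show network interfaces` output posted above and computes the RX drop percentage from the lifetime counters and, separately, for the interval between two captures, which shows whether drops are still accumulating. The second capture and all function names are constructed for illustration.

```python
import re

# First capture: `show network interfaces` output as posted in the thread.
SNAPSHOT_1 = """\
Port1            Zonetype:LAN  MAC Address:XX:XX:XX:XX:XX  MTU:1500
                 IPv6 Addr(s): XXXXX::XXXXX:XXXXXX:XXXXX:1/64 (link-local)
                 RX State: packets:2682687049 bytes:531478369640 (494.9 GiB)
                           errors:0 dropped:62795887 overruns:0 frame:0
                 TX State: packets:3826280005 bytes:3010216377751 (2.7 TiB)
                           errors:0 dropped:0 overruns:0 carrier:0
"""
# Second capture: constructed for this example (+100000 packets, +500 drops).
SNAPSHOT_2 = SNAPSHOT_1.replace("2682687049", "2682787049").replace("62795887", "62796387")

IFACE = re.compile(r"^(\S+)\s+Zonetype:")   # first line of an interface block
STATE = re.compile(r"^\s*(RX|TX) State:")   # start of an RX or TX counter group
FIELD = re.compile(r"(\w+):(\d+)")          # name:integer counter pairs

def parse(text):
    """Return {interface: {"RX": {counter: int}, "TX": {counter: int}}}."""
    stats, iface, direction = {}, None, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            iface, direction = m.group(1), None
            stats[iface] = {"RX": {}, "TX": {}}
            continue
        m = STATE.match(line)
        if m:
            direction = m.group(1)
        if iface and direction:  # only lines inside an RX/TX group carry counters
            stats[iface][direction].update((k, int(v)) for k, v in FIELD.findall(line))
    return stats

def rx_drop_pct(rx):
    """Dropped RX packets as a percentage of RX packets, over the counters' lifetime."""
    return 100.0 * rx["dropped"] / rx["packets"] if rx["packets"] else 0.0

def interval_drop_pct(before, after):
    """Drop percentage for the traffic seen between two captures only."""
    d_pkts = after["packets"] - before["packets"]
    d_drop = after["dropped"] - before["dropped"]
    if d_pkts <= 0 or d_drop < 0:  # no traffic, or counters went backwards (e.g. reboot)
        return None
    return 100.0 * d_drop / d_pkts
```
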
