Switch reports excessive undersized/giant packets

Users are reporting intermittent "page not available" type errors on browsers, and I noticed in the switch logs the message "Excessive undersized/giant packets". The two may be unrelated, but the switch message definitely isn't normal.

The switch is a HP Procurve / Aruba 2530 series gigabit switch, and the Sophos XG is configured using an LACP trunk. The switch reports that LACP is active and working on the connected ports.

I have tried several versions of firmware on the switch, including the very latest one, and the messages still persist. Sophos is running XG

The MTU has not been changed from the default 1500 on any device.

The stats on the switch port affected (one of the LACP trunk ports) are:

  Errors (Since boot or last clear) :
   FCS Rx          : 0                    Drops Tx        : 2
   Alignment Rx    : 0                    Collisions Tx   : 0
   Runts Rx        : 0                    Late Colln Tx   : 0
   Giants Rx       : 25                   Excessive Colln : 0
   Total Rx Errors : 25                   Deferred Tx     : 0

Which says to me that either the Sophos XG is occasionally sending frames that are too large, or the switch is bad in some way. Because this has occurred on all 4 ports connected to Sophos UTMs (2 ports x 2 XG in HA), I think I can exclude it being a single port or cable fault.

The switch and the Sophos both agree that the ports are all in 1Gb Full Duplex mode.

What else can I check?

thanks

James

  • Hi Jamesharper

    Could you take a PCAP of the website while exploring this issue; otherwise, you may contact Sophos Support and our engineers shall troubleshoot this issue. You may DM me the case# along with the link to this thread as a reference so we may monitor this issue for you.

  • I think I have identified the source of the large packets...

    Guest is a WIFI network that is "Separate Zone". I think the packet flow goes like this:

    The packet is sent out the Guest network. Looking at the size, this packet is using LSO/TSO and will be broken up by the hardware at some point (or in software if the hardware lacks the LSO/TSO ability).

    12:31:10.382489 Guest, OUT: IP (tos 0x0, ttl 64, id 63783, offset 0, flags [DF], proto TCP (6), length 2960)
        10.10.80.254.4501 > 10.10.80.61.49814: Flags [.], ack 307943294, win 237, length 2920

    Next the packet appears on vxlan5.80. I assume vxlan5 is the "Separate Network" tunnel but I don't understand why it would appear on vlan 80. Originally the Guest network was bridged to Lag.80, but XG has a bug that doesn't let you use a hotspot on a VLAN interface so I had to change it to "Separate Zone".
    12:31:10.382494 vxlan5.80, OUT: IP (tos 0x0, ttl 64, id 63783, offset 0, flags [DF], proto TCP (6), length 2960)
        10.10.80.254.4501 > 10.10.80.61.49814: Flags [.], ack 1, win 237, length 2920

    Then the packet appears on vxlan5, now 2980 bytes (presumably because of the additional VLAN info?)
    12:31:10.382495 vxlan5, OUT: Out f2:4d:41:99:e2:b9 ethertype Unknown (0x0050), length 2980:
            0x0000:  0000 0800 4500 0b90 f927 4000 4006 80f1  ....E....'@.@...
            0x0010:  0a0a 50fe 0a0a 503d 1195 c296 3b73 7f4e  ..P...P=....;s.N
            0x0020:  125a d77e 5010 00ed c0d1 0000 4854 5450  .Z.~P.......HTTP
            0x0030:  2f31 2e31 2032 3030 204f 4b0d 0a44 6174  /1.1.200.OK..Dat
            0x0040:  653a 2053 756e 2c20 3231 204d 6179 2032  e:.Sun,.21.May.2

    Now the packet finally appears on the LACP trunk (Lag) and then PortE0 which is one of the components of the trunk. Presumably the LSO/TSO has now been done, the packet is split into MTU sized chunks and sent on its way. XG got the numbers wrong though - 1554 bytes is well in excess of what a switch will normally think is acceptable on a network with 1500 byte packets. I think the HP switches we use get grumpy if the packet size is over 1522 bytes.
    12:31:10.382504 Lag, OUT: IP (tos 0x0, ttl 64, id 60244, offset 0, flags [none], proto UDP (17), length 1554)
        10.10.1.254.59993 > 10.10.1.4.8472: UDP, length 1526
    12:31:10.382505 PortE0, OUT: IP (tos 0x0, ttl 64, id 60244, offset 0, flags [none], proto UDP (17), length 1554)
        10.10.1.254.59993 > 10.10.1.4.8472: UDP, length 1526
    12:31:10.382506 Lag, OUT: IP (tos 0x0, ttl 64, id 60245, offset 0, flags [none], proto UDP (17), length 1554)
        10.10.1.254.59993 > 10.10.1.4.8472: UDP, length 1526
    12:31:10.382507 PortE0, OUT: IP (tos 0x0, ttl 64, id 60245, offset 0, flags [none], proto UDP (17), length 1554)
        10.10.1.254.59993 > 10.10.1.4.8472: UDP, length 1526

    So... the cause of the problem, now that I have identified it, is completely unrelated to the original issue I was seeing, where users occasionally get "page cannot be displayed" errors; these errors are seen on networks other than the Guest network and I'm not using Separate Zone anywhere else.

    James
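The capture in the post above shows the arithmetic behind the switch's "giant" counter: a 1500-byte inner IP packet on a VLAN-tagged inner frame picks up a VXLAN header, an outer UDP header and an outer IP header, giving exactly the "UDP, length 1526" and "length 1554" that tcpdump printed, and the frame the switch then sees is larger than the 1522-byte limit James mentions. The script below is an added example, not code from the thread or from Sophos; it assumes standard header sizes (14-byte Ethernet, 4-byte 802.1Q tag, 20-byte IPv4 without options, 8-byte UDP, 8-byte VXLAN per RFC 7348, 4-byte FCS), takes 1522 bytes as the switch's maximum accepted frame as stated in the post, and parses only the Sophos-style "iface, OUT: IP (... length N)" summary lines shown there. It also computes the largest inner MTU that would fit the 1500-byte underlay, which is the usual mitigation when the encapsulated network cannot be given a larger underlay MTU.

```python
import re

# Header sizes in bytes (assumed standard values; IPv4 without options).
ETH_HDR = 14      # destination MAC + source MAC + ethertype
VLAN_TAG = 4      # 802.1Q tag (the inner frame left vxlan5.80, so it is tagged)
IPV4_HDR = 20
UDP_HDR = 8
VXLAN_HDR = 8     # flags + reserved + VNI + reserved (RFC 7348)
ETH_FCS = 4       # frame check sequence, included in the switch's frame-size limit

# Largest frame the switch accepts, taken from the post's "over 1522 bytes" remark.
SWITCH_MAX_FRAME = 1522


def inner_eth_len(inner_ip_len, inner_vlan_tagged):
    """Length of the encapsulated Ethernet frame (without FCS) carried inside VXLAN."""
    return ETH_HDR + (VLAN_TAG if inner_vlan_tagged else 0) + inner_ip_len


def vxlan_udp_payload_len(inner_ip_len, inner_vlan_tagged):
    """What tcpdump prints as 'UDP, length N' for the outer packet."""
    return VXLAN_HDR + inner_eth_len(inner_ip_len, inner_vlan_tagged)


def vxlan_outer_ip_len(inner_ip_len, inner_vlan_tagged):
    """Total-length field of the outer IPv4 packet ('length N' in the IP summary line)."""
    return IPV4_HDR + UDP_HDR + vxlan_udp_payload_len(inner_ip_len, inner_vlan_tagged)


def wire_frame_len(outer_ip_len, outer_vlan_tagged=False):
    """Bytes the switch port counts for one frame: Ethernet header, IP packet and FCS."""
    return ETH_HDR + (VLAN_TAG if outer_vlan_tagged else 0) + outer_ip_len + ETH_FCS


def classify_frame(wire_len, max_frame=SWITCH_MAX_FRAME):
    """Classify a frame the way a port error counter does: runt, giant, or ok."""
    if wire_len > max_frame:
        return "giant"
    if wire_len < 64:
        return "runt"
    return "ok"


def max_inner_ip_mtu(underlay_mtu=1500, inner_vlan_tagged=True):
    """Largest inner IP packet whose VXLAN encapsulation still fits the underlay MTU."""
    overhead = IPV4_HDR + UDP_HDR + VXLAN_HDR + ETH_HDR
    if inner_vlan_tagged:
        overhead += VLAN_TAG
    return underlay_mtu - overhead


# Matches the interface-prefixed IP summary lines shown in the post; the indented
# second line of each packet (ports, flags, payload length) is deliberately ignored.
_IP_SUMMARY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP \(.*?length (?P<len>\d+)\)"
)


def outer_ip_lengths(capture_text):
    """Return (interface, outer IP total length) for each IP summary line."""
    found = []
    for line in capture_text.splitlines():
        m = _IP_SUMMARY_RE.match(line.strip())
        if m:
            found.append((m.group("iface"), int(m.group("len"))))
    return found


def audit_capture(capture_text, max_frame=SWITCH_MAX_FRAME, outer_vlan_tagged=False):
    """Per summary line: would the frame carrying this IP packet be counted as a giant?"""
    return [
        (iface, ip_len, classify_frame(wire_frame_len(ip_len, outer_vlan_tagged), max_frame))
        for iface, ip_len in outer_ip_lengths(capture_text)
    ]


# Constructed sample: the two outer-packet summary lines quoted from the post above.
SAMPLE_CAPTURE = """\
12:31:10.382504 Lag, OUT: IP (tos 0x0, ttl 64, id 60244, offset 0, flags [none], proto UDP (17), length 1554)
    10.10.1.254.59993 > 10.10.1.4.8472: UDP, length 1526
12:31:10.382505 PortE0, OUT: IP (tos 0x0, ttl 64, id 60244, offset 0, flags [none], proto UDP (17), length 1554)
    10.10.1.254.59993 > 10.10.1.4.8472: UDP, length 1526
"""

if __name__ == "__main__":
    inner = 1500
    print("inner IP", inner, "-> UDP payload", vxlan_udp_payload_len(inner, True),
          "-> outer IP", vxlan_outer_ip_len(inner, True),
          "-> on wire", wire_frame_len(vxlan_outer_ip_len(inner, True)))
    for iface, ip_len, verdict in audit_capture(SAMPLE_CAPTURE):
        print(f"{iface}: outer IP {ip_len} bytes -> {verdict}")
    print("max inner MTU for a 1500-byte underlay (tagged inner frame):", max_inner_ip_mtu())
    print("max inner MTU for a 1500-byte underlay (untagged inner frame):",
          max_inner_ip_mtu(1500, False))
```

Run as-is to reproduce the post's numbers. The two functions to act on are `max_inner_ip_mtu`, which gives the inner MTU to set on the encapsulated network if the underlay stays at 1500, and `audit_capture`, which can be pointed at a larger tcpdump text to count how many outer packets would register as giants on the switch.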

  • I guess the "can't have hotspot on VLAN" bug got fixed recently because I just noticed I can configure such a thing now.