When looking at ProxySG's TCP interface statistics, what does "Dropped on output" mean?


Article ID: 167408


Updated On:


Advanced Secure Gateway Software - ASG CacheFlow Appliance Software ProxySG Software - SGOS


When looking at ProxySG's TCP interface statistics from https://x.x.x.x:8082/TCP/Interface, what does "Dropped on output" mean?


The TCP Dropped On Output counter is incremented if the proxy is unable to output a packet because the outgoing queue on the interface was too full. In particular, there is a queue in the network interface data structure where the driver gets packets from the system and adds them to the hardware transmit rings. The proxy appears to be dropping packets because this queue is full (i.e. we cannot dequeue packets fast enough to put them on the hardware to be sent out). This suggests that either it is taking a long time for the hardware to be able to successfully transmit the packets that were queued, or the proxy is accumulating packets much more quickly than it can send them, for example, packets are arriving on an interface with a higher bandwidth (eg. ingress 1Gbps) than the outgoing interface (eg. egress 100Mbps).

In either case, switches would not see errors due to the dropped packets because the proxy fail to buffer them for output, so they never make it anywhere near the wire.

A saturated link could show this kind of behaviour as the network card has to wait to send traffic. If the network cable is noisy, we might see this too, although the link should auto-negotiate to something lower unless it was forced to a certain speed and duplex.