TX drop counters explained:
The "TX-DRP" counter is normally increasing when the VND driver recognizes that the APM is operating as a non-master VAP in a VAP group (the master/non-master status can be verified by running "show ap-vap-mapping
") and the APM is trying to respond to a broadcast (typically a response to an ARP request). Even though broadcasts are received and processed by all VAP group members (NPM takes care of the packet replication) only the master VAP is allowed to answer the broadcast. These packets are therefore dropped for a valid reason by the VND driver on non-master VAPs.RX drop counters explained:
Possible legitimate reasons for a packet to be dropped by the VND driver on the receiving (RX) side:
1) When running Check Point VSX, non-management circuits have IP addresses defined under VRRP only and auto-configured with backup-stay-up
option. All packets arriving to such circuit will be dropped and counted as "downRx" (in "cat /proc/cbs_vnd/stats
"). There is one exception: in a case where the interface is part of MLT group-inteface, LACP frames are allowed to pass the circuit.
2) RX drop count can be especially high on a circuit configured for Check Point synchronization - see the section References for more information about this topic.