Dropped TX and RX packets reported in Aria Logs for Networks (vRNI) whenever IDPS is enabled

Article ID: 425356


Updated On:

Products

VMware vDefend Firewall with Advanced Threat Prevention
VMware NSX

Issue/Introduction

IDPS is enabled on NSX and Aria Logs for Networks is reporting the following uptick in dropped packets:

As soon as you disable IDPS rules, the drops cease.

Environment

NSX 4.2.2 or later
vDefend Firewall
IDPS with Turbo Mode (SCX)
Aria Logs for Networks (6.x)

Cause

The issue is caused by a miscalculation of the cumulative dropped-packet counter: SCX pktsInjected is incorrectly included in the pktsDropped total, so the reported packet loss is higher than the actual loss.

The incorrect calculation is: pktsDropped = pktsStarted + pktsInjected - pktsPassed - pktsFiltered - pktErrors - pktsFaulted

To confirm the issue, run the following commands to retrieve both inputStats and outputStats for the port.

vsish -e get /net/portsets/<portset>/ports/<port#>/inputStats
vsish -e get /net/portsets/<portset>/ports/<port#>/outputStats

The 'portset' and 'port#' values can be retrieved by running 'net-stats -l' on the ESXi host.

Example shown for inputStats:

io chain stats {
.....
   pktsStarted:14472
   pktsPassed:7209877
   pktsDropped:417554
   pktsCloned:0
   pktsFiltered:0
   pktsFaulted:0
   pktsQueued:0
   pktErrors:0
   pktsInjected:7612959
functions:
<snip>
 SCX_RP_OUTPUT_POST.######### <scx-post-s2gvm:0x#########>
    pktsStarted:7209877
    pktsPassed:7209877
    pktsDropped:0
    pktsFiltered:0
    pktsQueued:0
    pktsFaulted:0
    pktsInjected:417554
    pktErrors:0
    pktsBypassed:0
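
The confirmation step above can be scripted. This is an added example, not code from the article or from VMware: it parses saved vsish output, checks that the reported pktsDropped matches the incorrect calculation, and subtracts the pktsInjected of SCX_ functions. The names parse_stats and assess, the "adjusted" value and the abridged sample are assumptions made for illustration.

```python
import re

# Constructed sample: the article's inputStats excerpt, abridged, with the
# masked function id replaced by a placeholder.
SAMPLE = """\
io chain stats {
   pktsStarted:14472
   pktsPassed:7209877
   pktsDropped:417554
   pktsFiltered:0
   pktsFaulted:0
   pktErrors:0
   pktsInjected:7612959
functions:
<snip>
 SCX_RP_OUTPUT_POST.PLACEHOLDER <scx-post-s2gvm:0xPLACEHOLDER>
    pktsStarted:7209877
    pktsPassed:7209877
    pktsDropped:0
    pktsInjected:417554
"""
COUNTER = re.compile(r"^\s*(pkt\w+):(\d+)")   # e.g. "pktsDropped:417554"
FUNC = re.compile(r"^\s*(\S+)\s+<\S+>\s*$")   # function header line

def parse_stats(text):
    """Split vsish stats into chain-level counters and per-function counters."""
    chain, funcs, current = {}, {}, None
    for line in text.splitlines():
        if m := COUNTER.match(line):
            (chain if current is None else funcs[current])[m.group(1)] = int(m.group(2))
        elif m := FUNC.match(line):
            current = m.group(1)
            funcs[current] = {}
    return chain, funcs

def assess(text):
    """Check whether reported drops are explained by SCX-injected packets."""
    chain, funcs = parse_stats(text)
    c = lambda key: chain.get(key, 0)
    # The article's "incorrect calculation", which counts pktsInjected.
    inflated = (c("pktsStarted") + c("pktsInjected") - c("pktsPassed")
                - c("pktsFiltered") - c("pktErrors") - c("pktsFaulted"))
    scx = sum(f.get("pktsInjected", 0) for name, f in funcs.items()
              if name.startswith("SCX_"))
    return {"reported": c("pktsDropped"),
            "matches_inflated_formula": inflated == c("pktsDropped"),
            "scx_injected": scx,
            # Assumption: drops net of the SCX injections the Cause describes.
            "adjusted": c("pktsDropped") - scx}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A result where matches_inflated_formula is true and adjusted is 0 indicates the reported drops are fully accounted for by SCX-injected packets, as in the article's inputStats sample.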

Resolution

This issue is purely cosmetic. pktsInjected will be excluded from the cumulative calculation.

The correct calculation is: pktsDropped = pktsStarted - pktsPassed - pktsFiltered - pktErrors - pktsFaulted

io chain stats {
...
   pktsStarted:10
   pktsPassed:99
   pktsDropped:0
   pktsCloned:0
   pktsFiltered:1
   pktsFaulted:0
   pktsQueued:0
   pktErrors:0
   pktsInjected:174
   functions:
<snip>
        SCX_RP_INPUT_POST.######### <scx-post-gvm2s:0x#########>
                pktsStarted:100
                pktsPassed:100
                pktsDropped:0
                pktsFiltered:0
                pktsQueued:0
                pktsFaulted:0
                pktsInjected:84  <<<<<<<<< excluded
                pktErrors:0

This issue will be addressed in a future release.

Additional Information

Issue is similar to:
https://knowledge.broadcom.com/external/article?articleNumber=378543