Dropped TX and RX packets reported in Aria Logs for Networks (vRNI) whenever Turbo Mode (SCRX) IDPS is enabled
Article ID: 425356

Products

VMware vDefend Firewall with Advanced Threat Prevention VMware NSX

Issue/Introduction

Turbo Mode (SCRX) IDPS is enabled on NSX, and Aria Logs for Networks reports an uptick in dropped TX and RX packets on the affected ports.

As soon as the IDPS rules are disabled, the reported drops stop.

Environment

NSX 4.2.2 or later
vDefend Firewall
IDPS with Turbo Mode (SCRX)
Aria Logs for Networks (6.x)

Cause

The cumulative pktsDropped counter is miscalculated when SCRX is enabled, so the reported packet loss is higher than the actual loss.

The calculation in use is:   pktsDropped = pktsStarted + pktsInjected - pktsPassed - pktsFiltered - pktErrors - pktsFaulted
Note: This calculation is correct for non-SCRX cases. With SCRX, packets that the SCX post-filter function re-injects into the IO chain (reported as pktsInjected under SCX_RP_OUTPUT_POST or SCX_RP_INPUT_POST in the 'functions:' section of the same stats block) are not accounted for and are therefore counted as drops.

The correct calculation is:   pktsDropped = pktsStarted + pktsInjected - pktsPassed - pktsFiltered - pktErrors - pktsFaulted - (pktsInjected under the SCX_RP_OUTPUT_POST / SCX_RP_INPUT_POST function)

To confirm the issue, collect both inputStats and outputStats for the affected port on the ESXi host:
 
vsish -e get /net/portsets/<portset>/ports/<port#>/inputStats
vsish -e get /net/portsets/<portset>/ports/<port#>/outputStats

The <portset> and <port#> values can be retrieved with 'net-stats -l' on the ESXi host. In each stats block, apply the calculation above to the cumulative counters: if the result equals the reported pktsDropped, the SCX post-filter function's own pktsDropped is 0, and subtracting that function's pktsInjected brings the total to 0, then the reported drops are entirely an artifact of the calculation and no traffic is being lost on that port.

Example shown for inputStats (14472 + 7612959 - 7209877 - 0 - 0 - 0 = 417554, which matches the reported pktsDropped; subtracting the 417554 pktsInjected under SCX_RP_OUTPUT_POST gives 0):

io chain stats {
.....
   pktsStarted:14472
   pktsPassed:7209877
   pktsDropped:417554
   pktsCloned:0
   pktsFiltered:0
   pktsFaulted:0
   pktsQueued:0
   pktErrors:0
   pktsInjected:7612959
functions:
<snip>
 SCX_RP_OUTPUT_POST.######### <scx-post-s2gvm:0x#########>
    pktsStarted:7209877
    pktsPassed:7209877
    pktsDropped:0
    pktsFiltered:0
    pktsQueued:0
    pktsFaulted:0
    pktsInjected:417554
    pktErrors:0
    pktsBypassed:0
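As an added worked example (not part of this article or of any NSX or ESXi tooling), the following Python script parses saved vsish io chain stats output, evaluates both the current and the corrected calculation against the cumulative counters, and reports whether the drops a host shows are real or the SCRX accounting artifact described above. The two embedded dumps are constructed from the ones quoted in this article, trimmed to the counters the formulas use; the function names, regular expressions and verdict labels are this example's own, and accepting either SCX_RP_INPUT_POST or SCX_RP_OUTPUT_POST as the post-filter function is an assumption based on the two dumps shown on this page.

```python
import re
from typing import Dict, Tuple

# Constructed samples: the two io chain stats dumps quoted in this article,
# trimmed to the relevant counters, masked function IDs kept as '#'.
# The first comes from an unfixed build, the second from a corrected build.
UNFIXED_INPUT_STATS = """\
io chain stats {
.....
   pktsStarted:14472
   pktsPassed:7209877
   pktsDropped:417554
   pktsFiltered:0
   pktsFaulted:0
   pktErrors:0
   pktsInjected:7612959
functions:
<snip>
 SCX_RP_OUTPUT_POST.######### <scx-post-s2gvm:0x#########>
    pktsStarted:7209877
    pktsPassed:7209877
    pktsDropped:0
    pktsInjected:417554
    pktErrors:0
"""

FIXED_INPUT_STATS = """\
io chain stats {
...
   pktsStarted:10
   pktsPassed:99
   pktsDropped:0
   pktsFiltered:1
   pktsFaulted:0
   pktErrors:0
   pktsInjected:174
   functions:
<snip>
        SCX_RP_INPUT_POST.######### <scx-post-gvm2s:0x#########>
                pktsStarted:100
                pktsPassed:100
                pktsDropped:0
                pktsInjected:84  <<<<<<<<< excluded
                pktErrors:0
"""

COUNTER_RE = re.compile(r"^\s*([A-Za-z]+):(\d+)")       # e.g. "pktsDropped:417554"
FUNC_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\.\S*\s+<")    # e.g. "SCX_RP_OUTPUT_POST.123 <...>"
# Assumption: the SCX post-filter may appear under either name in a stats block.
SCX_POST_FUNCS = ("SCX_RP_INPUT_POST", "SCX_RP_OUTPUT_POST")


def parse_io_chain_stats(text: str) -> Tuple[Dict[str, int], Dict[str, Dict[str, int]]]:
    """Split a vsish io chain stats dump into the cumulative counters (those
    listed before 'functions:') and a per-function counter map."""
    cumulative: Dict[str, int] = {}
    functions: Dict[str, Dict[str, int]] = {}
    current = cumulative
    in_functions = False
    for line in text.splitlines():
        if line.strip() == "functions:":
            in_functions = True
            continue
        m = FUNC_RE.match(line)
        if in_functions and m:
            current = functions.setdefault(m.group(1), {})   # new per-function block
            continue
        m = COUNTER_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2))
    return cumulative, functions


def current_formula(c: Dict[str, int]) -> int:
    """pktsDropped as the affected builds compute it (correct only without SCRX)."""
    return (c.get("pktsStarted", 0) + c.get("pktsInjected", 0) - c.get("pktsPassed", 0)
            - c.get("pktsFiltered", 0) - c.get("pktErrors", 0) - c.get("pktsFaulted", 0))


def corrected_formula(c: Dict[str, int], functions: Dict[str, Dict[str, int]]) -> int:
    """Same formula minus the packets the SCX post-filter function re-injected."""
    scx_injected = sum(f.get("pktsInjected", 0)
                       for name, f in functions.items() if name in SCX_POST_FUNCS)
    return current_formula(c) - scx_injected


def classify(text: str) -> Dict[str, object]:
    """Compare the reported counter with both formulas and return a verdict:
    'fixed'    - counter already excludes SCX re-injections (corrected build)
    'cosmetic' - counter follows the old formula and drops vanish once the
                 re-injections are excluded (this article's symptom)
    'inflated' - counter follows the old formula but real drops remain
    'mismatch' - counter matches neither formula (not explained by this KB)"""
    c, funcs = parse_io_chain_stats(text)
    reported = c.get("pktsDropped", 0)
    old = current_formula(c)
    corrected = corrected_formula(c, funcs)
    if reported == corrected:
        verdict = "fixed"
    elif reported == old:
        verdict = "cosmetic" if corrected == 0 else "inflated"
    else:
        verdict = "mismatch"
    return {"reported": reported, "old_formula": old, "corrected": corrected, "verdict": verdict}


if __name__ == "__main__":
    for label, dump in (("unfixed", UNFIXED_INPUT_STATS), ("fixed", FIXED_INPUT_STATS)):
        print(label, classify(dump))
```

Save the output of each vsish command to a file and pass its contents to classify(). A 'cosmetic' verdict means the drop count Aria Logs for Networks shows for that port is the accounting artifact and can be disregarded; 'inflated' means some drops remain after the re-injections are subtracted and deserve a normal packet-loss investigation.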

Resolution

This issue is purely cosmetic in nature: the inflated portion of pktsDropped corresponds to packets the SCX post-filter function re-injected, not to lost traffic. pktsInjected under the SCX post-filter function (SCX_RP_INPUT_POST / SCX_RP_OUTPUT_POST) will be excluded from the cumulative calculation in a later release.

The correct calculation is:   pktsDropped = pktsStarted + pktsInjected - pktsPassed - pktsFiltered - pktErrors - pktsFaulted - (pktsInjected under the SCX_RP_OUTPUT_POST / SCX_RP_INPUT_POST function)

The output shown below is copied from a version with the correct calculation. Here 10 + 174 - 99 - 1 - 0 - 0 = 84 equals the 84 packets injected under SCX_RP_INPUT_POST, so pktsDropped is correctly reported as 0:

io chain stats {
...
   pktsStarted:10
   pktsPassed:99
   pktsDropped:0
   pktsCloned:0
   pktsFiltered:1
   pktsFaulted:0
   pktsQueued:0
   pktErrors:0
   pktsInjected:174
   functions:
<snip>
        SCX_RP_INPUT_POST.######### <scx-post-gvm2s:0x#########>
                pktsStarted:100
                pktsPassed:100
                pktsDropped:0
                pktsFiltered:0
                pktsQueued:0
                pktsFaulted:0
                pktsInjected:84  <<<<<<<<< excluded
                pktErrors:0

This issue will be addressed in a future release.

Additional Information

Issue is similar to the following KB for classic IDPS:
https://knowledge.broadcom.com/external/article?articleNumber=378543