High VPN traffic
Posted: Tue Apr 12, 2016 1:38 pm
Dear all,
I'm having an issue where there is constant traffic on the VPN port. I would imagine that once the VPN tunnel is created, I should not have that much traffic on the VPN port itself but rather in the tunnel. I have stopped all traffic in the VPN tunnel, but there is still around 9MB of data flowing between the server and the client per hour. Is that normal?
Here is a capture of a few packets:
15:05:47.590514 IP (tos 0x0, ttl 110, id 12326, offset 0, flags [DF], proto TCP (6), length 40)
<client-ip>.58502 > <server-ip>.https: Flags [.], cksum 0x72cf (correct), seq 71, ack 14794, win 259, length 0
15:05:47.606327 IP (tos 0x0, ttl 64, id 20441, offset 0, flags [DF], proto TCP (6), length 295)
<server-ip>.https > <client-ip>.58502: Flags [P.], cksum 0x80a7 (incorrect -> 0x6ca8), seq 15462:15717, ack 71, win 632, length 255
15:05:47.649344 IP (tos 0x0, ttl 110, id 12327, offset 0, flags [DF], proto TCP (6), length 40)
<client-ip>.58502 > <server-ip>.https: Flags [.], cksum 0x6f37 (correct), seq 71, ack 15717, win 256, length 0
15:05:47.666261 IP (tos 0x0, ttl 64, id 20442, offset 0, flags [DF], proto TCP (6), length 271)
<server-ip>.https > <client-ip>.58502: Flags [P.], cksum 0x808f (incorrect -> 0x158d), seq 15717:15948, ack 71, win 632, length 231
15:05:47.706721 IP (tos 0x0, ttl 64, id 20443, offset 0, flags [DF], proto TCP (6), length 386)
<server-ip>.https > <client-ip>.58502: Flags [P.], cksum 0x8102 (incorrect -> 0x11b5), seq 15948:16294, ack 71, win 632, length 346
15:05:47.746185 IP (tos 0x0, ttl 110, id 12328, offset 0, flags [DF], proto TCP (6), length 40)
<client-ip>.58502 > <server-ip>.https: Flags [.], cksum 0x6e51 (correct), seq 71, ack 15948, win 255, length 0
15:05:47.746404 IP (tos 0x0, ttl 64, id 20444, offset 0, flags [DF], proto TCP (6), length 386)
<server-ip>.https > <client-ip>.58502: Flags [P.], cksum 0x8102 (incorrect -> 0x1e51), seq 16294:16640, ack 71, win 632, length 346
15:05:47.770974 IP (tos 0x0, ttl 64, id 20445, offset 0, flags [DF], proto TCP (6), length 111)
<server-ip>.https > <client-ip>.58502: Flags [P.], cksum 0x7fef (incorrect -> 0xa279), seq 16640:16711, ack 71, win 632, length 71
15:05:47.790556 IP (tos 0x0, ttl 110, id 12329, offset 0, flags [DF], proto TCP (6), length 40)
<client-ip>.58502 > <server-ip>.https: Flags [.], cksum 0x6b99 (correct), seq 71, ack 16640, win 259, length 0
15:05:47.842398 IP (tos 0x0, ttl 64, id 20446, offset 0, flags [DF], proto TCP (6), length 386)
<server-ip>.https > <client-ip>.58502: Flags [P.], cksum 0x8102 (incorrect -> 0x5e87), seq 16711:17057, ack 71, win 632, length 346
15:05:47.842460 IP (tos 0x0, ttl 64, id 13259, offset 0, flags [DF], proto UDP (17), length 116)
<server-ip>.40196 > <client-ip>.64079: [bad udp cksum 0x7fff -> 0xd808!] UDP, length 88
15:05:47.857062 IP (tos 0x0, ttl 110, id 12330, offset 0, flags [DF], proto TCP (6), length 40)
<client-ip>.58502 > <server-ip>.https: Flags [.], cksum 0x6b52 (correct), seq 71, ack 16711, win 259, length 0
15:05:47.861925 IP (tos 0x0, ttl 64, id 20447, offset 0, flags [DF], proto TCP (6), length 317)
<server-ip>.https > <client-ip>.58502: Flags [P.], cksum 0x80bd (incorrect -> 0x583e), seq 17057:17334, ack 71, win 632, length 277
I'm wondering why I have the "incorrect" messages here. Can that be the cause of the high traffic I'm getting?
Kind regards,
Stephane