Gateway is receiving more network traffic than it can process. A portion of the network traffic is not analyzed.

  • Question

  • I keep getting this alert despite the amount of resources that I add to my Gateway.  

    Our DC and Gateway are running virtually in VMware.  Distributed Virtual Switches are not an option so I have to resort to configuring Promiscuous Port Group.  

    I configured a Promiscuous Port Group on the same Virtual Switch that the DC (and the rest of our servers) is connected to, and assigned it the same VLAN ID as the DC.

    ATA is capturing and reporting traffic but I continually receive an alert that some network traffic is not being analyzed.  I have thrown double the resources at our Gateways than what the sizing tool identified, and still receive this alert.  At this point I have 24GB of RAM and 10 Cores allocated to my Gateway which is only capturing and reporting on 1 DC.  At this point I am about ready to scrap ATA because of how resource intense it is.  

    Any ideas or suggestions?  Does it sound like I have the Promiscuous Port Group configured correctly, or is it possible that I am capturing ALL traffic for the VLAN assigned?  

    Friday, January 20, 2017 3:26 AM

Answers

  • Hello,

    This is a known issue which only happens on VMware.

    Dropped port mirror traffic alerts when using lightweight gateway on VMware.

    If you are using domain controllers on VMware virtual machines, you might receive alerts about Dropped port mirrored network traffic. This might happen because of a configuration mismatch in VMware. To avoid these alerts, you can check that the following settings are set to 0 or Disabled in the virtual machine:

        - TsoEnable
        - LargeSendOffload(IPv4)
        - IPv4 TSO Offload

    Also, consider disabling IPv4 Giant TSO Offload. For more information consult your VMware documentation.

    Best regards,
    Andy Liu



    Friday, January 20, 2017 7:04 AM
    Moderator

All replies

  • Hi,

    There is a bug related to VMware network adapters or their drivers related to "segmentation offload", or it might be due to a misconfiguration in your VMware environment. The resolution to avoid these alerts is to disable a few settings: TsoEnable, LargeSendOffload, IPv4, TSO Offload. Also, consider disabling IPv4 Giant TSO Offload.

    Go to Network Connection Properties-Configure-Advanced Tab and set "TsoEnable", "LargeSendOffload", "IPv4", "TSO Offload" to 0 to disable.

    TSO and GSO, standing for TCP segmentation offload and generic segmentation offload, mean that instead of the CPU breaking up packets, the network card is expected to do it.
    The consequence of turning it off is that having it on improves performance by reducing CPU load, so they don't experience CPU speed issues until they reach ridiculous amounts of sustained data.

    Some information about vmware issues: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2055140

    Regards,
    Eli.




    Monday, January 23, 2017 12:19 PM
  • I do not have the TSO settings available, but I did disable LargeSendOffload(IPv4) to see if that improves anything.  
    Friday, February 17, 2017 5:54 PM
  • We face the same issues, but I can't seem to fix it using the solution mentioned in the topic.

    We're using Windows Server 2012 R2 and I can't find the options you're talking about.

    What needs to be set exactly? I do see the following options on the Gateway on the capture NIC:

    IPv4 RSO Offload (Disabled)
    Large Send Offload V2 (IPv4) (Disabled)
    TCP Checksum Offload (IPv4) (Rx & Tx Enabled)

    IPv4 RSO Offload and Large Send Offload V2 (IPv4) were enabled, which I disabled, but that didn't change anything.

    What needs to be done?

    Friday, November 10, 2017 11:03 AM
  • The settings should be:

    TsoEnable, LargeSendOffload, TSO Offload, Giant TSO Offload

    See https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-known-errors

    Are you running a VMware guest machine?

    Friday, November 10, 2017 8:47 PM
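
Several posters above could not find the named settings in the adapter's Advanced tab, because each driver labels them differently. The following PowerShell is an added example, not part of any post in this thread: it lists every offload-related advanced property on the capture NIC and, when `$Apply` is set, sets those to 0. The adapter name `Capture`, the match patterns and the `$Apply` variable are assumptions for illustration.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the Gateway / Lightweight Gateway VM (Windows Server 2012 or later).

# Assumption: 'Capture' is the name of the NIC that receives the mirrored traffic.
$AdapterName = 'Capture'

# Assumption: loose patterns built from the setting names quoted in this thread.
$Patterns = 'TsoEnable', 'LargeSendOffload', 'Large Send Offload', 'TSO Offload'

# Set to $true to change the settings; $false only reports what would change.
$Apply = $false

# 1. Audit: find advanced properties whose display name or registry keyword
#    matches one of the patterns, whatever label the driver uses.
$props = Get-NetAdapterAdvancedProperty -Name $AdapterName | Where-Object {
    $p = $_
    $Patterns | Where-Object {
        $p.DisplayName -like "*$_*" -or $p.RegistryKeyword -like "*$_*"
    }
}
$props | Format-Table DisplayName, DisplayValue, RegistryKeyword, RegistryValue -AutoSize

# 2. Remediate: the thread says these settings should be "0 or Disabled".
#    Assumption: for the matched properties, registry value 0 means disabled.
foreach ($p in $props) {
    if (($p.RegistryValue -join '') -ne '0') {
        # Changing an advanced property restarts the adapter, so expect a
        # short gap in capture while it comes back up.
        Set-NetAdapterAdvancedProperty -Name $AdapterName `
            -RegistryKeyword $p.RegistryKeyword `
            -RegistryValue 0 `
            -WhatIf:(-not $Apply)
    }
}

# 3. Verify: show the resulting Large Send Offload state for the adapter.
Get-NetAdapterLso -Name $AdapterName
```

If step 1 returns nothing, the driver does not expose these properties under any of the assumed patterns; drop the filter and review the full `Get-NetAdapterAdvancedProperty` output for that adapter.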