ENTV Sys_check descriptions

Descriptions and suggestions for resolving the following sys_checks: out_to_out, duplicate_pct, tcp_asymmetry, non_ip_drops_pct, dns_asymmetry, unsupported_ip_proto_drops_pct, fwdd_drops_pct

Overview

Traffic Validation allows customers to see information related to the network traffic observed by Sensors paired to the Brain. This information is used to determine if the network traffic being observed meets quality standards required for detection and further processing. Traffic Validation analyzes the network traffic Sensors are monitoring and reports statistics over a selectable time range in the past 24 hours. For details please see Traffic validation (ENTV).

Vectra introduced customer-facing notifications for important health events that have the potential to impact functionality and coverage. Each notification below has a brief description and a suggested solution to address the problem. Please reach out to your Vectra representative if the issue cannot be remediated.

Health Events

Note: All descriptions and recommendations are relevant for both aggregate and sensor level alerts.

Asymmetric TCP (tcp_asymmetry)

  • Indicates that TCP traffic is only observed in one direction. For accurate analysis, both directions of a session must be visible to the same sensor. When TCP asymmetry is high, Vectra may miss portions of traffic, which can reduce the effectiveness of detection models. Maintaining symmetric visibility ensures optimal detection accuracy and overall product performance.

    • Recommendation: Inspect how traffic is captured to ensure that the packet source is healthy, and that Vectra is positioned to see both sides of the communication.

Asymmetric DNS (dns_asymmetry)

  • Indicates that DNS traffic is only observed in one direction. For accurate analysis, both directions of a session must be visible to the same sensor. When DNS asymmetry is high, Vectra may miss portions of traffic, which can reduce the effectiveness of detection models. Maintaining symmetric visibility ensures optimal detection accuracy and overall product performance.

    • Recommendation: Inspect how traffic is captured to ensure that the packet source is healthy, and that Vectra is positioned to see both sides of the communication.

Duplication (duplicate_pct)

  • Packets have been seen more than once within the environment (aggregate check) or at the sensor level. When duplication is high, the system expends unnecessary resources processing identical packets. Reducing duplication improves overall system performance and decreases workload, allowing Vectra to operate more efficiently.

    • Recommendation: Review your network capture configuration to ensure that traffic is not being duplicated across multiple capture points. Specifically, verify that the same traffic (with an identical 5-tuple) isn’t being captured in multiple locations, such as when both transmit (TX) and receive (RX) streams are mirrored on SPAN ports. To optimize performance and processing efficiency, configure your capture setup so that each packet is captured only once.
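The three checks above (tcp_asymmetry, dns_asymmetry, duplicate_pct) are easiest to understand on a handful of packets. The script below is an added illustration, not Vectra's code or a description of how the sensor computes these values: it maps every packet onto a direction-independent 5-tuple flow, counts flows for which only one direction was ever seen, and counts packets that repeat an identical packet within a few milliseconds (the signature of TX and RX both being mirrored to the sensor). The packet records, the flow-identity rule and the 5 ms duplicate window are all assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """One captured packet (constructed record; the real product works from pcap)."""
    ts: float        # capture timestamp, seconds
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes


def flow_key(p: Packet):
    """Direction-independent 5-tuple so both halves of a session map to one flow."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def asymmetry_pct(packets, proto="tcp", port=None):
    """Percentage of flows (filtered by proto and optionally a port, e.g. 53 for DNS)
    in which the sensor only ever saw one direction."""
    directions = defaultdict(set)
    for p in packets:
        if p.proto != proto:
            continue
        if port is not None and port not in (p.sport, p.dport):
            continue
        directions[flow_key(p)].add((p.src, p.sport, p.dst, p.dport))
    if not directions:
        return 0.0
    one_way = sum(1 for seen in directions.values() if len(seen) == 1)
    return 100.0 * one_way / len(directions)


def duplicate_pct(packets, window=0.005):
    """Percentage of packets that repeat an identical packet seen within `window` seconds.
    Identity is the 5-tuple plus a payload digest; the short window separates a packet
    mirrored twice (TX + RX on a SPAN) from a genuine retransmission seconds later."""
    last_seen = {}
    dups = 0
    for p in sorted(packets, key=lambda p: p.ts):
        ident = (p.src, p.sport, p.dst, p.dport, p.proto,
                 hashlib.sha256(p.payload).digest())
        prev = last_seen.get(ident)
        if prev is not None and p.ts - prev <= window:
            dups += 1
        last_seen[ident] = p.ts
    return 100.0 * dups / len(packets) if packets else 0.0


# Constructed capture: two symmetric TCP sessions, one TCP session whose replies the
# sensor never sees, one symmetric DNS exchange, one DNS query without an answer,
# and a late TCP retransmission that must NOT count as duplication.
SAMPLE = [
    Packet(0.000, "10.0.0.5", "93.184.216.34", "tcp", 40000, 443, b"SYN"),
    Packet(0.010, "93.184.216.34", "10.0.0.5", "tcp", 443, 40000, b"SYN-ACK"),
    Packet(0.020, "10.0.0.5", "93.184.216.34", "tcp", 40000, 443, b"ACK"),
    Packet(0.030, "10.0.0.6", "203.0.113.9", "tcp", 40001, 443, b"SYN"),      # one-way
    Packet(0.040, "10.0.0.8", "198.51.100.4", "tcp", 40002, 80, b"SYN"),
    Packet(0.050, "198.51.100.4", "10.0.0.8", "tcp", 80, 40002, b"SYN-ACK"),
    Packet(0.060, "10.0.0.5", "10.0.0.2", "udp", 53001, 53, b"Q example.com"),
    Packet(0.061, "10.0.0.2", "10.0.0.5", "udp", 53, 53001, b"R example.com"),
    Packet(0.070, "10.0.0.7", "10.0.0.2", "udp", 53002, 53, b"Q example.org"),  # one-way
    Packet(1.500, "10.0.0.5", "93.184.216.34", "tcp", 40000, 443, b"ACK"),    # retransmit
]

# Same capture as it would arrive if both TX and RX were mirrored: every packet twice.
MIRRORED = SAMPLE + [replace(p, ts=p.ts + 0.0001) for p in SAMPLE]


def report(packets):
    return {
        "tcp_asymmetry": asymmetry_pct(packets, "tcp"),
        "dns_asymmetry": asymmetry_pct(packets, "udp", port=53),
        "duplicate_pct": duplicate_pct(packets),
    }


if __name__ == "__main__":
    print("clean capture:   ", report(SAMPLE))
    print("TX+RX mirrored:  ", report(MIRRORED))
```

On the clean capture the script reports one of three TCP flows and one of two DNS flows as one-directional and no duplication; on the mirrored capture duplicate_pct jumps to 50% while the asymmetry figures are unchanged, which is the pattern to expect when a SPAN session forwards both directions of the same port.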

Out to Out (out_to_out)

  • Network communications are observed between two external IP addresses. This typically indicates that the Vectra sensor is positioned outside of the internal network or that certain internal subnets are missing from the configuration. When internal subnets are incomplete, Vectra may misclassify traffic as Out-to-Out instead of In-to-Out or In-to-In, which can affect detection accuracy and algorithm performance.

    • Recommendation: Review and update the internal subnet configuration under the Data Sources tab to ensure all relevant internal IP ranges are included.

**Suggested Metadata Query**: Customers with Respond UX or Stream/Recall can query their metadata to see what IP addresses Vectra considers external.
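To see how an incomplete internal subnet list turns In-to-Out and In-to-In traffic into Out-to-Out, here is an added example (not Vectra's code, and not the metadata query itself) that classifies constructed flows against a hypothetical internal subnet configuration and lists the addresses it would treat as external. The subnet lists and flow records are assumptions; the classification rule is the plain one the section describes: both ends internal is In-to-In, one end internal is In-to-Out, neither is Out-to-Out.

```python
import ipaddress
from collections import Counter

# Hypothetical internal subnet configuration, as it might be entered under the
# Data Sources tab. 172.16.0.0/12 is deliberately missing to show the effect.
INTERNAL_SUBNETS = ["10.0.0.0/8", "192.168.0.0/16"]

# Constructed flows (source, destination); 172.16.x.x hosts are really internal.
FLOWS = [
    ("10.1.2.3", "93.184.216.34"),
    ("10.1.2.4", "172.16.5.10"),
    ("172.16.5.10", "172.16.5.11"),
    ("172.16.5.12", "198.51.100.7"),
    ("192.168.1.5", "10.1.2.3"),
]


def build_internal(subnets):
    return [ipaddress.ip_network(s) for s in subnets]


def is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def classify(src, dst, nets):
    """In-to-In, In-to-Out or Out-to-Out, judged only by the configured subnets."""
    s, d = is_internal(src, nets), is_internal(dst, nets)
    if s and d:
        return "in_to_in"
    if s or d:
        return "in_to_out"
    return "out_to_out"


def out_to_out_report(flows, subnets):
    """Percentage of flows classified Out-to-Out plus the addresses deemed external."""
    nets = build_internal(subnets)
    counts = Counter(classify(s, d, nets) for s, d in flows)
    total = sum(counts.values())
    external = sorted({ip for s, d in flows for ip in (s, d) if not is_internal(ip, nets)},
                      key=ipaddress.ip_address)
    pct = 100.0 * counts["out_to_out"] / total if total else 0.0
    return {"out_to_out_pct": pct, "counts": dict(counts), "external_ips": external}


if __name__ == "__main__":
    before = out_to_out_report(FLOWS, INTERNAL_SUBNETS)
    after = out_to_out_report(FLOWS, INTERNAL_SUBNETS + ["172.16.0.0/12"])
    print("missing 172.16.0.0/12:", before)
    print("subnet added:         ", after)
```

With the incomplete configuration, 40% of the flows are Out-to-Out and three 172.16.5.x hosts appear in the external list; adding the missing /12 drops the figure to 0% and leaves only the two genuinely external addresses. An external list that contains RFC 1918 or other known-internal ranges is the quickest sign that the subnet configuration needs updating.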

Unsupported Traffic

  • Unsupported encapsulation types and IP protocols are normally the culprit. Visit this support documentation to view what encapsulation Vectra supports: https://support.vectra.ai/vectra/article/KB-VS-1180

  • Unsupported IP Protocols (unsupported_ip_proto_drops_pct)

    • Percentage of IP traffic carrying an IP protocol that Vectra does not analyze.

      • Recommendation: Use the Selective PCAP tool on the Network Stats > Packet Capture page to determine what the traffic looks like. This could indicate an encapsulation or configuration error on the mirror interface.

  • Non-IP Packet Drops (non_ip_drops_pct)

    • Percentage of traffic with ethertypes that Vectra cannot process. Consider a different encapsulation strategy for packets forwarded to the sensor.

      • Recommendation: Use the Selective PCAP tool on the Network Stats > Packet Capture page to determine what the traffic looks like. This could indicate an encapsulation or configuration error on the mirror interface.
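Both checks in this section come down to two header fields: the Ethernet ethertype (non_ip_drops_pct) and the IP protocol number (unsupported_ip_proto_drops_pct). The following added example, which is not Vectra's code and does not reproduce its supported-protocol list, parses constructed raw frames, peels 802.1Q tags, and tallies those two fields so you can see which ethertypes and protocols a capture contains before opening a Selective PCAP. The supported set (ICMP, TCP, UDP), the normalisation of both percentages against all frames, and the sample frames are assumptions for the example; the authoritative list is in KB-VS-1180.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_LLDP = 0x88CC

# Hypothetical supported set for this example only (ICMP, TCP, UDP).
SUPPORTED_IP_PROTOS = {1, 6, 17}


def parse_frame(frame: bytes):
    """Return (ethertype, ip_protocol-or-None) for one Ethernet frame, skipping VLAN tags."""
    off = 12                                   # past destination and source MAC
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    while ethertype == ETHERTYPE_VLAN:         # 802.1Q / stacked tags: TCI then inner type
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype == ETHERTYPE_IPV4:
        return ethertype, frame[off + 9]       # IPv4 Protocol field
    if ethertype == ETHERTYPE_IPV6:
        return ethertype, frame[off + 6]       # IPv6 Next Header (extension headers not walked)
    return ethertype, None


def validate(frames):
    """Tally ethertypes and IP protocols and derive the two drop percentages."""
    ethertypes, ip_protos = Counter(), Counter()
    non_ip = unsupported = 0
    for f in frames:
        et, proto = parse_frame(f)
        ethertypes[et] += 1
        if proto is None:
            non_ip += 1
        else:
            ip_protos[proto] += 1
            if proto not in SUPPORTED_IP_PROTOS:
                unsupported += 1
    n = len(frames)
    return {
        "frames": n,
        "ethertypes": dict(ethertypes),
        "ip_protos": dict(ip_protos),
        "non_ip_drops_pct": 100.0 * non_ip / n if n else 0.0,
        "unsupported_ip_proto_drops_pct": 100.0 * unsupported / n if n else 0.0,
    }


# Helpers that build constructed frames with valid header layouts and dummy addresses.
def eth_frame(ethertype, payload, vlan_tci=None):
    hdr = b"\x02" * 6 + b"\x04" * 6           # locally administered dummy MACs
    if vlan_tci is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_tci)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4(proto):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))


def ipv6(next_header):
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       b"\xfd" + b"\x00" * 15, b"\xfd" + b"\x00" * 14 + b"\x01")


SAMPLE_FRAMES = [
    eth_frame(ETHERTYPE_IPV4, ipv4(6)),                   # TCP
    eth_frame(ETHERTYPE_IPV4, ipv4(17), vlan_tci=100),    # UDP inside VLAN 100
    eth_frame(ETHERTYPE_IPV4, ipv4(47)),                  # GRE: unsupported here
    eth_frame(ETHERTYPE_IPV4, ipv4(50)),                  # ESP: unsupported here
    eth_frame(ETHERTYPE_IPV4, ipv4(132)),                 # SCTP: unsupported here
    eth_frame(ETHERTYPE_ARP, b"\x00" * 28),               # non-IP
    eth_frame(ETHERTYPE_LLDP, b"\x00" * 10),              # non-IP
    eth_frame(ETHERTYPE_IPV4, ipv4(1)),                   # ICMP
    eth_frame(ETHERTYPE_IPV6, ipv6(6)),                   # TCP over IPv6
]

if __name__ == "__main__":
    print(validate(SAMPLE_FRAMES))
```

Run against a real capture (for instance by reading frames out of a pcap), a high non-IP share concentrated on one ethertype usually points at a tunnelling or mirror-port configuration issue rather than at many unrelated protocols, and a dominant unsupported IP protocol number (GRE, ESP and the like) tells you which encapsulation to change before the traffic reaches the sensor.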

Internal Constraints

NIC Packet Drops (fwdd_drops_pct)

  • Packets that were dropped due to hardware or software issues on the network interface card.

    • Recommendation: Please contact your Vectra representative if this alert is firing.
