
Troubleshooting Guide: Network Deployment Issues

The purpose of the following article is to advise network infrastructure teams on how to resolve deployment
issues in their networks. While FireEye Support is unable to resolve customer networking issues, we do offer
professional services that can assist you.

Background

FireEye appliances are deployed in a wide variety of corporate networks, each with its own policies, rules
and needs. Regardless of the deployment, placing the appliances correctly in the network is critical to
protecting the environment.

If you suspect there is a problem with the traffic the NX Series appliance is receiving, we suggest you follow the
troubleshooting steps below:

Section 1. Identifying Network Deployment Issues

From the CLI, confirm that web analysis statistics are increasing over time.

• On x3xx models, run the show web-analysis stats command:


hostname > enable
hostname # show web-analysis stats


• On x4xx/x5xx models, run the show fume network stats command:


hostname > enable
hostname # show fume network stats


Section 2. Troubleshooting Network Deployment Issues

Run a deployment check and analyze the output with the network protocol analyzer tool of your choice.


For this example, Wireshark is used.


1. Apply the following display filters to limit the displayed packets to the kinds of TCP problems the NX will flag:
tcp.analysis.retransmission
tcp.analysis.out_of_order
tcp.analysis.duplicate_ack
tcp.analysis.ack_lost_segment
tcp.analysis.lost_segment

To combine these into a single filter that displays all packets matching any of the selected criteria, use:
tcp.analysis.retransmission||tcp.analysis.ack_lost_segment||tcp.analysis.lost_segment||tcp.analysis.duplicate_ack||tcp.analysis.out_of_order

Any packet Wireshark highlights in red and black indicates a problem and should be investigated further.

The following tshark command generates comma-separated output listing, for each flagged packet, the source
and destination IP and MAC addresses, the Wireshark Info column (the analysis note), the TCP stream index and
the VLAN ID. It uses exactly the same display filters listed above. If you want only some of the types, for
example only duplicate acknowledgements, use just that display filter. Because of -E header=y, the first
line of the output is a column header.
tshark -n -r <pcap_file_name> -T fields -E header=y -E separator=',' \
    -e ip.src -e eth.src -e ip.dst -e eth.dst -e _ws.col.Info -e tcp.stream -e vlan.id \
    -Y "tcp.analysis.retransmission||tcp.analysis.ack_lost_segment||tcp.analysis.lost_segment||tcp.analysis.duplicate_ack||tcp.analysis.out_of_order" \
    > <analysis_output_file_name>

The output can be analysed directly with grep or awk, or the file can be opened in the spreadsheet program
of your choice (e.g. MS Excel).

For example, to pull the top 20 sources and destinations. With the field order of the tshark command above,
column 1 is ip.src and column 3 is ip.dst (column 2 is eth.src); NR > 1 skips the header line:


awk -F "," 'NR > 1 {print $1}' < <analysis_output_file_name> | sort | uniq -c | sort -rn | head -20   # column 1 = ip.src
awk -F "," 'NR > 1 {print $3}' < <analysis_output_file_name> | sort | uniq -c | sort -rn | head -20   # column 3 = ip.dst
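The following script is an added example, not part of the FireEye guide, that takes the tshark summarisation one step further: besides the top sources and destinations it counts flagged packets per Wireshark analysis type and per TCP stream/VLAN, so a single bad conversation can be followed back into Wireshark with the tcp.stream filter. It assumes the field order of the tshark command above (ip.src, eth.src, ip.dst, eth.dst, _ws.col.Info, tcp.stream, vlan.id) and tshark's default of no field quoting, which is why tcp.stream and vlan.id are read from the end of each line rather than by position from the left. The CSV it reads is constructed inline to stand in for a real capture; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not FireEye's code): summarise the CSV written by the tshark
# command in the guide. Assumed field order: ip.src,eth.src,ip.dst,eth.dst,
# _ws.col.Info,tcp.stream,vlan.id with a header line (-E header=y). A comma
# inside the Info column would shift fields, so stream and VLAN are taken
# from the end of the line ($(NF-1) and $NF), never by position from the left.

# Constructed sample of tshark's output (not a real capture). The Info strings
# mirror the "[TCP ...]" annotations Wireshark adds for each analysis flag.
SAMPLE_CSV="$(mktemp)"
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
ip.src,eth.src,ip.dst,eth.dst,_ws.col.Info,tcp.stream,vlan.id
10.0.0.5,00:11:22:33:44:55,192.0.2.10,66:77:88:99:aa:bb,[TCP Retransmission] 49152 > 443 [PSH ACK] Seq=1 Ack=1 Len=200,3,100
10.0.0.5,00:11:22:33:44:55,192.0.2.10,66:77:88:99:aa:bb,[TCP Dup ACK 7#1] 49152 > 443 [ACK] Seq=201 Ack=1 Len=0,3,100
10.0.0.5,00:11:22:33:44:55,192.0.2.10,66:77:88:99:aa:bb,[TCP Dup ACK 7#2] 49152 > 443 [ACK] Seq=201 Ack=1 Len=0,3,100
10.0.0.7,00:11:22:33:44:57,192.0.2.10,66:77:88:99:aa:bb,[TCP Out-Of-Order] 49160 > 443 [ACK] Seq=2 Ack=1 Len=50,4,100
10.0.0.5,00:11:22:33:44:55,192.0.2.20,66:77:88:99:aa:cc,[TCP Previous segment not captured] 49170 > 80 [ACK] Seq=5 Ack=1 Len=0,5,200
EOF

# top_talkers FILE COLUMN N: the N most frequent values of CSV column COLUMN
# (1 = ip.src, 3 = ip.dst), skipping the header line. Prints "count value",
# most frequent first.
top_talkers() {
    awk -F ',' -v col="$2" 'NR > 1 { c[$col]++ }
        END { for (k in c) print c[k], k }' "$1" | sort -rn | head -n "$3"
}

# issue_summary FILE: flagged packets per Wireshark analysis type, keyed on
# the "[TCP ...]" annotation in the Info column. Lines come out in a fixed
# order so two captures can be diffed directly.
issue_summary() {
    awk 'NR > 1 {
            if ($0 ~ /Retransmission/)                     n["retransmission"]++
            else if ($0 ~ /Dup ACK/)                       n["dup_ack"]++
            else if ($0 ~ /Out-Of-Order/)                  n["out_of_order"]++
            else if ($0 ~ /Previous segment not captured/) n["lost_segment"]++
            else if ($0 ~ /ACKed unseen segment/)          n["ack_lost_segment"]++
            else                                           n["other"]++
        }
        END {
            split("retransmission dup_ack out_of_order lost_segment ack_lost_segment other", order, " ")
            for (i = 1; i <= 6; i++) print order[i], n[order[i]] + 0
        }' "$1"
}

# worst_streams FILE N: the N TCP streams with the most flagged packets, as
# "count stream vlan", ready for a tcp.stream == <n> filter in Wireshark.
worst_streams() {
    awk -F ',' 'NR > 1 { c[$(NF-1) " " $NF]++ }
        END { for (k in c) print c[k], k }' "$1" | sort -rn | head -n "$2"
}

echo "Top sources:";      top_talkers "$SAMPLE_CSV" 1 5
echo "Top destinations:"; top_talkers "$SAMPLE_CSV" 3 5
echo "By analysis type:"; issue_summary "$SAMPLE_CSV"
echo "Worst streams:";    worst_streams "$SAMPLE_CSV" 5
```

To run it against a real capture, replace SAMPLE_CSV with the file produced by the tshark command above. A high count for one stream on a single VLAN usually points at one path or one host; counts spread evenly across many streams and VLANs point at the monitoring feed itself (for example a SPAN port that is oversubscribed or only sees one direction of the traffic), which is the situation the deployment check is meant to expose.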

This analysis will give you a better understanding of your network traffic and a general overview of what
really needs to be improved in your infrastructure so that no packet is missed.
If you don't have the resources, expertise or time to carry out this analysis, FireEye offers professional
services engagements. Please contact your local Account Manager for more details.
