Technical Tip: Packet drop observed on SSLVPN interface but no impact on the network performance

In SSL VPN tunnel mode, when the user transfers the file from an internal server, and during the transfer process, if the tunnel is torn down, the tx packet drops on the ssl.root interface may increment.

This is because the server still tries to send the packets to the destination but the firewall will fail to find the client's address in the ssl.root interface. This is an expected behavior and happens for a short period.

Example:

FGT # diag net interface list ssl.root

if=ssl.root family=00 type=65534 index=41 mtu=1500 link=0 master=0
ref=558 state=start present fw_flags=0 flags=up p2p run noarp multicast
Qdisc=noqueue
stat: rxp=888604731 txp=864898063 rxb=416714014182 txb=510921789377 rxe=0 txe=0 rxd=0 txd=9692768 mc=0 collision=0 @ time=1728498494
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=558

However, if slow SSLVPN throughput is caused by packet drops, then the queue drop counters are likely to increment in the diag vpn ssl mux-stat command. Run this command multiple times to verify the counters

name=ssl.root id=0x0
mux count = 0x1
mux dat count = 0
tx dropped = 2
queue dropped = 0
unwanted dropped = 0
multicast dropped = 2
addr not found = 0
max queue length observed = 0
total queue length observed = 0