When running tcpdump on SAM enabled interfaces, SAM duplicates the packet to be sent to host for tcpdump application and tags it as the copy for tcpdump.
- SAM further continues to process the packet and sends it out on the network if the associated state is found in connection tables.
- If the state is not found, then packet is sent to firewall for further processing, which would further send the packet on network based on the policy configured.
VRRP module ignores the tcpdump tag from SAM and injects the packet into the protocol stack for normal processing.
- This results in host also processing this packet normally and sending it out on the network when found in its connection tables.
- As a result, see 2 packets leaving the firewall for every 1 packet received.
- This issue should occur when VRRP is enabled and tcpdump is running on the respective SAM enabled interface.