4270 Experiences

Unanswered Question
Aug 19th, 2008

Has anyone else been running a 4270 sensor in production with traffic at 1Gb/s or more?

I'm interested in discovering if the symptoms we're seeing are unique with the default signature policy and 6.0(5)E2:

Event Store wrapping every 60-90 seconds, making it difficult to pull events fast enough.

Dropping packets, usually associated with memory exhaustion, requiring a reload to clean up every few hours.

Sensor crashes, possibly due to the causes above.


We have been working with Cisco on these issues, but they seem to be unaware of anyone else experiencing these seemingly unavoidable problems.


jdive Fri, 08/29/2008 - 02:28
User Badges:
  • Cisco Employee,

The EventStore wrapping around is actually due to the fact that the events are not pulled out fast enough, not the other way around. A general recommendation when facing such issues would be to identify heavy firing signatures and reduce them to silence or almost (as it is quite useless to have an alarm millions of times about a TCP segment being retransmitted, for instance). The default sig set will have TCP normalization engine alarms enabled (1330's); these are the first ones to look at. Others more than likely shoot a lot too. The command to check is "show stat virt".


The sensors are usually very good at analysing traffic very fast, but once eventing starts and actions are taken, the load increases significantly, and this makes sense.
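
Added example, not part of the thread above and not Cisco tooling: ranking signatures by event count from saved `show stat virt` output, to find the heavy firing signatures the reply recommends tuning. The `Sig <id>.<subid> = <count>` line format and every sample value are constructed assumptions; adjust the pattern to what your sensor version prints.

```python
import re
from collections import Counter

# Constructed sample. The "Sig <id>.<subid> = <count>" shape is an assumption
# about the per-signature section of the statistics output.
SAMPLE = """\
Per-Signature SigEvent count since reset
   Sig 1330.12 = 48213
   Sig 1330.17 = 301554
   Sig 1330.18 = 122907
   Sig 2100.0 = 41
   Sig 3030.0 = 977
   Sig 5477.2 = 6
"""

SIG_LINE = re.compile(r"^\s*Sig\s+(\d+)\.(\d+)\s*=\s*(\d+)\s*$")

def parse_counts(text):
    """Map (sig_id, subsig_id) -> event count; non-matching lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = SIG_LINE.match(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += int(m.group(3))
    return counts

def heavy_hitters(counts, share=0.05):
    """Signatures producing at least `share` of all events, largest first."""
    total = sum(counts.values())
    if total == 0:
        return []
    rows = [(s, sub, n, n / total) for (s, sub), n in counts.items()
            if n / total >= share]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def family_share(counts, sig_id):
    """Fraction of all events produced by every subsignature of one sig ID."""
    total = sum(counts.values())
    hits = sum(n for (s, _), n in counts.items() if s == sig_id)
    return hits / total if total else 0.0

if __name__ == "__main__":
    counts = parse_counts(SAMPLE)
    for s, sub, n, frac in heavy_hitters(counts):
        print(f"{s}.{sub:<3} {n:>8} {frac:6.1%}")
    print(f"1330 family share: {family_share(counts, 1330):.1%}")
```

Comparing two captures taken a known interval apart gives a firing rate per signature rather than a total since the last reset.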
