Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1380
Views
0
Helpful
3
Replies

Check Open Files or Sockets

philip.jonsson
Level 1
Level 1

‎02-28-2014 01:23 AM

Hello everyone!

We got some alarms on our Ironport regarding "Check Open Files or Sockets". It's been bouncing up and down the last couple of days. What does this check mean? Is it the amount of active TCP connections or is it something connected with the malware/anti-virus engine?

We're currently using version:

AsyncOS Version:          7.6.2-014

We add new customers to the device so it would be natural that the amount of connections would increase.Our warning limit is set to 3000 at the moment and our CPU, Memory etc are still OK. Would you recommend raising the value to 3500?

Labels:
0 Helpful
3 Replies 3

Robert Sherwin
Cisco Employee
Cisco Employee

‎02-28-2014 04:37 AM

Can you provide the exact error(s) as they were presented to you from the appliance?  We sometimes see applications faults with "[Errno 23] Too many open files in system" --- but, want to make sure we are addressing the correct error first...

-Robert

Cheers,
Robert Sherwin
0 Helpful

philip.jonsson
Level 1
Level 1
In response to Robert Sherwin

‎03-03-2014 03:50 AM

Hello Robert

Thank you for your reply. I have tried to look through the logs of the appliance but couldn't find anything. What log contains the information you need? I checked the error log, status log, snmp log and the system log and could not find anything related to open file or sockets. I also tried to search for the message you posted.

It's worth mentioning that it's not the Ironport that is sending us alarms it's our surveillance system. We send and SNMP command to a MIB and we have a warning limit of 3000 connections. We get this message back:

Plugin output:
SNMP WARNING - *3114* | iso.3.6.1.4.1.15497.1.1.1.19.0=3114

What exactly is the Open Files or Sockets? Is i the amount of open connections? As mentioned before, the CPU and memory are still good so we don't experience any high loads on the appliance.

Best regards,

Philip

0 Helpful

Robert Sherwin
Cisco Employee
Cisco Employee
In response to philip.jonsson

‎03-03-2014 05:55 AM

Correct - this would be the # of open connections on the appliance.  With you running 7.6.2 - I would be interested to know if you were hitting a recently known defect in our RepEng --- and you would be running a higher number of connections out connecting/pending senderbase lookups/results/turn-around.

Without your appliance actually reporting any issues with a application fault, or other administrative notification - you are relying just on the SNMP query for the monitoring of the service and value. 

Check and make sure this is updated:

myesa.local> repengstatus

Component                 Version    Last Updated

repeng_tools              1.2.0-079  03 Mar 2014 13:40 (GMT +00:00)

repeng                    1.2.0-079  03 Mar 2014 13:40 (GMT +00:00)

If not - please run 'repengupdate force', to pull down the latest engine and ruleset.  This should alleviate any connections issues this presents back to the OS, and possibly is increasing the # of connections.

-Robert

Cheers,
Robert Sherwin
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents