Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Email Security Quick-links: ESA Product Support | SMA Product Support | Email Submission and Tracking Portal | Cisco SecurityHub
Current General Deployment (GD) Releases:
ESA: 11.0.0-264 WSA: 10.5.1-296 SMA: 11.0.0-115 Email Plug-in (Reporting): 1.0.1-048 Email Plug-in (Encryption): 1.0.0-036

New Member

Check Open Files or Sockets

Hello everyone!

We got some alarms on our Ironport regarding "Check Open Files or Sockets". It's been bouncing up and down the last couple of days. What does this check mean? Is it the amount of active TCP connections or is it something connected with the malware/anti-virus engine?

We're currently using version:

AsyncOS Version:          7.6.2-014

We add new customers to the device so it would be natural that the amount of connections would increase.Our warning limit is set to 3000 at the moment and our CPU, Memory etc are still OK. Would you recommend raising the value to 3500?

Everyone's tags (2)
Cisco Employee

Check Open Files or Sockets

Can you provide the exact error(s) as they were presented to you from the appliance?  We sometimes see applications faults with "[Errno 23] Too many open files in system" --- but, want to make sure we are addressing the correct error first...


New Member

Check Open Files or Sockets

Hello Robert

Thank you for your reply. I have tried to look through the logs of the appliance but couldn't find anything. What log contains the information you need? I checked the error log, status log, snmp log and the system log and could not find anything related to open file or sockets. I also tried to search for the message you posted.

It's worth mentioning that it's not the Ironport that is sending us alarms it's our surveillance system. We send and SNMP command to a MIB and we have a warning limit of 3000 connections. We get this message back:

Plugin output:
SNMP WARNING - *3114* | iso.

What exactly is the Open Files or Sockets? Is i the amount of open connections? As mentioned before, the CPU and memory are still good so we don't experience any high loads on the appliance.

Best regards,


Cisco Employee

Check Open Files or Sockets

Correct - this would be the # of open connections on the appliance.  With you running 7.6.2 - I would be interested to know if you were hitting a recently known defect in our RepEng --- and you would be running a higher number of connections out connecting/pending senderbase lookups/results/turn-around.

Without your appliance actually reporting any issues with a application fault, or other administrative notification - you are relying just on the SNMP query for the monitoring of the service and value. 

Check and make sure this is updated:

myesa.local> repengstatus

Component                 Version    Last Updated

repeng_tools              1.2.0-079  03 Mar 2014 13:40 (GMT +00:00)

repeng                    1.2.0-079  03 Mar 2014 13:40 (GMT +00:00)

If not - please run 'repengupdate force', to pull down the latest engine and ruleset.  This should alleviate any connections issues this presents back to the OS, and possibly is increasing the # of connections.