Cisco Support Community
4270 Experiences

Has anyone else been running a 4270 sensor in production with traffic at 1Gb/s or more?

I'm interested in discovering if the symptoms we're seeing are unique with the default signature policy and 6.0(5)E2:

Event Store wrapping every 60-90 seconds, making it difficult to pull events fast enough.

Dropping packets, usually associated with memory exhaustion, requiring a reload to clean up every few hours.

Sensor crashes, possibly due to the causes above.

We have been working with Cisco on these issues, but they seem to be unaware of anyone else experiencing these seemingly unavoidable problems.

1 REPLY
Cisco Employee

Re: 4270 Experiences

The EventStore wrapping around is actually due to the fact that the events are not pulled out fast enough, not the other way around. A general recommendation when facing such issues would be to identify heavy-firing signatures and reduce them to silence or almost silence (as it is quite useless to have millions of alarms about a TCP segment being retransmitted, for instance). The default sig set will have TCP normalization engine alarms enabled (1330's); these are the first ones to look at. Others more than likely shoot a lot too. The command to check is "show stat virt".

The sensors are usually very good at analysing traffic very fast, but once eventing starts and actions are taken, the load increases significantly, and this makes sense.
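The reply's tuning advice (find the signatures that fire most, starting with the 1330 TCP normalizer family, and silence the noisy ones so the collector can keep up with the event store) can be turned into a small triage script. The following is an added example, not code from the thread or from Cisco: it parses a constructed batch of alert records in a simplified one-line layout (the real sensor exposes alerts through SDEE, and the field layout here is an assumption made for the example), ranks signatures by hit count, flags the 1330 normalizer signatures, and estimates how long an event store of a given capacity lasts when alerts arrive faster than they are pulled. The signature 60001, the sub-signature IDs, the store capacity and the pull rate are constructed values.

```python
"""Rank IPS alerts by signature to find tuning candidates (added example).

The alert layout, the signature 60001 and the sub-signature IDs below are
constructed for this example and are not taken from any sensor output.
Only signature 1330 (TCP normalizer engine) comes from the thread.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample alerts: one record per line, simplified layout (assumption).
SAMPLE_ALERTS = """\
2024-01-01T10:00:00 sigId=1330 subSigId=12 desc="TCP segment retransmitted"
2024-01-01T10:00:05 sigId=1330 subSigId=12 desc="TCP segment retransmitted"
2024-01-01T10:00:10 sigId=1330 subSigId=17 desc="TCP timestamp out of order"
2024-01-01T10:00:15 sigId=1330 subSigId=12 desc="TCP segment retransmitted"
2024-01-01T10:00:20 sigId=60001 subSigId=0 desc="Custom sig: internal scanner"
2024-01-01T10:00:25 sigId=1330 subSigId=12 desc="TCP segment retransmitted"
2024-01-01T10:00:30 sigId=1330 subSigId=17 desc="TCP timestamp out of order"
2024-01-01T10:00:35 sigId=1330 subSigId=12 desc="TCP segment retransmitted"
2024-01-01T10:00:40 sigId=60001 subSigId=0 desc="Custom sig: internal scanner"
2024-01-01T10:00:45 sigId=1330 subSigId=12 desc="TCP segment retransmitted"
2024-01-01T10:00:50 sigId=1330 subSigId=17 desc="TCP timestamp out of order"
2024-01-01T10:01:00 sigId=1330 subSigId=12 desc="TCP segment retransmitted"
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+sigId=(?P<sig>\d+)\s+subSigId=(?P<sub>\d+)\s+desc="(?P<desc>[^"]*)"'
)

TCP_NORMALIZER_SIG = 1330  # the signature family the reply says to look at first


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        alerts.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "sig": int(m["sig"]),
            "sub": int(m["sub"]),
            "desc": m["desc"],
        })
    return alerts


def is_normalizer(sig_id):
    """True for the TCP normalizer engine signatures (1330.x)."""
    return sig_id == TCP_NORMALIZER_SIG


def rank_signatures(alerts, top_n=5):
    """Return (sig, sub, count, desc) tuples, heaviest-firing first."""
    counts = Counter((a["sig"], a["sub"]) for a in alerts)
    descs = {(a["sig"], a["sub"]): a["desc"] for a in alerts}
    return [(sig, sub, n, descs[(sig, sub)]) for (sig, sub), n in counts.most_common(top_n)]


def events_per_second(alerts):
    """Average alert rate over the observed window (0.0 if fewer than two alerts)."""
    if len(alerts) < 2:
        return 0.0
    stamps = [a["ts"] for a in alerts]
    span = (max(stamps) - min(stamps)).total_seconds()
    return len(alerts) / span if span > 0 else float("inf")


def seconds_until_wrap(event_rate, pull_rate, store_capacity):
    """Seconds until the event store wraps when alerts arrive faster than they are
    pulled; None when the collector keeps up (pull rate >= event rate)."""
    backlog_rate = event_rate - pull_rate
    if backlog_rate <= 0:
        return None
    return store_capacity / backlog_rate


def tuning_candidates(alerts, share_threshold=0.25):
    """Signatures worth reviewing: any normalizer signature, plus any signature
    responsible for at least share_threshold of all alerts."""
    total = len(alerts)
    out = []
    for sig, sub, n, desc in rank_signatures(alerts, top_n=len(alerts)):
        share = n / total
        if is_normalizer(sig) or share >= share_threshold:
            out.append({"sig": f"{sig}/{sub}", "count": n, "share": round(share, 3),
                        "normalizer": is_normalizer(sig), "desc": desc})
    return out


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alerts, {events_per_second(alerts):.2f} events/s")
    for c in tuning_candidates(alerts):
        flag = " [TCP normalizer]" if c["normalizer"] else ""
        print(f"  {c['sig']:>9} x{c['count']:<3} {c['share']:.0%}  {c['desc']}{flag}")
    # Constructed capacity and pull rate, to show how quickly a store wraps.
    wrap = seconds_until_wrap(event_rate=500.0, pull_rate=200.0, store_capacity=30000)
    print(f"store of 30000 events wraps in {wrap:.0f}s at 500 in / 200 out per second")
```

Run against a real export, the first thing to check is whether the top of the ranking is dominated by one or two normalizer sub-signatures; the share column tells you how much collector load disappears if that signature is silenced or its action reduced, and `seconds_until_wrap` shows why the store wraps every minute or so once the inbound rate exceeds what the SDEE client pulls.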
