Cisco Support Community
New Member

Security Monitoring - Connections

In Security Monitoring under "connections" a majority of the sensors have "paused" as a status! What is this? How did it happen? And how do I fix it?

1 REPLY
Cisco Employee

Re: Security Monitoring - Connections

Connection states for sensors are written into a table in the database by the receiver collector object (the IDS_Receiver daemon). That status is then what is presented in this web page. This means that if the receiver thread hangs or is not currently running, whatever state was last written to the database table will be displayed. Check your IDS_Receiver process on the server to make sure it is still running. Also keep in mind that this web page is static, so the status of any particular sensor won't change unless you refresh the page.

As for what the Paused state means precisely:

Means that the collector for this device is waiting for the system to clear a large backload of data that is waiting to be inserted into the database. This can occur if the rate of flow of events overwhelms the receiver and usually indicates that the database has grown too large (more than 2 million IDS or Syslog events) or the system is very busy (servicing event viewer, generating reports, pruning, etc.). It usually takes several minutes (fifteen or more) for the system to recover to the point where it can begin collecting events again.
