Hi all,

this is the answer I found in Cisco website, but according to this, I didnot make any updates or any configuration changes, but stilll my sensing interface is going down. I'm not even getting the error messages which they have mentioned at the end.

Ans: During a signature update and reconfigurations, sensorApp stops to process packets as it processes the new signatures in the update. The network driver detects that sensorApp has stopped and pulls any new packets from the buffer. So the network driver does different things, which depends on the configuration and sensor model:

Promiscuous Interface—It brings the link down on the interfaces, and brings the link back up once sensorApp starts to monitor again.

Inline Interface or Inline Vlan Pair—It depends on the Bypass setting:

• Bypass Auto—The driver keeps the link up and begins to pass packets through without analysis. It then reverts back to sending the packets through sensorApp once sensorApp starts to monitor again.

  
  

• Bypass Off—The driver brings the link down on the interfaces, which is the same as in promiscuous mode, and brings them back up once sensorApp starts to monitor again.

  
  

So, if sensor app does not pull packets from the buffer, which possibly occurs because there is no interface configured to process packets, then the driver can put the interface in a down state.

These logs are seen when the sensing interface flaps:

28Jun2011 09:03:09.483 6050.885 interface[409] Cid/W errWarning Inline databypass has started. 28Jun2011 09:03:13.639 4.156 interface[409] Cid/W errWarning Inline databypass has stopped. 28Jun2011 09:19:23.922 970.283 interface[409] Cid/W errWarning Inline databypass has started. 28Jun2011 09:19:27.486 3.564 interface[409] Cid/W errWarning Inline databypass has stopped.