There could be many factors on the local Windows system which impact the performance of the Snare agent. You would need to monitor the Windows systems and see if they are sending the events when they happen; if they are not, the issue is with the operation of Snare. This can be performed by running Wireshark on the Windows host and watching communication between the host and the CS-MARS.
If the messages are being sent when they happen, you need to monitor the CS-MARS and verify they are arriving as expected. This can be performed by running 'tcpdump' on the CLI of the CS-MARS and monitoring communication between the host in question and CS-MARS.
Depending on where the delay is occurring, you would then need to troubleshoot Snare for client-side delays. If the events are arriving at the CS-MARS when expected, open a service request with Cisco TAC to troubleshoot CS-MARS more closely.