Sourcefire IDS/IPS VAP under heavy load causes traffic disruption or performance issues
The customer diverted additional traffic towards their IDS in a TAP configuration (external tap or shared promiscuous-mode circuit) and experienced high CPU utilization alarms on the IDS/IPS blades, coupled with traffic failure or latency issues.
Messages similar to the following may appear in the logs around the time(s) the slowness or disruption is reported:
Dec 31 21:57:52 npm1 kernel: CBS_HB: [Fab-1] Missing heartbeats TO slots =0080
Dec 31 21:57:52 npm1 kernel: xbprc: sdp-6 (slot-8) Bouncing link due to loss of heartbeats ipstat= 0481 opstat= 7811.
ids_1 cbsvapcfgd: [W] No SDP path to NPM1
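To check a syslog capture for these signatures, the following added example (not vendor code) matches the three messages quoted above and reports which slots had their link bounced. The function names, the constructed fourth sample line, and the choice to flag logs containing both heartbeat loss and a link bounce are assumptions made for illustration.

```python
import re
from collections import Counter

# Signatures taken from the three log messages quoted in this article.
SIGNATURES = {
    "missing_heartbeats": re.compile(
        r"CBS_HB: \[Fab-(?P<fabric>\d+)\] Missing heartbeats TO slots =(?P<mask>[0-9A-Fa-f]+)"),
    "link_bounce": re.compile(
        r"xbprc: (?P<sdp>sdp-\d+) \(slot-(?P<slot>\d+)\) Bouncing link due to loss of heartbeats"),
    "no_sdp_path": re.compile(
        r"cbsvapcfgd: \[W\] No SDP path to (?P<npm>NPM\d+)"),
}
# Optional syslog timestamp, then host (the third quoted line carries no timestamp).
PREFIX = re.compile(r"^(?:(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) )?(?P<host>\S+) ")

def find_events(lines):
    """Return one dict per line that matches a known signature."""
    events = []
    for line in lines:
        for kind, rx in SIGNATURES.items():
            m = rx.search(line)
            if not m:
                continue
            p = PREFIX.match(line)
            ev = {"kind": kind,
                  "ts": p["ts"] if p else None,
                  "host": p["host"] if p else None}
            ev.update(m.groupdict())
            events.append(ev)
            break
    return events

def summarize(events):
    """Count signatures and list slots whose link was bounced."""
    counts = Counter(e["kind"] for e in events)
    slots = sorted({int(e["slot"]) for e in events if e["kind"] == "link_bounce"})
    # Assumption: heartbeat loss together with a link bounce is worth flagging.
    flagged = counts["missing_heartbeats"] > 0 and counts["link_bounce"] > 0
    return {"counts": dict(counts), "bounced_slots": slots, "flagged": flagged}

SAMPLE = [  # first three lines are from the article; the last is constructed noise
    "Dec 31 21:57:52 npm1 kernel: CBS_HB: [Fab-1] Missing heartbeats TO slots =0080",
    "Dec 31 21:57:52 npm1 kernel: xbprc: sdp-6 (slot-8) Bouncing link due to loss of heartbeats ipstat= 0481 opstat= 7811.",
    "ids_1 cbsvapcfgd: [W] No SDP path to NPM1",
    "Dec 31 21:58:01 npm1 kernel: unrelated constructed message",
]

if __name__ == "__main__":
    print(summarize(find_events(SAMPLE)))
```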
Under heavy load, an APM sends flow control throttling messages to the NPM. This might cause traffic interruptions or latency issues in the IDS/IPS configurations.
An IDS that is highly utilized can cause backpressure control messages to be generated from the APM towards the NPM, thereby affecting inline traffic on a shared circuit.
Pre 9.7, contact technical support to obtain a pmmon script for the APM(s).
Post 9.7, configure the "passive" mode at the vap-group context.
Schedule a failover and reload the affected APM(s).
Imported Document ID: 000018936