You may see high buffer entries and flow table usage on a single NPM in a dual NPM X-Series environment that includes Sourcefire serialized with another security application, resulting in alarms such as those shown below:
Sep 23 20:51:38 CBS# cbsalarmlogrd: AlarmID 19404 | Wed Sep 23 20:51:38 2015 | major | np1 | flowTableFull | Flow table full or near capacity Sep 23 20:52:03 CBS# cbsalarmlogrd: AlarmID 19406 | Wed Sep 23 20:52:03 2015 | major | np1 | npmBuffersUsageHigh | NPM buffer usage
If the traffic displays an uneven flow on a specific NPM in a dual NPM system, check the SourceFire configuration to determine if it is set up as a "tap" with an interface on a single NPM. Sourcefire in a tap configuration will support multi-link trunk.
On a normal basis, the Sourcefire IPS is set up for 'tap mode', meaning the application requires the stream of traffic to come in on a single interface for a single-tap circuit (promiscous-mode). The caveat is, since it is a tap configuration, if multi-link is configured, the delivery of SPANed packets towards the listening interfaces will potentially be delivered out of order to the Sourcefire VAP group, and is only able to use a single interface in order to not have the application report erroneous events.
To remedy the situation, you could move one of the circuits/interfaces to an open port on the second NPM (NPM2). For example, you could move the 1/5 circuit/interface configuration in the configuration above to circuit/interface 2/5 on NPM2, as shown below. In essence, while it is true that the Sourcefire IPS is not able to do multi-link, you could try to move another IPS instance and its interface to another NPM. This will additionally disperse traffic from a single NPM to the second NPM to avoid any uneven traffic flow distribution.