topic Re: FTD 6.2.3 - preserve-connection query in Network Security

FTD 6.2.3 - preserve-connection query

plwalsh — Fri, 21 Feb 2020 16:09:14 GMT

Hi,

I'm running FTD 6.2.3.3 (Build 76) and the 'show conn count' output now includes figures for the 'snort preserve-connection' feature which is enabled by default in 6.2.3. My output shows a figure of over 28M for enabled, and a similar figure for max-enabled. I've 100K connections through the device.

show conn cou
105257 in use, 135542 most used
Inspect Snort:
preserve-connection: 28096416 enabled, 251 in effect, 28096428 most enabled, 9306 most in effect

The enabled figure contsantly rises e.g. last week it was 19M and the max-enabled was about 19M also. Can anyone tell me if that enabled figure is correct or is there a potential bug?

Regards,

Piaras Walsh

Re: FTD 6.2.3 - preserve-connection query

Mohammed al Baqari — Mon, 27 Aug 2018 10:49:05 GMT

I don't think its a bug. It keeps ramping up indicating the total number of
preserved connections since last reboot. The in effect indicate the
concurrent ones.

It should be same or close to most enabled one. However, they can different
if some connections were dropped during snort restart

Re: FTD 6.2.3 - preserve-connection query

fatalXerror — Tue, 06 Nov 2018 05:20:04 GMT

@Mohammed al Baqari, just want to ask because i have an issue regarding constant SNORT CPU high utilization and the TAC said it is somehow related to this snort preserved-connection. Do you have any experiences before that when I have a lot of preserved-connections the CPU will go high? thanks

Re: FTD 6.2.3 - preserve-connection query

Abheesh Kumar — Tue, 06 Nov 2018 05:46:37 GMT

Hi, Check with TAC may be you are hitting with below bug, this is not visible to customer.

CSCvj83264

HTH

ABHEESH