https://community.cisco.com/t5/network-security/ftd-2110-snort3-problem/m-p/5208994#M1116578 <P>It certainly sounds like you have performed much more than the typical troubleshooting on your own. I would agree with <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/182793">@Kasun Bandara</a> that getting support would be the best move at this point. It's odd that management insists on enabling more advanced features but won't pay for TAC support.</P> <P>It wouldn't hurt to upgrade to 7.4.2.1 to get the latest bug fixes.</P> <P>Have you tried disabling the file policy (AMP) in the rules that have it enabled? I find file policies of quite limited value since 90% or more of Internet edge traffic is encrypted and thus not inspectable for Malware payloads (unless you have SSL decryption which only a very small percentage of customers do).</P> Tue, 15 Oct 2024 12:08:55 GMT Marvin Rhoads 2024-10-15T12:08:55Z https://community.cisco.com/t5/network-security/ftd-2110-snort3-problem/m-p/5208878#M1116572 <P><SPAN class="">Hello everyone!</SPAN> <SPAN class="">In</SPAN> <SPAN class="">our</SPAN> <SPAN class="">organization</SPAN><SPAN> we </SPAN><SPAN class="">have</SPAN> <SPAN class="">two</SPAN> <SPAN class="">Cisco</SPAN> <SPAN class="">FTD</SPAN> <SPAN class="">2110s</SPAN><SPAN> managed by </SPAN><SPAN class="">FMC and </SPAN><SPAN class="">configured</SPAN> <SPAN class="">in</SPAN><SPAN> a </SPAN><SPAN class="">HA</SPAN> <SPAN class="">pair</SPAN><SPAN class="">.</SPAN> <SPAN class="">Until</SPAN> <SPAN class="">recently</SPAN><SPAN>, </SPAN><SPAN class="">they</SPAN> <SPAN class="">functioned</SPAN> <SPAN class="">as</SPAN> <SPAN class="">regular</SPAN> <SPAN class="">stateful L3-L4</SPAN> <SPAN class="">firewalls</SPAN><SPAN class="">.</SPAN> <SPAN class="">However</SPAN><SPAN>, a </SPAN><SPAN class="">couple</SPAN><SPAN> of </SPAN><SPAN class="">months</SPAN> <SPAN class="">ago</SPAN><SPAN>, the </SPAN><SPAN class="">authorities</SPAN> <SPAN class="">demanded</SPAN><SPAN> that high-</SPAN><SPAN class="">level</SPAN> <SPAN class="">filtering</SPAN><SPAN> be </SPAN><SPAN class="">enabled</SPAN> <SPAN class="">on</SPAN><SPAN> them</SPAN><SPAN class="">.</SPAN> <SPAN class="">At</SPAN> <SPAN class="">that</SPAN> <SPAN class="">time</SPAN><SPAN>, the </SPAN><SPAN class="">FTD</SPAN> <SPAN class="">version</SPAN> <SPAN class="">was</SPAN> <SPAN class="">7.3.0</SPAN><SPAN class="">.</SPAN> <SPAN class="">I</SPAN> <SPAN class="">started</SPAN> <SPAN class="">by</SPAN> <SPAN class="">configuring</SPAN> <SPAN class="">IPS</SPAN><SPAN class="">.</SPAN><SPAN> I </SPAN><SPAN class="">took</SPAN><SPAN> the </SPAN><SPAN class="">Balanced</SPAN> <SPAN class="">Security</SPAN> <SPAN class="">and</SPAN> <SPAN class="">Connectivity</SPAN> <SPAN class="">policy</SPAN><SPAN> as </SPAN><SPAN class="">a</SPAN> <SPAN class="">basis</SPAN> <SPAN class="">and</SPAN> <SPAN class="">turned</SPAN><SPAN> on </SPAN><SPAN class="">Cisco</SPAN> <SPAN class="">recommendations</SPAN><SPAN class="">.</SPAN> <SPAN class="">Everything</SPAN> <SPAN class="">was</SPAN> <SPAN class="">fine</SPAN><SPAN> for a </SPAN><SPAN class="">month</SPAN><SPAN class="">,</SPAN><SPAN> the </SPAN><SPAN class="">FW</SPAN> <SPAN class="">worked</SPAN> <SPAN class="">stably</SPAN><SPAN class="">.</SPAN> <SPAN class="">During</SPAN> <SPAN class="">this</SPAN> <SPAN class="">month</SPAN><SPAN>, </SPAN><SPAN class="">I</SPAN> <SPAN class="">added</SPAN> <SPAN class="">several</SPAN> <SPAN class="">URL</SPAN> <SPAN class="">rules</SPAN> <SPAN class="">based</SPAN><SPAN> on </SPAN><SPAN class="">our</SPAN> <SPAN class="">organization</SPAN><SPAN>'s </SPAN><SPAN class="">security</SPAN> <SPAN class="">policy</SPAN><SPAN class="">.</SPAN> <SPAN class="">Then</SPAN><SPAN> I </SPAN><SPAN class="">decided</SPAN><SPAN> to </SPAN><SPAN class="">turn</SPAN><SPAN> on </SPAN><SPAN class="">AMP</SPAN><SPAN class="">.</SPAN> <SPAN class="">Two</SPAN> <SPAN class="">weeks</SPAN> <SPAN class="">after</SPAN> <SPAN class="">that</SPAN><SPAN>, </SPAN><SPAN class="">we</SPAN> <SPAN class="">had</SPAN><SPAN> a </SPAN><SPAN class="">Snort3 </SPAN><SPAN>crash </SPAN><SPAN class="">with</SPAN><SPAN> the </SPAN><SPAN class="">error</SPAN> <EM><STRONG><SPAN class="">The</SPAN> <SPAN class="">Primary</SPAN> <SPAN class="">Detection</SPAN> <SPAN class="">Engine</SPAN> <SPAN class="">process</SPAN> <SPAN class="">terminated</SPAN> <SPAN class="">unexpectedly</SPAN> <SPAN class="">1</SPAN> <SPAN class="">time</SPAN><SPAN class="">(</SPAN><SPAN class="">s</SPAN><SPAN class="">)</SPAN></STRONG></EM><SPAN class="">.</SPAN><SPAN> I </SPAN><SPAN class="">decided</SPAN> <SPAN class="">not</SPAN> <SPAN class="">to</SPAN> <SPAN class="">jump</SPAN><SPAN> to </SPAN><SPAN class="">conclusions</SPAN> <SPAN class="">and</SPAN> <SPAN class="">left</SPAN> <SPAN class="">everything</SPAN> <SPAN class="">as</SPAN><SPAN> it </SPAN><SPAN class="">is</SPAN><SPAN class="">,</SPAN> <SPAN class="">I</SPAN> <SPAN class="">could</SPAN> <SPAN class="">not</SPAN> <SPAN class="">determine</SPAN><SPAN> the </SPAN><SPAN class="">cause</SPAN><SPAN> of the </SPAN><SPAN class="">crash</SPAN><SPAN class="">.</SPAN> <SPAN class="">A</SPAN> <SPAN class="">week</SPAN><SPAN> later, the </SPAN><SPAN class="">situation</SPAN> <SPAN class="">repeated</SPAN><SPAN> itself </SPAN><SPAN class="">and</SPAN> <SPAN class="">continued</SPAN><SPAN> to </SPAN><SPAN class="">repeat</SPAN><SPAN> for </SPAN><SPAN class="">another</SPAN> <SPAN class="">month</SPAN> <SPAN class="">(</SPAN><SPAN class="">once</SPAN><SPAN> or </SPAN><SPAN class="">twice</SPAN> <SPAN class="">a</SPAN> <SPAN class="">week</SPAN> <SPAN class="">we</SPAN> <SPAN class="">had</SPAN><SPAN> Snort3 </SPAN><SPAN class="">crash</SPAN><SPAN class="">)</SPAN><SPAN class="">.</SPAN><SPAN><BR /><BR />I </SPAN><SPAN class="">found</SPAN> <SPAN class="">that</SPAN> <SPAN class="">Snort3</SPAN> <SPAN class="">could</SPAN> <SPAN class="">crash</SPAN> <SPAN class="">due</SPAN><SPAN> to </SPAN><SPAN class="">SMB</SPAN> <SPAN class="">traffic</SPAN> <SPAN class="">generated</SPAN><SPAN> by the </SPAN><SPAN class="">attacker</SPAN> <A href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-smbsnort3-dos-pfOjOYUV" target="_self"><SPAN class="">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-smbsnort3-dos-pfOjOYUV</SPAN></A><SPAN><BR /><BR />The </SPAN><SPAN class="">security</SPAN> <SPAN class="">department</SPAN><SPAN> and I did </SPAN><SPAN class="">not</SPAN> <SPAN class="">find</SPAN> <SPAN class="">any</SPAN> <SPAN class="">signs</SPAN><SPAN> of </SPAN><SPAN class="">penetration</SPAN> <SPAN class="">into</SPAN> <SPAN class="">our</SPAN> <SPAN class="">network</SPAN><SPAN>, </SPAN><SPAN class="">however</SPAN><SPAN>, </SPAN><SPAN class="">I</SPAN> <SPAN class="">decided</SPAN><SPAN> to </SPAN><SPAN class="">exclude</SPAN> <SPAN class="">SMB</SPAN> <SPAN class="">traffic</SPAN><SPAN> by </SPAN><SPAN class="">placing</SPAN> <SPAN class="">it</SPAN> <SPAN class="">in</SPAN><SPAN> the </SPAN><SPAN class="">Prefilter</SPAN> <SPAN class="">Policy</SPAN><SPAN class="">.</SPAN> <SPAN class="">However</SPAN><SPAN>, </SPAN><SPAN class="">this</SPAN><SPAN class="">,</SPAN> <SPAN class="">as</SPAN> <SPAN class="">expected</SPAN><SPAN class="">,</SPAN><SPAN> did </SPAN><SPAN class="">not</SPAN> <SPAN class="">help</SPAN><SPAN class="">.</SPAN> <SPAN class="">After</SPAN> <SPAN class="">that</SPAN><SPAN>, I </SPAN><SPAN class="">decided</SPAN><SPAN> to </SPAN><SPAN class="">update</SPAN> <SPAN class="">FTD</SPAN> <SPAN class="">to</SPAN><SPAN> the </SPAN><SPAN class="">latest</SPAN> <SPAN class="">version</SPAN> <SPAN class="">available</SPAN> <SPAN class="">at</SPAN> <SPAN class="">that</SPAN> <SPAN class="">time</SPAN><SPAN>, </SPAN><SPAN class="">7.4.1</SPAN><SPAN class="">.</SPAN> <SPAN class="">After</SPAN><SPAN> the </SPAN><SPAN class="">update</SPAN><SPAN>, the </SPAN><SPAN class="">problem</SPAN> <SPAN class="">went</SPAN><SPAN> away </SPAN><SPAN class="">for</SPAN> <SPAN class="">3</SPAN> <SPAN class="">weeks</SPAN><SPAN class="">.</SPAN> <SPAN class="">But</SPAN> <SPAN class="">then</SPAN> <SPAN class="">hell</SPAN> <SPAN class="">broke</SPAN><SPAN> loose</SPAN><SPAN class="">.</SPAN> <SPAN class="">Exactly</SPAN> <SPAN class="">three</SPAN> <SPAN class="">weeks</SPAN><SPAN> later, </SPAN><SPAN class="">at</SPAN> <SPAN class="">around</SPAN> <SPAN class="">10</SPAN><SPAN class="">:</SPAN><SPAN class="">30</SPAN><SPAN>, </SPAN><SPAN class="">FTD</SPAN> <SPAN class="">began</SPAN><SPAN> to </SPAN><SPAN class="">miss</SPAN> <SPAN class="">traffic</SPAN> <SPAN class="">badly</SPAN><SPAN class="">,</SPAN> <SPAN class="">almost</SPAN> <SPAN class="">all</SPAN> <SPAN class="">packets</SPAN><SPAN> were </SPAN><SPAN class="">lost</SPAN><SPAN class="">,</SPAN> <SPAN class="">and</SPAN> <SPAN class="">those</SPAN> <SPAN class="">that</SPAN> <SPAN class="">reached</SPAN> <SPAN class="">had</SPAN><SPAN> a </SPAN><SPAN class="">delay</SPAN> <SPAN class="">of</SPAN> <SPAN class="">2-3</SPAN> <SPAN class="">seconds</SPAN><SPAN class="">.</SPAN> <SPAN class="">Snort</SPAN><SPAN> crash </SPAN><SPAN class="">and </SPAN><SPAN class="">Failover, as it was recently, </SPAN><SPAN>did </SPAN><SPAN class="">not</SPAN> <SPAN class="">occur</SPAN><SPAN class="">.</SPAN> <SPAN class="">There</SPAN> <SPAN class="">were</SPAN><SPAN> no </SPAN><SPAN class="">fresh</SPAN> <SPAN class="">core</SPAN> <SPAN class="">files</SPAN> <SPAN class="">in</SPAN> <SPAN class="">/</SPAN><SPAN class="">ngfw</SPAN><SPAN class="">/</SPAN><SPAN class="">var</SPAN><SPAN class="">/</SPAN><SPAN class="">common</SPAN><SPAN class="">/</SPAN><SPAN class="">,</SPAN> <SPAN class="">analogically</SPAN> <SPAN class="">with</SPAN> <SPAN class="">.</SPAN><SPAN class="">dmp</SPAN> <SPAN class="">in</SPAN> <SPAN class="">/</SPAN><SPAN class="">ngfw</SPAN><SPAN class="">/</SPAN><SPAN class="">var</SPAN><SPAN class="">/</SPAN><SPAN class="">log</SPAN> <SPAN class="">and</SPAN> <SPAN class="">/</SPAN><SPAN class="">ngfw</SPAN><SPAN class="">/</SPAN><SPAN class="">var</SPAN><SPAN class="">/</SPAN><SPAN class="">log</SPAN><SPAN class="">/</SPAN><SPAN class="">crashinfo</SPAN><SPAN class="">.</SPAN> <SPAN class="">Logs</SPAN> <SPAN class="">from</SPAN> <SPAN class="">/</SPAN><SPAN class="">ngfw</SPAN><SPAN class="">/</SPAN><SPAN class="">var</SPAN><SPAN class="">/</SPAN><SPAN class="">log</SPAN><SPAN class="">/</SPAN><SPAN class="">messages</SPAN><SPAN> are </SPAN><SPAN class="">attached</SPAN><SPAN class="">.</SPAN> <SPAN class="">Also</SPAN> <SPAN class="">of</SPAN> <SPAN class="">note</SPAN> <SPAN class="">was</SPAN><SPAN> the </SPAN><SPAN class="">load</SPAN> <SPAN class="">on</SPAN><SPAN> the </SPAN><SPAN class="">CPU</SPAN><SPAN class="">,</SPAN><SPAN> more </SPAN><SPAN class="">precisely</SPAN> <SPAN class="">on</SPAN><SPAN> the </SPAN><SPAN class="">6th</SPAN> <SPAN class="">and</SPAN> <SPAN class="">10th</SPAN> <SPAN class="">cores</SPAN> <SPAN class="">(</SPAN><SPAN>cpu_load image</SPAN><SPAN class="">)</SPAN><SPAN class="">,</SPAN> <SPAN class="">and</SPAN> <SPAN class="">Packet</SPAN> <SPAN class="">Queue</SPAN> <SPAN class="">Receive</SPAN> <SPAN class="">Utilizaton</SPAN> <SPAN class="">(</SPAN><SPAN>snort_load </SPAN><SPAN class="">image</SPAN><SPAN class="">)</SPAN><SPAN class="">.</SPAN> <SPAN class="">Through</SPAN> <SPAN class="">top</SPAN><SPAN>, </SPAN><SPAN class="">I</SPAN> <SPAN class="">looked</SPAN><SPAN> at </SPAN><SPAN class="">which</SPAN> <SPAN class="">processes</SPAN> <SPAN class="">load</SPAN><SPAN> the </SPAN><SPAN class="">6</SPAN> <SPAN class="">core</SPAN> <SPAN class="">(</SPAN><SPAN class="">top</SPAN> <SPAN class="">image</SPAN><SPAN class="">)</SPAN><SPAN class="">,</SPAN> <SPAN class="">syslog</SPAN><SPAN class="">-</SPAN><SPAN class="">ng</SPAN><SPAN> and </SPAN><SPAN class="">fail2ban</SPAN><SPAN class="">-</SPAN><SPAN class="">server</SPAN> <SPAN class="">were</SPAN> <SPAN class="">constantly</SPAN> <SPAN class="">in</SPAN><SPAN> the </SPAN><SPAN class="">top</SPAN><SPAN class="">.</SPAN> <SPAN class="">I</SPAN> <SPAN class="">couldn</SPAN><SPAN>'t draw </SPAN><SPAN class="">any</SPAN> <SPAN class="">useful</SPAN> <SPAN class="">conclusions</SPAN> <SPAN class="">from</SPAN> <SPAN class="">this</SPAN><SPAN class="">.</SPAN><SPAN> I </SPAN><SPAN class="">had</SPAN><SPAN> to </SPAN><SPAN class="">make</SPAN><SPAN> a </SPAN><SPAN class="">switch</SPAN> <SPAN class="">node</SPAN> <SPAN class="">manually</SPAN><SPAN class="">.</SPAN> <SPAN class="">Everything</SPAN> <SPAN class="">worked</SPAN><SPAN class="">.</SPAN> <SPAN class="">The</SPAN> <SPAN class="">next</SPAN> <SPAN class="">day</SPAN><SPAN>, </SPAN><SPAN class="">exactly</SPAN> <SPAN class="">the</SPAN> <SPAN class="">same</SPAN> <SPAN class="">situation</SPAN> <SPAN class="">happened</SPAN> <SPAN class="">(</SPAN><SPAN class="">with</SPAN> <SPAN class="">the</SPAN> <SPAN class="">same</SPAN> <SPAN class="">log</SPAN><SPAN class="">,</SPAN> <SPAN class="">the</SPAN> <SPAN class="">same</SPAN> <SPAN class="">load</SPAN> <SPAN class="">on</SPAN><SPAN> the </SPAN><SPAN class="">CPU</SPAN> <SPAN class="">cores, </SPAN><SPAN class="">snort</SPAN> <SPAN class="">queue utilization and </SPAN><SPAN>syslog-ng, fail2ban-server in top output</SPAN><SPAN class="">)</SPAN><SPAN> at </SPAN><SPAN class="">about</SPAN> <SPAN class="">the</SPAN> <SPAN class="">same</SPAN> <SPAN class="">time</SPAN> <SPAN class="">+</SPAN><SPAN class="">-</SPAN> <SPAN class="">5</SPAN> <SPAN class="">minutes</SPAN><SPAN class="">.</SPAN><SPAN> I </SPAN><SPAN class="">had</SPAN><SPAN> to </SPAN><SPAN class="">manually</SPAN><SPAN> switch off </SPAN><SPAN class="">the</SPAN> <SPAN class="">FW</SPAN> <SPAN class="">again</SPAN><SPAN class="">.</SPAN> <SPAN class="">For</SPAN> <SPAN class="">3</SPAN> <SPAN class="">weeks</SPAN><SPAN>, the </SPAN><SPAN class="">problem</SPAN><SPAN> was </SPAN><SPAN class="">repeated</SPAN> <SPAN class="">day</SPAN><SPAN> after </SPAN><SPAN class="">day</SPAN> <SPAN class="">at</SPAN> <SPAN class="">approximately</SPAN> <SPAN class="">the</SPAN> <SPAN class="">same</SPAN> <SPAN class="">time</SPAN><SPAN class="">,</SPAN> <SPAN class="">except</SPAN><SPAN> on </SPAN><SPAN class="">weekends</SPAN><SPAN class="">,</SPAN> <SPAN class="">when</SPAN><SPAN> the </SPAN><SPAN class="">load</SPAN> <SPAN class="">on</SPAN> <SPAN class="">FTD</SPAN> <SPAN class="">was</SPAN> <SPAN class="">2-3</SPAN> <SPAN class="">times</SPAN> <SPAN class="">less</SPAN> <SPAN class="">than</SPAN> <SPAN class="">on</SPAN> <SPAN class="">weekdays</SPAN><SPAN class="">.</SPAN> <SPAN class="">Since</SPAN><SPAN> the </SPAN><SPAN class="">problem</SPAN> <SPAN class="">appeared</SPAN> <SPAN class="">only</SPAN> <SPAN class="">3</SPAN> <SPAN class="">weeks</SPAN> <SPAN class="">after</SPAN><SPAN> the </SPAN><SPAN class="">update</SPAN><SPAN class="">,</SPAN> <SPAN class="">I</SPAN> <SPAN class="">decided</SPAN> <SPAN class="">that</SPAN> <SPAN class="">it</SPAN><SPAN> had </SPAN><SPAN class="">nothing</SPAN><SPAN> to do </SPAN><SPAN class="">with</SPAN> <SPAN class="">it</SPAN> <SPAN class="">and</SPAN> <SPAN class="">I</SPAN> <SPAN class="">ran</SPAN><SPAN> into </SPAN><SPAN class="">a</SPAN> <SPAN class="">new</SPAN> <SPAN class="">problem</SPAN><SPAN class="">.</SPAN> <SPAN class="">Apparently</SPAN><SPAN class="">,</SPAN> <SPAN class="">some</SPAN> <SPAN class="">specific</SPAN> <SPAN class="">traffic</SPAN> <SPAN class="">appeared</SPAN> <SPAN class="">in</SPAN> <SPAN class="">our</SPAN> <SPAN class="">network</SPAN> <SPAN class="">that</SPAN> <SPAN class="">disabled</SPAN> <SPAN class="">FTD</SPAN> <SPAN class="">(</SPAN><SPAN class="">although</SPAN> <SPAN class="">in</SPAN> <SPAN class="">fact</SPAN> <SPAN class="">it</SPAN> <SPAN class="">sounds</SPAN> <SPAN class="">strange</SPAN><SPAN class="">,</SPAN> <SPAN class="">because</SPAN> <SPAN class="">at</SPAN> <SPAN class="">that</SPAN> <SPAN class="">time</SPAN> <SPAN class="">we</SPAN><SPAN> did </SPAN><SPAN class="">not</SPAN> <SPAN class="">introduce</SPAN> <SPAN class="">any</SPAN> <SPAN class="">new</SPAN> <SPAN class="">products</SPAN> <SPAN class="">and</SPAN> <SPAN class="">traffic</SPAN> <SPAN class="">could</SPAN> <SPAN class="">hardly</SPAN> <SPAN class="">change</SPAN> <SPAN class="">significantly</SPAN><SPAN class="">)</SPAN><SPAN class="">.</SPAN><SPAN> An </SPAN><SPAN class="">experienced</SPAN> <SPAN class="">colleague</SPAN> <SPAN class="">from</SPAN> <SPAN class="">another</SPAN> <SPAN class="">organization</SPAN> <SPAN class="">advised</SPAN> <SPAN class="">me</SPAN><SPAN> to </SPAN><SPAN class="">exclude</SPAN> <SPAN class="">elephant</SPAN> <SPAN class="">flows</SPAN> <SPAN class="">from</SPAN><SPAN> a high-</SPAN><SPAN class="">level</SPAN> <SPAN class="">inspection</SPAN><SPAN class="">,</SPAN> <SPAN class="">since</SPAN> <SPAN class="">in</SPAN> <SPAN class="">his</SPAN> <SPAN class="">opinion</SPAN> <SPAN class="">these</SPAN> <SPAN class="">flows</SPAN> <SPAN class="">may</SPAN> <SPAN class="">be</SPAN><SPAN> the </SPAN><SPAN class="">cause</SPAN><SPAN> of </SPAN><SPAN class="">failures</SPAN><SPAN class="">.</SPAN> <SPAN class="">I</SPAN> <SPAN class="">caught</SPAN> <SPAN class="">all</SPAN><SPAN> the </SPAN><SPAN class="">elephant</SPAN> <SPAN class="">flows</SPAN> <SPAN class="">and</SPAN> <SPAN class="">put</SPAN> <SPAN class="">them</SPAN> <SPAN class="">in</SPAN><SPAN> the </SPAN><SPAN class="">prefilter</SPAN><SPAN class="">,</SPAN> <SPAN class="">but</SPAN> <SPAN class="">it</SPAN><SPAN> didn</SPAN><SPAN class="">'t</SPAN> <SPAN class="">help</SPAN><SPAN class="">.</SPAN> <SPAN class="">After</SPAN><SPAN> that, I </SPAN><SPAN class="">decided</SPAN><SPAN> to </SPAN><SPAN class="">exclude</SPAN> <SPAN class="">from</SPAN><SPAN> the high-</SPAN><SPAN class="">level</SPAN> <SPAN class="">inspection</SPAN> <SPAN class="">all</SPAN><SPAN> the </SPAN><SPAN class="">threads</SPAN> <SPAN class="">that</SPAN><SPAN> were </SPAN><SPAN class="">passing</SPAN> <SPAN class="">at</SPAN><SPAN> the </SPAN><SPAN class="">time</SPAN><SPAN> of the </SPAN><SPAN class="">failure</SPAN><SPAN class="">.</SPAN> <SPAN class="">It</SPAN> <SPAN class="">only</SPAN> <SPAN class="">helped</SPAN> <SPAN class="">that</SPAN> <SPAN class="">at</SPAN><SPAN> the </SPAN><SPAN class="">moments</SPAN><SPAN> of </SPAN><SPAN class="">failure</SPAN><SPAN>, the </SPAN><SPAN class="">traffic</SPAN><SPAN> did </SPAN><SPAN class="">not</SPAN> <SPAN class="">completely</SPAN> <SPAN class="">stop</SPAN><SPAN> being </SPAN><SPAN class="">skipped</SPAN><SPAN> by </SPAN><SPAN class="">FTD</SPAN><SPAN class="">,</SPAN> <SPAN class="">but</SPAN> <SPAN class="">only</SPAN><SPAN> the </SPAN><SPAN class="">delay</SPAN> <SPAN class="">increased</SPAN> <SPAN class="">slightly</SPAN> <SPAN class="">(</SPAN><SPAN class="">but</SPAN> <SPAN class="">the</SPAN> <SPAN class="">CPU</SPAN> <SPAN class="">load</SPAN><SPAN class="">,</SPAN> <SPAN class="">snort</SPAN> <SPAN class="">queue</SPAN> <SPAN class="">utilization</SPAN> <SPAN class="">and</SPAN> <SPAN class="">processes</SPAN> <SPAN class="">in</SPAN> <SPAN class="">top</SPAN> <SPAN class="">remained</SPAN> <SPAN class="">the</SPAN> <SPAN class="">same</SPAN><SPAN class="">)</SPAN><SPAN class="">.</SPAN> <SPAN class="">After</SPAN><SPAN> that, I </SPAN><SPAN class="">decided</SPAN> <SPAN class="">that</SPAN> <SPAN class="">maybe</SPAN><SPAN> the </SPAN><SPAN class="">problem</SPAN><SPAN> was </SPAN><SPAN class="">specifically</SPAN> <SPAN class="">in</SPAN> <SPAN class="">my</SPAN> <SPAN class="">hardware</SPAN><SPAN class="">,</SPAN> <SPAN class="">but</SPAN> <SPAN class="">no</SPAN><SPAN>… The </SPAN><SPAN class="">new</SPAN><SPAN class="">,</SPAN> <SPAN class="">unambiguously</SPAN> <SPAN class="">serviceable</SPAN> <SPAN class="">FTD</SPAN> <SPAN class="">with</SPAN> <SPAN class="">the</SPAN> <SPAN class="">same</SPAN> <SPAN class="">version</SPAN> <SPAN class="">7.4.1</SPAN> <SPAN class="">and</SPAN> <SPAN class="">Snort3</SPAN> <SPAN class="">behaved</SPAN><SPAN> the </SPAN><SPAN class="">same</SPAN><SPAN> way </SPAN><SPAN class="">on</SPAN> <SPAN class="">our</SPAN> <SPAN class="">network</SPAN><SPAN class="">.</SPAN><BR /><BR /><SPAN class="">I</SPAN><SPAN> did </SPAN><SPAN class="">not</SPAN> <SPAN class="">make</SPAN> <SPAN class="">any</SPAN> <SPAN class="">significant</SPAN> <SPAN class="">changes</SPAN><SPAN> to </SPAN><SPAN class="">the</SPAN> <SPAN class="">policies</SPAN> <SPAN class="">before</SPAN> <SPAN class="">that</SPAN> <SPAN class="">fateful</SPAN> <SPAN class="">day</SPAN><SPAN class="">.</SPAN><SPAN> The </SPAN><SPAN class="">standard</SPAN> <SPAN class="">rules</SPAN><SPAN class="">,</SPAN> <SPAN class="">which</SPAN><SPAN> I </SPAN><SPAN class="">canceled</SPAN> <SPAN class="">a</SPAN> <SPAN class="">few</SPAN> <SPAN class="">days</SPAN> <SPAN class="">before</SPAN><SPAN> the </SPAN><SPAN class="">crash</SPAN><SPAN class="">,</SPAN> <SPAN class="">but</SPAN> <SPAN class="">this</SPAN><SPAN> did not have a </SPAN><SPAN class="">positive</SPAN> <SPAN class="">effect</SPAN> <SPAN class="">on</SPAN><SPAN> the </SPAN><SPAN class="">situation</SPAN><SPAN class="">.</SPAN><SPAN> I </SPAN><SPAN class="">remembered</SPAN> <SPAN class="">that</SPAN> <SPAN class="">relatively</SPAN> <SPAN class="">recently</SPAN><SPAN class="">,</SPAN> <SPAN class="">when</SPAN><SPAN> I was </SPAN><SPAN class="">still</SPAN> <SPAN class="">setting</SPAN><SPAN> up </SPAN><SPAN class="">IPS</SPAN><SPAN>, I </SPAN><SPAN class="">hung</SPAN><SPAN> a </SPAN><SPAN class="">large</SPAN> <SPAN class="">enough</SPAN> <SPAN class="">ACL</SPAN> <SPAN class="">(</SPAN><SPAN class="">more</SPAN><SPAN> than </SPAN><SPAN class="">1000</SPAN> <SPAN class="">records</SPAN><SPAN class="">)</SPAN> <SPAN class="">on</SPAN><SPAN> the </SPAN><SPAN class="">Control</SPAN> <SPAN class="">Plane</SPAN> <SPAN class="">to</SPAN> <SPAN class="">block</SPAN> <SPAN class="">bruteforce</SPAN> <SPAN class="">attempts</SPAN> <SPAN class="">on</SPAN> <SPAN class="">our</SPAN> <SPAN class="">RA</SPAN> <SPAN class="">VPN</SPAN><SPAN class="">.</SPAN><SPAN> I </SPAN><SPAN class="">canceled</SPAN> <SPAN class="">it</SPAN> <SPAN class="">and</SPAN><SPAN class="">...</SPAN> <SPAN class="">lo</SPAN><SPAN> and </SPAN><SPAN class="">behold</SPAN><SPAN class="">!</SPAN><SPAN>!! </SPAN><SPAN class="">4</SPAN> <SPAN class="">weeks</SPAN><SPAN> of </SPAN><SPAN class="">silence</SPAN><SPAN class="">,</SPAN> <SPAN class="">stable</SPAN> <SPAN class="">network</SPAN> <SPAN class="">operation</SPAN> <SPAN class="">and</SPAN> <SPAN class="">no</SPAN> <SPAN class="">failures</SPAN><SPAN class="">.</SPAN> <SPAN class="">But</SPAN><SPAN class="">...</SPAN> <SPAN class="">that</SPAN> <SPAN class="">wasn</SPAN><SPAN class="">'t</SPAN><SPAN> the </SPAN><SPAN class="">end</SPAN><SPAN> of the </SPAN><SPAN class="">story</SPAN><SPAN class="">.</SPAN> <SPAN class="">Exactly</SPAN> <SPAN class="">4</SPAN> <SPAN class="">weeks</SPAN><SPAN> later, it </SPAN><SPAN class="">all</SPAN> <SPAN class="">started</SPAN> <SPAN class="">again</SPAN><SPAN class="">.</SPAN> <SPAN class="">And</SPAN> <SPAN class="">this</SPAN><SPAN> is </SPAN><SPAN class="">terrible</SPAN><SPAN class="">!</SPAN> <SPAN class="">Of</SPAN><SPAN> the </SPAN><SPAN class="">latest</SPAN> <SPAN class="">changes</SPAN><SPAN class="">:</SPAN> <SPAN class="">moved</SPAN><SPAN> the </SPAN><SPAN class="">RA</SPAN> <SPAN class="">VPN</SPAN> <SPAN class="">to</SPAN> <SPAN class="">another</SPAN> <SPAN class="">FTD</SPAN> <SPAN class="">to</SPAN> <SPAN class="">unload</SPAN> <SPAN class="">it</SPAN><SPAN> a </SPAN><SPAN class="">bit</SPAN><SPAN class="">,</SPAN> <SPAN class="">and</SPAN> <SPAN class="">disabled</SPAN> <SPAN class="">AMP</SPAN> <SPAN class="">from</SPAN><SPAN> the </SPAN><SPAN class="">policy</SPAN><SPAN class="">.</SPAN> <SPAN class="">But</SPAN> <SPAN class="">that</SPAN> <SPAN class="">didn</SPAN><SPAN class="">'t</SPAN> <SPAN class="">help</SPAN><SPAN> me either</SPAN><SPAN class="">.</SPAN><SPAN> I </SPAN><SPAN class="">don</SPAN><SPAN class="">'t</SPAN> <SPAN class="">understand</SPAN> <SPAN class="">at</SPAN><SPAN> all </SPAN><SPAN class="">what</SPAN><SPAN> the </SPAN><SPAN class="">problem</SPAN> <SPAN class="">might</SPAN> <SPAN class="">be</SPAN><SPAN class="">.</SPAN><SPAN> I </SPAN><SPAN class="">hope</SPAN> <SPAN class="">for</SPAN> <SPAN class="">your</SPAN> <SPAN class="">help</SPAN><SPAN class="">.</SPAN> <SPAN class="">Unfortunately</SPAN><SPAN class="">,</SPAN> <SPAN class="">our</SPAN> <SPAN class="">organization</SPAN><SPAN> does </SPAN><SPAN class="">not</SPAN><SPAN> have </SPAN><SPAN class="">a</SPAN> <SPAN class="">service</SPAN> <SPAN class="">contract</SPAN></P> Tue, 15 Oct 2024 08:55:32 GMT https://community.cisco.com/t5/network-security/ftd-2110-snort3-problem/m-p/5208878#M1116572 viktar23 2024-10-15T08:55:32Z https://community.cisco.com/t5/network-security/ftd-2110-snort3-problem/m-p/5208895#M1116574 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1377042">@viktar23</a>&nbsp;hi, seems like you did many tries to solve the issue. next step should be the cisco TAC. as you mentioned that you dont have service contract for this devices, i highly recommend to purchase the contract to get support from TAC. because these find of internal issues can solved by the TAC team as you already did many tastings and corrections.</P> Tue, 15 Oct 2024 09:32:39 GMT https://community.cisco.com/t5/network-security/ftd-2110-snort3-problem/m-p/5208895#M1116574 Kasun Bandara 2024-10-15T09:32:39Z https://community.cisco.com/t5/network-security/ftd-2110-snort3-problem/m-p/5208994#M1116578 <P>It certainly sounds like you have performed much more than the typical troubleshooting on your own. I would agree with <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/182793">@Kasun Bandara</a> that getting support would be the best move at this point. It's odd that management insists on enabling more advanced features but won't pay for TAC support.</P> <P>It wouldn't hurt to upgrade to 7.4.2.1 to get the latest bug fixes.</P> <P>Have you tried disabling the file policy (AMP) in the rules that have it enabled? I find file policies of quite limited value since 90% or more of Internet edge traffic is encrypted and thus not inspectable for Malware payloads (unless you have SSL decryption which only a very small percentage of customers do).</P> Tue, 15 Oct 2024 12:08:55 GMT https://community.cisco.com/t5/network-security/ftd-2110-snort3-problem/m-p/5208994#M1116578 Marvin Rhoads 2024-10-15T12:08:55Z https://community.cisco.com/t5/network-security/ftd-2110-snort3-problem/m-p/5209204#M1116597 It also seemed to me that AMP has little effect on the Snort load due to the encrypted traffic. However, given the fact that problems with FTD began after enabling this policy, I decided to disable it anyway. Yes, I have disabled the file policy for all rules in the ACP used. I also disabled adaptive profiles just in case. We have traffic decryption enabled, but it is currently being used in test mode, literally for several traffic flows. Tue, 15 Oct 2024 18:29:15 GMT https://community.cisco.com/t5/network-security/ftd-2110-snort3-problem/m-p/5209204#M1116597 viktar23 2024-10-15T18:29:15Z