https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299378#M68385 <HTML><HEAD></HEAD><BODY><P>May be there are lot of small packets going through the sensor.</P><P>Activate flood-signatures and analyze alerts.</P></BODY></HTML> Fri, 06 Nov 2009 08:40:24 GMT andrey.dugin 2009-11-06T08:40:24Z https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299374#M68367 <P>Dear ALL,</P><P></P><P>Issue: IDSM is showing 100% Inspection(Sensor) Load during certain periods daily which causes more than 2000 ms delay in the network.This issue occurs after upgrading the signature engine to E3</P><P></P><P>We have also monitored the traffic during 100% Load on PRTG but traffic has still in normal utilization 40 to 50Mb.</P><P></P><P>I have found the same 100% Load issue on the Cisco TAC case.</P><P></P><P>Has any one faced this issue before in their workaround. Actually we are not sure about our issue. Is our issue also related to SMTP traffic or not as in the TAC case.</P><P>How can we identify our issue?</P><P></P><P>Please see the following TAC case:</P><P></P><P>Symptom:</P><P>IDSM is showing high CPU and a "processing load percentage" of 100 during certain periods daily. Traffic is affected at those times.</P><P></P><P>Conditions:</P><P>Issue has been identified to be linked to smtp traffic.</P><P></P><P><A class="jive-link-custom" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz81580&amp;from=summary" target="_blank">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsz81580&amp;from=summary</A> </P><P></P><P>How can we solve/identify this issue? </P><P></P><P>Please provide us the appropriate solution for this issue.</P><P></P><P>Here are the details of IDSM-2:</P><P></P><P>Our IDSM is in Inline VLAN-Pair Mode:</P><P></P><P>Inline TCP Tracking Mode: Interface and VLAN</P><P></P><P>Core Switch IPS Etherchannel Setup:</P><P>-----------------------------------</P><P></P><P>Group 5: IDSM(A) and IDSM(B) Port x/7</P><P>Group 6: IDSM(A) and IDSM(B) Port x/8</P><P></P><P>Some VLAN Pair(s) are on interface x/7 and others are on x/8</P><P></P><P>There is an FWSM module also, which acts as the default gateway for all internal VLANs.</P><P></P><P>All signatures are in default state.</P><P></P><P>IPS1 version Detail:</P><P>Cisco Intrusion Prevention System, Version 6.1(2)E3</P><P>Signature Update S440.0</P><P>OS Version:2.4.30-IDS-smp-bigphys</P><P>Platform:WS-SVC-IDSM-2</P><P>Cisco6513 IOS: Version 12.2(18)SXF17 </P><P></P><P>Thanks in advance.</P><P></P><P>Regards,</P><P>Anser</P> Sun, 10 Mar 2019 11:48:33 GMT https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299374#M68367 Muhammad Anser Khan 2019-03-10T11:48:33Z https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299375#M68372 <HTML><HEAD></HEAD><BODY><P>You don't say how much traffic you are trying to push through that IDSM, but if you overload it, you will get delay and lost packets.</P><P>You can try putting the sensor into promisicous mode and doing shunning on the FWSM. That way, no matter how badly the sensor performs, you will not distrupt traffic.</P></BODY></HTML> Mon, 26 Oct 2009 16:21:19 GMT https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299375#M68372 rhermes 2009-10-26T16:21:19Z https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299376#M68377 <HTML><HEAD></HEAD><BODY><P>This is not a traffic issue. Traffic shows very low during 100% sensor load.</P><P></P><P>Regards,</P><P>Anser</P></BODY></HTML> Tue, 27 Oct 2009 05:58:34 GMT https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299376#M68377 Muhammad Anser Khan 2009-10-27T05:58:34Z https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299377#M68380 <HTML><HEAD></HEAD><BODY><P>I get "Red" status events on "inspectionLoad" very frequently. I am not quite sure if it has always been this frequent. I wonder if the "healthAndSecurity" status alerts can be sent off to a syslog server for long term storage, review and analysis. </P><P></P><P>Are you getting "Red" status events on "inspectionLoad"? Just recently or all the time.</P><P></P><P>There is another thread in this forum about something like highcpu or something like that. I am not sure if that one was very specific. </P><P></P><P>I wonder if this is related to Cisco updating signature files with new sigs are enabled by default related to 5 year old vulnerabilities. </P><P></P><P></P><P></P><P>evStatus: eventId=REMOVED</P><P>vendor=Cisco </P><P> originator: </P><P> hostId: REMOVED </P><P> appName: monitor </P><P> appInstanceId: 345 </P><P> time: Nov 03, 2009 19:08:51 UTC offset=-300 timeZone=EST </P><P> healthAndSecurity: </P><P> description: Health and security status </P><P> healthStatus: red </P><P> securityStatus: </P><P> virtualSensor: vs0 </P><P> status: green </P><P> changed: </P><P> metricValue: name=inspectionLoad </P><P> current: </P><P> value: 94 </P><P> status: red </P><P> previous: </P><P> value: 17 </P><P> status: green </P><P> thresholds: </P><P> type: upper </P><P> yellow: 80 </P><P> red: 91 </P><P> warning: </P><P> metricStatus: name=inspectionLoad </P><P> status: red </P><P></P></BODY></HTML> Tue, 03 Nov 2009 20:40:41 GMT https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299377#M68380 bnidacoc 2009-11-03T20:40:41Z https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299378#M68385 <HTML><HEAD></HEAD><BODY><P>May be there are lot of small packets going through the sensor.</P><P>Activate flood-signatures and analyze alerts.</P></BODY></HTML> Fri, 06 Nov 2009 08:40:24 GMT https://community.cisco.com/t5/network-security/100-sensor-load-during-some-period/m-p/1299378#M68385 andrey.dugin 2009-11-06T08:40:24Z