cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11486
Views
10
Helpful
6
Replies
kyleharris
Beginner

Frequent drain of Connection Event - CSCuz86604

This bug is also manifesting itself on SF IPS on SSD version 6.2.x

1 ACCEPTED SOLUTION

Accepted Solutions

We are hitting this bug too. ASA 5512-X version 9.7.1(4) and FMC 6.2.0 (build 362). Getting flurries of critical alerts almost every day, usually in the early hours of the morning.

View solution in original post

6 REPLIES 6
kossuth78
Beginner

Seen similar behavior of this bug on version 6.2.0.2 on a 5512x ASA running IOS version 9.7(1)8 with ASDM 7.8(1)150 running a virtual FMC.  

We are hitting this bug too. ASA 5512-X version 9.7.1(4) and FMC 6.2.0 (build 362). Getting flurries of critical alerts almost every day, usually in the early hours of the morning.

View solution in original post

ITWhiteRock
Beginner

Has anyone tried the workaround listed in the bug search?

Workaround:
Switched the event storage to SSD that fixed the issue.

Command to switch event storage to SSD from the restricted shell would be:

> configure log-events-to-ramdisk disable

I did so in my particular situation documented above and yes it cleared the issue up. 

This has fixed the issue for me as well.  However, as these logs are a bit transient until they get to the FMC, will this cause extra stress on the SSD?  I know excessive writing to an SSD can cause failures down the road.

Akira Muranaka
Rising star

Except ASA5512/5515, " configure log-events-to-ramdisk disable" should not be used because it will cause the wear and tears of SSD disk. In addition, "configure log-events-to-ramdisk disable" may not be supported on several platforms. ASA5512/5515 has small DRAM, so "configure log-events-to-ramdisk disable" becomes workaround, but as Mike said, it may cause SSD failures down the road.

 

Almost reason of "Disk Usage : Frequent drain of connection Events" is caused by tremendous connection logging configuration and sessions, or lack of eventing performance of using FTD/FMC. Therefore, either tuning logging configuration or reducing DoS traffic or upgrading FTD/FMC will be solution.

 

The below document is useful for understanding architecture and troubleshooting step of Frequent drain of Connection Event issue.
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216081-troubleshoot-drain-of-fmc-unprocessed-ev.html