Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
15126
Views
10
Helpful
6
Replies

Frequent drain of Connection Event - CSCuz86604

Go to solution
kyleharris
Level 1
Level 1

‎04-28-2017 06:22 AM - edited ‎03-20-2019 09:20 PM

This bug is also manifesting itself on SF IPS on SSD version 6.2.x

17 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ITWhiteRock
Level 1
Level 1
In response to kossuth78

‎08-04-2017 08:40 AM

We are hitting this bug too. ASA 5512-X version 9.7.1(4) and FMC 6.2.0 (build 362). Getting flurries of critical alerts almost every day, usually in the early hours of the morning.

View solution in original post

6 Replies 6

Go to solution
kossuth78
Level 1
Level 1

‎07-11-2017 06:50 AM

Seen similar behavior of this bug on version 6.2.0.2 on a 5512x ASA running IOS version 9.7(1)8 with ASDM 7.8(1)150 running a virtual FMC.  

0 Helpful

Go to solution
ITWhiteRock
Level 1
Level 1
In response to kossuth78

‎08-04-2017 08:40 AM

We are hitting this bug too. ASA 5512-X version 9.7.1(4) and FMC 6.2.0 (build 362). Getting flurries of critical alerts almost every day, usually in the early hours of the morning.

Go to solution
ITWhiteRock
Level 1
Level 1

‎08-04-2017 08:42 AM

Has anyone tried the workaround listed in the bug search?

Workaround:
Switched the event storage to SSD that fixed the issue.

Command to switch event storage to SSD from the restricted shell would be:

> configure log-events-to-ramdisk disable

0 Helpful

Go to solution
kossuth78
Level 1
Level 1
In response to ITWhiteRock

‎09-21-2017 05:11 PM

I did so in my particular situation documented above and yes it cleared the issue up. 

0 Helpful

Go to solution
Mike Wagner
Level 1
Level 1
In response to ITWhiteRock

‎10-27-2017 06:38 AM

This has fixed the issue for me as well.  However, as these logs are a bit transient until they get to the FMC, will this cause extra stress on the SSD?  I know excessive writing to an SSD can cause failures down the road.

0 Helpful

Go to solution
Akira Muranaka
Level 8
Level 8

‎11-01-2020 07:20 PM - edited ‎11-01-2020 07:21 PM

Except ASA5512/5515, " configure log-events-to-ramdisk disable" should not be used because it will cause the wear and tears of SSD disk. In addition, "configure log-events-to-ramdisk disable" may not be supported on several platforms. ASA5512/5515 has small DRAM, so "configure log-events-to-ramdisk disable" becomes workaround, but as Mike said, it may cause SSD failures down the road.

 

Almost reason of "Disk Usage : Frequent drain of connection Events" is caused by tremendous connection logging configuration and sessions, or lack of eventing performance of using FTD/FMC. Therefore, either tuning logging configuration or reducing DoS traffic or upgrading FTD/FMC will be solution.

 

The below document is useful for understanding architecture and troubleshooting step of Frequent drain of Connection Event issue.
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216081-troubleshoot-drain-of-fmc-unprocessed-ev.html

 

0 Helpful
Customers Also Viewed These Support Documents