cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
788
Views
0
Helpful
2
Replies

IDSM-2 inspection load high

We have an IDSM-2 installed in our core switch and we are facing problem now, The module is hanging randomly and we can not login through session or GUI at that time. The version running is 7.0(4) E4 and we need to restart the module to recover the same. After the reload we have found that the Inspection load is touching 100 % continuosly , It is working in promiscous mode and only two vlans (server vlans behing FWSM) are monitoring. One of the Vlan is having more number of  servers when I removed the same Vlan  from the capture the inspection load comes back to normal ... Did some one face this problem before ? Is it really a through put issue ?? How can I confirm that ? Or is it due to any bug?

2 REPLIES 2
Cisco Employee

IDSM-2 inspection load high

Check the 'show interface' command output (on the sensor itself), specifically the Total Receive Errors, Total Receive FIFO Overruns,  and Missed Packet Percentage counters for its sensing interfaces. If those counters are non-zero (0) values and/or incrementing _and_ the Inspection Load (aka "Processing Load Percentage") metric is high, then the sensor is oversubscribed.

The IDSM-2 sensor module's absolute maximum inspection throughput rate (in Promiscuous Mode) is 600 Mbps total (combined for both sensing interfaces). If the two VLANs you are monitoring are populated mostly with GigabitEthernet-connected servers, then there is an elevated potential for sensor oversubscription. You may need to monitor traffic entering/leaving the VLAN(s) instead of attempting to monitor all traffic in both VLANs, etc.

Highlighted

IDSM-2 inspection load high

Hello Dustin,

Thanks for the reply, I have checked the interface status aqd found that FIFO overuns in the sensing interface 0/7 but it is not increasing. Also found that inspection load normal at this point of time, I think when it reaches 100 % it will increase the FIFO counters. Below are the interface status..

IDSM2_Secondary# sh interfaces | in Missed

   Missed Packet Percentage = 0

   Missed Packet Percentage = 0

   Missed Packet Percentage = 0

IDSM2_Secondary# sh interfaces | in Errors

   Total Receive Errors = 0

   Total Transmit Errors = 0

   Total Receive Errors = 1

   Total Transmit Errors = 0

   Total Receive Errors = 0

   Total Transmit Errors = 0

IDSM2_Secondary# sh interfaces | in FIFO

   Total Receive FIFO Overruns = 0

   Total Transmit FIFO Overruns = 0

   Total Receive FIFO Overruns = 11828560

   Total Transmit FIFO Overruns = 0

   Total Receive FIFO Overruns = 3

   Total Transmit FIFO Overruns = 0

IDSM2_Secondary# sh interfaces | in FIFO

   Total Receive FIFO Overruns = 0

   Total Transmit FIFO Overruns = 0

   Total Receive FIFO Overruns = 11828560

   Total Transmit FIFO Overruns = 0

   Total Receive FIFO Overruns = 3

   Total Transmit FIFO Overruns = 0