FTD 3110 MULTI-INSTANCE SNORT

alexispino · ‎12-27-2024

I have an architecture with two 3110 chassis, each with 3 instances. These instances are in active/standby HA, and when I have all three instances on the same chassis, the memory of Snort 3 increases, and we start having issues with the applications. The sizing of the instances individually looks fine. Does anyone have any suggestions or experience with what might be happening?

ccieexpert · ‎12-27-2024

what version you are running and can you provide more details ?

what is the memory usage over time from the time you start the box and over time ?

does this happen right away or over time ?

Typically there is more contention for CPU than memory. But you may be run into defects like a memory leak.

what are you traffic rates through each box ?

are you offloading some trusted traffic using pre-filter without using IPS/SNORT, that may alleviate the load on snort.

But, memory issues etc need multiple iterations of troubleshooting and diagnostic commands, and if you have support, i would contact cisco TAC to take a look.

alexispino · ‎12-29-2024

version 7.4.2

It happens over time

ccieexpert · ‎12-29-2024

If it happens over time, most likely a leak (bug) that is increasing over time. Packets etc are transient and only hold memory during the transmission and should be released. 7.4.2 is the latest, so you may have to open a TAC CASE to troubleshoot this further.

MHM Cisco World · ‎12-28-2024

What Idea of using three instances ?

MHM

alexispino · ‎12-29-2024

we are separating in the instances, edge, dmz, users

MHM Cisco World · ‎12-29-2024

why I ask?

You need to management resource it not need for traffic pass from internal to DMZ then via VPN to pasd two deep inspect' one in internal and other in DMZ' same sa traffic pass from internal to internet it not need to deep inspect by edge and internal.

MHM