Solved: FTD 6.2.3 - preserve-connection query

plwalsh · ‎08-27-2018

Hi,

I'm running FTD 6.2.3.3 (Build 76) and the 'show conn count' output now includes figures for the 'snort preserve-connection' feature which is enabled by default in 6.2.3. My output shows a figure of over 28M for enabled, and a similar figure for max-enabled. I've 100K connections through the device.

show conn cou
105257 in use, 135542 most used
Inspect Snort:
preserve-connection: 28096416 enabled, 251 in effect, 28096428 most enabled, 9306 most in effect

The enabled figure contsantly rises e.g. last week it was 19M and the max-enabled was about 19M also. Can anyone tell me if that enabled figure is correct or is there a potential bug?

Regards,

Piaras Walsh

Mohammed al Baqari · ‎08-27-2018

I don't think its a bug. It keeps ramping up indicating the total number of
preserved connections since last reboot. The in effect indicate the
concurrent ones.

It should be same or close to most enabled one. However, they can different
if some connections were dropped during snort restart

View solution in original post

Mohammed al Baqari · ‎08-27-2018

I don't think its a bug. It keeps ramping up indicating the total number of
preserved connections since last reboot. The in effect indicate the
concurrent ones.

It should be same or close to most enabled one. However, they can different
if some connections were dropped during snort restart

fatalXerror · ‎11-05-2018

@Mohammed al Baqari, just want to ask because i have an issue regarding constant SNORT CPU high utilization and the TAC said it is somehow related to this snort preserved-connection. Do you have any experiences before that when I have a lot of preserved-connections the CPU will go high? thanks

Abheesh Kumar · ‎11-05-2018

Hi, Check with TAC may be you are hitting with below bug, this is not visible to customer.

CSCvj83264

HTH

ABHEESH