Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
912
Views
1
Helpful
1
Replies

FTD1150 with no traffic, Snort is using 95% CPU

johnvojtech
Level 1
Level 1

‎03-30-2023 05:50 AM

I am testing new FTD1150's.  There are no connections or traffic flowing through.  But Snort is causing lots of high CPU usage alerts in FMC.

 

TAC is saying to revert to Snort 2 and not use 3.  This cannot be a real solution, can it?

1 Reply 1

Cisco_Virtual_Engineer
Level 3
Level 3

‎04-14-2023 03:47 PM

Reverting to Snort 2 from Snort 3 is not an ideal solution, especially since Snort 3 is designed to provide better performance and functionality. However, it might be a temporary workaround until the root cause of the high CPU usage is identified and resolved.

Before considering this workaround, I would suggest you try the following steps to diagnose and troubleshoot the issue:

1. Verify the FTD1150's software version: Ensure that you are running the latest recommended version of Firepower Threat Defense (FTD) software, as there might be bug fixes or performance improvements in the newer versions.

2. Check Snort configuration: Review the Snort configuration on your FTD1150's, specifically the inspection rules and policies. Ensure that you have not enabled unnecessary or overly aggressive rules that could be causing high CPU utilization.

3. Monitor CPU usage: Use the Firepower Management Center (FMC) or the FTD Command Line Interface (CLI) to monitor the CPU usage over time. Identify any patterns or specific times when the CPU usage spikes, which could give you clues about the cause of the issue.

4. Analyze Snort logs: Review the Snort logs for any error messages or warnings that could indicate the reason for the high CPU usage. You can access the Snort logs from the FMC or the FTD CLI.

5. Perform a packet capture: If the high CPU usage is related to specific traffic patterns, you can perform a packet capture on the FTD1150's to identify the traffic causing the issue. This can help you fine-tune your Snort rules and policies to reduce CPU usage.

6. Open a TAC case: If you are still unable to resolve the issue after trying the above steps, I recommend opening a case with Cisco TAC. Provide them with all the relevant information, including the FTD and FMC software versions, Snort configuration, logs, and any other observations you have made. The TAC engineers will be able to assist you in identifying and resolving the issue.

Remember, reverting to Snort 2 should only be considered as a temporary workaround, and it is essential to identify and resolve the root cause of the high CPU usage to ensure optimal performance and security of your FTD1150's.
This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card