09-20-2018 03:13 AM - edited 03-12-2019 06:58 AM
Hi everybody,
Yesterday I was watching the presentation of BRKSEC-3300 from Cisco Live 2018 - Orlando, and I liked what I heard about Automatic Application Bypass (AAB).
So, I've read the section "Configuring Automatic Application Bypass" (Link) from the FMC configuration guide 6.2.3 and decided to activate the option on several ASA5585 (models SSP20 and SSP60), using the default threshold of 3000ms.
Today I've seen a few Health Events with the description "The Primary Detection Engine process terminated unexpectedly 1 time(s).", so I've turned back to the documentation to find out how I can get more details about the cause of the Snort restart. I'm almost sure that this is the AAB working, as there was no deployment or other operation that would trigger a Snort restart.
The documentation states "When a malfunction within Snort or a device misconfiguration causes traffic processing time to exceed a specified threshold, AAB causes Snort to restart within ten minutes of the failure, and generates troubleshoot data that can be analyzed to investigate the cause of the excessive processing time."
Now, my question to you is: where is the troubleshoot data, how can I read it, interpret it, etc.? The documentation missed this point unfortunately (or I don't know how to use search).
Thank you very much, I hope someone can give me a hint and shed some light on this part of the AAB feature: analyzing/investigating the cause of the Snort process restart triggered by AAB.
09-21-2018 04:25 AM