I was watching yesterday the presentation of BRKSEC-3300 from Cisco Live 2018 - Orlando, and I liked what I've heard about Automatic Application Bypass (AAB).
So, I've read the section "Configuring Automatic Application Bypass" (Link) from the FMC configuration guide 6.2.3 and decided to activate the option on several ASA5585 (models SSP20 and SSP60), using the default threshold of 3000ms.
Today I've seen few Health Events with description "The Primary Detection Engine process terminated unexpectedly 1 time(s).", so I've turn back to the documentation to find out how I can find out more details about the cause of Snort restart. I'm almost sure that this is the AAB working, as there was no deployment or other operation that would trigger a snort restart.
The documentation states "When a malfunction within Snort or a device misconfiguration causes traffic processing time to exceed a specified threshold, AAB causes Snort to restart within ten minutes of the failure, and generates troubleshoot data that can be analyzed to investigate the cause of the excessive processing time."
Now, my question to you is: where is the troubleshoot data, how can I read it, interpret it, etc.? The documentation missed this point unfortunately (or I don't know how to use search)..
Thank you very much, I hope someone can give me a hint and bring some light into this part of the AAB feature : analyzing/investigating the cause of the Snort process restart triggered by AAB.
If you are experiencing snort restarts I would suggest to contact Cisco TAC. They will ask you to take out the logs needed to TS the issue. If you want to analyze problems in firepower core then it will take some time, in my experience the logs are saved and logged in different places depending on software release and in you are running FTD or not. I think the meaning of "can be analyzed" is that Cisco can analyze this. If you like to see what is going on under the hood, i think the best place to start is to learn use pigtail in expert mode.