Internet response times spike from average

mj11
Level 3

Hi All

I was hoping that someone may be able to help with an issue I am seeing. Periodically we see the Internet response time is around 2000+ ms from an average of 20 ms. Looking at the logs, this is all I see.

27Mar2012 08:43:26.645 44831.515 cidwebserver[438] IdsEventStore/W errWarning - the subscription lost data [IdsEventStore::readSubscription()]

27Mar2012 09:07:29.190 1442.545 sensorApp[531] IdsEventStore/W errWarning - the event store wrapped around [IdsEventStore::writeEvent(), index = 58591]

27Mar2012 10:42:49.922 5720.732 -cidcli[1733] Cid/W errWarning Session was closed by the remote end.

27Mar2012 14:01:28.808 11918.886 sensorApp[531] sensorApp/W DBMemoryResourcesCritical 1 Hits 1 Total.

Messages, like this one, in the category - DBMemoryResourcesCritical - were logged 1 times in the last 0 seconds.

27Mar2012 14:50:12.383 2923.575 interface[426] Cid/W errWarning Inline data bypass has started due to global correlation update.

27Mar2012 14:50:16.383 4.000 sensorApp[501] sensorApp/W Arena Excess growth of 2124964 detected at exit of CT getVirtualSensorStatistics.

27Mar2012 14:50:16.407 0.024 interface[426] Cid/W errWarning Inline data bypass has stopped.

27Mar2012 15:02:00.880 704.473 cidwebserver[433] tls/W errTransport WebSession::sessionTask TLS connection exception: handshake incomplete.

Messages, like this one, in the category - TLS connection failure - were logged 1 times in the last 867529 seconds.

27Mar2012 15:02:00.888 0.008 cidwebserver[12106] tls/W errWarning received fatal alert: certificate_unknown

Messages, like this one, in the category - receipt of TLS fatal alert message - were logged 1 times in the last 0 seconds.

27Mar2012 15:02:04.753 3.865 cidwebserver[432] tls/W errTransport while sending a TLS warning alert close_notify, the following error occurred: socket error [3,104]

Messages, like this one, in the category - TLS socket failure - were logged 1 times in the last 0 seconds.

27Mar2012 15:02:56.450 51.697 interface[426] Cid/W errWarning Inline data bypass has started due to global correlation update.

27Mar2012 15:02:56.883 0.433 interface[426] Cid/W errWarning Inline data bypass has stopped.

Does anyone have any ideas about the issue? The sensor version is 7.0(7)E4.

Regards MJ
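
As an added example (not part of the original post and not Cisco tooling), the Python below pairs the "Inline data bypass has started/stopped" warnings from the log excerpt above into windows and checks which latency-spike times fall near one. The line layout is inferred only from the lines quoted in the post, the spike times are constructed for illustration, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the log excerpt in the post; the layout is inferred from them.
SAMPLE_LOG = """\
27Mar2012 14:01:28.808 11918.886 sensorApp[531] sensorApp/W DBMemoryResourcesCritical 1 Hits 1 Total.
27Mar2012 14:50:12.383 2923.575 interface[426] Cid/W errWarning Inline data bypass has started due to global correlation update.
27Mar2012 14:50:16.383 4.000 sensorApp[501] sensorApp/W Arena Excess growth of 2124964 detected at exit of CT getVirtualSensorStatistics.
27Mar2012 14:50:16.407 0.024 interface[426] Cid/W errWarning Inline data bypass has stopped.
27Mar2012 15:02:56.450 51.697 interface[426] Cid/W errWarning Inline data bypass has started due to global correlation update.
27Mar2012 15:02:56.883 0.433 interface[426] Cid/W errWarning Inline data bypass has stopped.
"""
# Constructed for illustration: times at which a latency monitor saw 2000+ ms.
SAMPLE_SPIKES = ["27Mar2012 14:50:14.000", "27Mar2012 13:00:00.000"]

FMT = "%d%b%Y %H:%M:%S.%f"
LINE = re.compile(r"^(\d{2}[A-Za-z]{3}\d{4} [\d:.]+) \S+ -?\w+\[\d+\] \S+ (.*)$")

def parse(text):
    """Yield (timestamp, message) for every line matching the inferred layout."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), FMT), m.group(2)

def bypass_windows(text):
    """Pair each 'bypass has started' with the next 'bypass has stopped'."""
    windows, start = [], None
    for ts, msg in parse(text):
        if "Inline data bypass has started" in msg:
            start = ts
        elif "Inline data bypass has stopped" in msg and start is not None:
            windows.append((start, ts, round((ts - start).total_seconds(), 3)))
            start = None
    return windows

def spikes_near_bypass(windows, spikes, slack_s=5.0):
    """Return the spike times that fall inside a bypass window, +/- slack_s."""
    slack = timedelta(seconds=slack_s)
    hits = []
    for s in (datetime.strptime(x, FMT) for x in spikes):
        if any(a - slack <= s <= b + slack for a, b, _ in windows):
            hits.append(s)
    return hits

if __name__ == "__main__":
    wins = bypass_windows(SAMPLE_LOG)
    for a, b, dur in wins:
        print(f"bypass {a:%H:%M:%S.%f} -> {b:%H:%M:%S.%f} ({dur} s)")
    print("spikes near bypass:", spikes_near_bypass(wins, SAMPLE_SPIKES))
```

Spikes that do not line up with any bypass window point the investigation away from the bypass events and toward the other warnings in the log.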

7 Replies

sawgupta
Level 1

Hi,

Though the messages look normal, the sensor is using a high amount of memory.

Is there a particular signature which is firing a lot? Do you have the latest signature set?

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

Hi Sawan

Thanks for the update. Do you know what the best way is to see if a particular signature is firing a lot?

Regards MJ

Yes.

Use the following CLI:

sh statistics virtual-sensor | be SigEvent count

You should get output like the following example:

Per-Signature SigEvent count since reset

             Sig XXXX.Y = n

             Sig ABCD.E = m

Regards,

Sawan Gupta


Hi

I have attached the outputs. If you are able to help, this would be much appreciated.

Regards MJ

How much is the exact memory usage and processing load on the sensor?

Use CLI "show statistics virtual-sensor"

Regards,

Sawan Gupta


Hi Sawan

Sorry, I have been delayed in my response. Hopefully you will still have time to assist.

Regards MJ

The processing load and other stats look normal. You may want to open a case with Cisco TAC.

Regards,

Sawan Gupta
