Snort2 Problems with FTD v7.0.1 and v7.1

ida71
Level 1

Is anyone else having issues with v7.0.1 & Snort3 or Snort2?

I'm posting this here as Cisco seem unable or unwilling to fix this issue.

I upgraded 2 new HA pairs of 2140s to v7.0.1 as the current Gold Star release with Snort3 enabled. 2 weeks into live use, Snort3 barfed & stopped processing traffic; this did NOT cause a failover, as the Snort process was still showing as running. Manual failover restored traffic, but the failed unit had to be rebooted to restore it to a usable state. Two days later the second pair suffered the same fate.

 

After numerous TAC file dumps, core dumps & Tech Support file uploads & 2 recurrences of the issue on both pairs (4 fails), they finally identified a non-public bug in the middle of January & had a duplicate for another customer. The advice was they would not be able to patch this until an April release, so they advised that upgrading to v7.1 would cure the issue.

FMC was upgraded & now many things in the FMC (Appliance 1600 HA pair) do not work properly, such as searching in a policy. Database for unified events shows wrong data if you expand a line. And a few other minor things.

FTDs were upgraded. 1st pair needed access to the internet from the management interface, as it re-registers during upgrade; didn't see that in the release notes! Cisco advice with v7.1 is to enable TLS Discovery (it practically forces it on you). After fixing the registration issue, I tried to enable Snort3, which immediately crashed all traffic through the FTD & caused a split brain when trying to fail back to Snort2; turns out one of the HA pair did NOT accept the switch back. Multiple reboots required to bring them to a stable state. 2nd pair did the same, so be aware.

 

So now running v7.1, Snort2, TLS discovery disabled & many rules with Intrusion protection = None, plus SMB Detector disabled. Still have the same issues with Snort locking up, burning up 1 CPU till maxed out & 1550 Blocks exhaustion, which causes traffic flow to stop. HA says all good & does NOT failover.

More dumps, multiple TAC engineers, no solution after weeks of waiting, with random firewall failures.

My advice: do NOT upgrade to v7.x yet, it's NOT fit for purpose.

If anyone has any magic insight into the inner workings of Snort, let me know. The only course of action open to us at the moment is to failover to standby & reboot the other unit every 7 days! Or Snort will force that on us when it feels like it.

Unlike inline IPS mode, you can't force traffic to flow on Snort failure, but as all the processes still show as running, even that might not keep things flowing if it was an option.

We have more 2140 HA pairs in another location on v6.6.x running 10 times the traffic load with the same rule base without incident. So it's definitely v7 related.