Hi Community!
I stumbled across a weird one I am still diagnosing with TAC; it is still TBD whether we are hitting a bug, but during my research on this I stumbled across an interesting topic.
LINA and Snort both manage their own session tracking / connection table, i.e. show conn only shows the LINA table, not the Snort table.
More importantly, they each run their own timers.
LINA Default TCP Idle timeout: 1 Hour
Snort Default TCP Idle timeout: 3 minutes
While Snort 3 is meant to handle mid-stream sessions, I have been able to mitigate some issues by aligning these two timers (increasing the Snort 3 timer to one hour).
This is probably more of a Dev/BU-level question, but if the Cisco firewall has two separate session tracking tables, would it not make sense to have the default values match so the tables are in sync with each other? Right now, by contrast, you will have Snort 3 sessions time out while still being active in LINA, and then Snort needs to stand up mid-stream sessions, which in our case occasionally drops packets / causes disruption.
These issues could all stem from a bug that we are still investigating, but I am still curious about the two state tables and the timers not being aligned by default.
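The timer mismatch described in the post, modelled as an added example (this is not code from the original post or from Cisco): two independent connection tables with the quoted default idle timeouts replay the same constructed packet stream, and any packet that LINA still treats as part of an established connection while Snort has already aged out its entry is flagged as a mid-stream pickup. The flow key format and the `Table`/`replay` names are assumptions made for the illustration.

```python
# Added example: model LINA and Snort as two independent connection tables with
# different idle timeouts and report where they disagree on a live flow.
from dataclasses import dataclass, field

LINA_TCP_IDLE = 3600   # seconds; LINA default TCP idle timeout quoted in the post (1 hour)
SNORT_TCP_IDLE = 180   # seconds; Snort default TCP idle timeout quoted in the post (3 minutes)


@dataclass
class Table:
    name: str
    idle_timeout: int
    last_seen: dict = field(default_factory=dict)  # flow key -> timestamp of last packet

    def observe(self, flow, ts):
        """Classify a packet as 'new', 'established' or 'midstream' for this table."""
        prev = self.last_seen.get(flow)
        self.last_seen[flow] = ts
        if prev is None:
            return "new"
        if ts - prev > self.idle_timeout:
            # The entry aged out during the quiet period: the packet belongs to a
            # TCP connection this table no longer has state for.
            return "midstream"
        return "established"


def replay(packets, lina_idle=LINA_TCP_IDLE, snort_idle=SNORT_TCP_IDLE):
    """Replay (flow, timestamp) packets through both tables and return the packets
    where LINA still has state but Snort has to pick the session up mid-stream."""
    lina, snort = Table("lina", lina_idle), Table("snort", snort_idle)
    mismatches = []
    for flow, ts in packets:
        l_state, s_state = lina.observe(flow, ts), snort.observe(flow, ts)
        if l_state == "established" and s_state == "midstream":
            mismatches.append((flow, ts))
    return mismatches


# Constructed sample flow: one long-lived TCP session with a 10-minute quiet period,
# which is longer than the Snort timeout but shorter than the LINA timeout.
SAMPLE = [
    ("10.0.0.5:51000->10.0.1.7:443", 0),
    ("10.0.0.5:51000->10.0.1.7:443", 60),
    ("10.0.0.5:51000->10.0.1.7:443", 660),   # 600 s gap: > 180 s, < 3600 s
    ("10.0.0.5:51000->10.0.1.7:443", 700),
]

if __name__ == "__main__":
    print(replay(SAMPLE))                             # [('10.0.0.5:51000->10.0.1.7:443', 660)]
    print(replay(SAMPLE, snort_idle=LINA_TCP_IDLE))   # [] once the two timers are aligned
```

Running the same packets with the Snort timer raised to match LINA produces no mismatches, which is the alignment the post describes applying.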