Sourcefire IDS/IPS VAP under heavy load causes traffic disruption or performance issues

Article ID: 167805

Products

XOS

Issue/Introduction

  • The customer diverted additional traffic towards their IDS in a TAP configuration (an external tap or a shared promiscuous-mode circuit) and experienced high CPU utilization alarms on the IDS/IPS blades, coupled with traffic failure or latency issues.
  • Messages similar to the following may appear in the logs around the time(s) the slowness or disruption is reported:

Dec 31 21:57:52 npm1 kernel: CBS_HB: [Fab-1] Missing heartbeats TO slots =0080
Dec 31 21:57:52 npm1 kernel: xbprc: sdp-6 (slot-8) Bouncing link due to loss of heartbeats ipstat= 0481 opstat= 7811.
ids_1 cbsvapcfgd[2902]: [W] No SDP path to NPM1
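The three messages above are the signature to look for when correlating a slowness report with heartbeat loss on the chassis fabric. The following is an added example (not part of the original article and not an XOS tool) that parses syslog-style lines for exactly these three patterns and reports which slots were affected. The sample log text is constructed from the quoted messages, with a timestamp added to the cbsvapcfgd line; the decoding of the "TO slots" bitmask (bit n meaning slot n+1) is an assumption, chosen because it turns 0080 into slot 8, which agrees with the "(slot-8)" in the next message.

```python
import re

# Constructed sample log, modelled on the messages quoted in the article.
# The last line is unrelated and is expected to be ignored.
SAMPLE_LOG = """\
Dec 31 21:57:52 npm1 kernel: CBS_HB: [Fab-1] Missing heartbeats TO slots =0080
Dec 31 21:57:52 npm1 kernel: xbprc: sdp-6 (slot-8) Bouncing link due to loss of heartbeats ipstat= 0481 opstat= 7811.
Dec 31 21:57:53 ids_1 cbsvapcfgd[2902]: [W] No SDP path to NPM1
Dec 31 21:58:10 npm1 kernel: some unrelated message
"""

# Syslog prefix: "Mon DD HH:MM:SS host <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)

# One pattern per symptom quoted in the article.
PATTERNS = {
    "missing_heartbeats": re.compile(
        r"CBS_HB: \[(?P<fabric>Fab-\d+)\] Missing heartbeats TO slots\s*=\s*(?P<mask>[0-9A-Fa-f]+)"
    ),
    "link_bounce": re.compile(
        r"xbprc: (?P<sdp>sdp-\d+) \((?P<slot>slot-\d+)\) Bouncing link due to loss of heartbeats"
        r"(?: ipstat=\s*(?P<ipstat>[0-9A-Fa-f]+) opstat=\s*(?P<opstat>[0-9A-Fa-f]+))?"
    ),
    "no_sdp_path": re.compile(r"cbsvapcfgd\[\d+\]: \[W\] No SDP path to (?P<npm>\S+)"),
}


def parse_line(line):
    """Return a dict describing the line if it matches one of the symptoms, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for event, pat in PATTERNS.items():
        hit = pat.search(m.group("rest"))
        if hit:
            rec = {"ts": m.group("ts"), "host": m.group("host"), "event": event}
            rec.update(hit.groupdict())
            return rec
    return None


def slots_from_mask(mask_hex):
    """Decode the 'TO slots =XXXX' value into slot numbers.

    Assumption (not stated in the article): bit n of the mask refers to slot n+1,
    so 0080 (bit 7) decodes to slot 8.
    """
    value = int(mask_hex, 16)
    return [bit + 1 for bit in range(value.bit_length()) if (value >> bit) & 1]


def summarize(log_text):
    """Count each symptom and collect the slots implicated by the heartbeat messages."""
    events = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    counts = {}
    affected = set()
    for r in events:
        counts[r["event"]] = counts.get(r["event"], 0) + 1
        if r["event"] == "missing_heartbeats":
            affected.update(slots_from_mask(r["mask"]))
        elif r["event"] == "link_bounce":
            affected.add(int(r["slot"].split("-")[1]))
    return {"events": events, "counts": counts, "affected_slots": sorted(affected)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ev in report["events"]:
        print(ev["ts"], ev["host"], ev["event"])
    print("counts:", report["counts"])
    print("affected slots:", report["affected_slots"])
```

Run against a real syslog export, a non-empty `affected_slots` list tells you which APM slot the NPM lost heartbeats to, which is the slot to check for the high CPU alarm and, under the Workaround below, to fail over and reload.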

Cause

  • Under heavy load, an APM sends flow control throttling messages to the NPM. This can cause traffic interruptions or latency issues in IDS/IPS configurations.
  • A highly utilized IDS can cause backpressure control messages to be generated from the APM towards the NPM, thereby affecting inline traffic on a shared circuit.

Resolution

Prior to XOS 9.7, contact technical support to obtain a pmmon script for the APM(s).

From XOS 9.7 onwards, configure "passive" mode in the vap-group context.

Workaround

Schedule a failover and reload the affected APM(s).