"IDPS Engine Dropped Traffic Network Oversubscribed" alarm is raised even when the Oversubscription set to Bypass
search cancel

"IDPS Engine Dropped Traffic Network Oversubscribed" alarm is raised even when the Oversubscription set to Bypass

book

Article ID: 399148

calendar_today

Updated On:

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

-  "IDPS Engine Dropped Traffic Network Oversubscribed" alarm is raised even when the Oversubscription is set to Bypass
-   Engine Dropped Traffic and Bypassed Traffic Network Oversubscribed alarms may be generated at the same time

Environment

VMware vDefend Firewall with IDPS (Intrusion Detection and Prevention Service) configuration

Cause

When both IDPS and Layer-7 (L7) rules are configured, the dvFilter (network) channel is the common datapath for both services. When that channel becomes oversubscribed, the "IDPS Engine Dropped Traffic Network Oversubscribed" alarm may be raised even when the affected traffic is VDPI/L7 traffic rather than traffic dropped by the IDPS engine itself.

Run the following command to determine whether the alarm is a false alarm. Note that these are cumulative counters, so capture the output at least twice and compare the increments between captures when dvf_ids_in and dvf_ids_out do not match.

[root@ESXi:] /bin/vsipioctl getdpiinfo -s
<SNIP>
=== dvfilteruser stats ===
dvf_bitmap_set: 0
dvf_libdvfuser_in: 13373722020
dvf_libdvfuser_out: 13373733078
dvf_vdpi_in: 101474492
dvf_vdpi_out: 76351552
dvf_ids_in: 13344740516        <<< IDS IN and IDS OUT counters are the same. This indicates IDPS did NOT drop the packet
dvf_ids_out: 13344740516       <<<
<SNIP>
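To make the comparison above repeatable, here is an added example (not part of the KB article) that parses two captures of the "dvfilteruser stats" section, computes the per-counter growth between them, and reports whether dvf_ids_in grew more than dvf_ids_out in the interval. The two snapshots are constructed sample data; only the counter names come from the article.

```python
import re

# Constructed sample output (not from the KB): the dvfilteruser stats
# section captured twice, some time apart. All values are illustrative.
SNAPSHOT_1 = """\
=== dvfilteruser stats ===
dvf_bitmap_set: 0
dvf_vdpi_in: 101474492
dvf_vdpi_out: 76351552
dvf_ids_in: 13344740516
dvf_ids_out: 13344740516
"""
SNAPSHOT_2 = """\
=== dvfilteruser stats ===
dvf_bitmap_set: 0
dvf_vdpi_in: 101500000
dvf_vdpi_out: 76360000
dvf_ids_in: 13344900000
dvf_ids_out: 13344900000
"""

# One "name: value" counter per line; trailing "<<<" annotations are ignored.
COUNTER_RE = re.compile(r"^\s*(dvf_\w+):\s*(\d+)", re.MULTILINE)


def parse_counters(text):
    """Return {counter_name: value} for every dvf_* line in the output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_deltas(before_text, after_text):
    """Per-counter growth between two captures of the cumulative stats."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    return {k: after[k] - before[k] for k in before if k in after}


def idps_drop_count(before_text, after_text):
    """Packets that entered the IDS engine but did not leave it during the
    interval. 0 means dvf_ids_in and dvf_ids_out grew by the same amount,
    i.e. IDPS itself dropped nothing and the alarm is the false one the KB
    describes (oversubscription on the shared dvFilter channel)."""
    d = counter_deltas(before_text, after_text)
    return d["dvf_ids_in"] - d["dvf_ids_out"]


def is_false_alarm(before_text, after_text):
    """True when the IDPS engine dropped no packets between the captures."""
    return idps_drop_count(before_text, after_text) == 0


if __name__ == "__main__":
    print("IDPS drops in interval:", idps_drop_count(SNAPSHOT_1, SNAPSHOT_2))
    print("false alarm:", is_false_alarm(SNAPSHOT_1, SNAPSHOT_2))
```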

Resolution

When the dvf_ids_in and dvf_ids_out counters match, this alarm can be safely ignored.

This issue is fixed in NSX 4.2.2.