...
- Health alert for Frequent Drain of Connection Events is consistent and never goes away.
ASA 5512 or 5515 running Firepower Services with connection event RAMDISK storage enabled.
This issue usually happens for the following reasons:
- High volume of connection events
- Insufficient bandwidth between the FMC and FTD devices for exchanging event data
- Temporary loss of communication between the FMC and FTD

If there is a continuous, unexpectedly high volume of connections (e.g. a DoS attack), eliminate or block the source of the high-volume connections to reduce connection logging. If the bandwidth between the FMC and FTD devices is insufficient (for example, FTD devices connected over a WAN), increase the bandwidth so that event data can be exchanged smoothly between the FMC and FTD devices.

To reduce connection logging and snort load, check the following:
- Make sure that Access Control Rules with "Allow" or "Trust" as the action have logging enabled only for the beginning OR the end of the connection, not for the beginning AND the end.
- Logging both produces unnecessary duplicate events and adds overhead, because snort has to write and offload more event data.
- Note that logging at the end of the connection contains more data than logging at the beginning. Logging the beginning of an allowed or trusted connection is typically used only for troubleshooting.

If a high volume of connection events is expected, check the flows per second (fps) rating of the FMC model on the FMC datasheet. If performance is insufficient, logging may need to be tuned to reduce the connection processing load on the FMC and FTD for your system.

If using an ASA 5512 or 5515, which are low-memory models, switching the event storage from RAM (default) to SSD would fix the issue. However, using RAM (default) is recommended because it reduces wear and tear on the SSD. If reducing connection events is difficult on these low-memory models, the following command switches event storage from RAM to SSD and is available from the restricted shell:
> configure log-events-to-ramdisk disable
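The logging tuning above is a rule-by-rule check on the access control policy. The script below is an added example, not Cisco's code or part of this bug record: it audits a set of access control rules for Allow/Trust rules that log both the beginning and the end of a connection, and proposes the corrected setting (keep end-of-connection logging, drop beginning-of-connection logging, following the note that end logging carries more data). It assumes the rule objects carry the fields `name`, `action`, `logBegin` and `logEnd` as in the access-rule JSON of the FMC REST API; the sample policy is constructed for the example.

```python
"""Audit access control rules for begin-AND-end connection logging.

Added example (not Cisco's code). Assumes rules are dicts with the keys
"name", "action", "logBegin" and "logEnd", as in FMC REST API access-rule
objects. The sample policy below is constructed, not exported from a device.
"""
import json

# Constructed sample policy: a mix of correctly and doubly logged rules.
SAMPLE_RULES_JSON = """
{"items": [
  {"name": "Allow-Web",    "action": "ALLOW", "logBegin": true,  "logEnd": true},
  {"name": "Trust-Backup", "action": "TRUST", "logBegin": true,  "logEnd": true},
  {"name": "Allow-DNS",    "action": "ALLOW", "logBegin": false, "logEnd": true},
  {"name": "Block-Telnet", "action": "BLOCK", "logBegin": true,  "logEnd": false},
  {"name": "Trust-Mgmt",   "action": "TRUST", "logBegin": true,  "logEnd": false}
]}
"""

# Rule actions the workaround says should log begin OR end, never both.
PASS_ACTIONS = {"ALLOW", "TRUST"}


def find_double_logging(rules):
    """Return the names of Allow/Trust rules that log both begin and end."""
    flagged = []
    for rule in rules:
        if (rule.get("action") in PASS_ACTIONS
                and rule.get("logBegin") and rule.get("logEnd")):
            flagged.append(rule["name"])
    return flagged


def suggest_fix(rule):
    """Return a copy of the rule with only end-of-connection logging enabled.

    End-of-connection events carry more data than beginning events, and
    beginning logging is mainly a troubleshooting aid, so logEnd is kept.
    """
    fixed = dict(rule)
    fixed["logBegin"] = False
    fixed["logEnd"] = True
    return fixed


def audit(json_text):
    """Parse a policy export and return (flagged_names, corrected_rules)."""
    rules = json.loads(json_text)["items"]
    flagged = set(find_double_logging(rules))
    corrected = [suggest_fix(r) for r in rules if r["name"] in flagged]
    return sorted(flagged), corrected


if __name__ == "__main__":
    names, corrected = audit(SAMPLE_RULES_JSON)
    print("Rules logging both begin and end of connection:", names)
    for r in corrected:
        print("  suggested:", json.dumps(r))
```

Each flagged rule emits two connection events per flow instead of one, so fixing them roughly halves the event volume those rules generate, which is the lever the workaround describes for relieving the FMC/FTD event drain.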
None.
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html