Symptom
After executing the "config log-events-to-ramdisk disable" command, snort goes into D state (Uninterruptible Sleep).
This may cause traffic interruption.
Log messages such as the below are seen in /ngfw/var/log/sf/policy_deployment.log:
Aug 19 19:10:11 TP-Branch-IPS-NEW policy_apply.pl[62580]: INFO Skipping Reassess memory for Snort Configuration as this is being executed during either upgrade or reboot... (Framework::SnortMemory 205<242<334<164 <- Snort::SnortMemory::Device 24 <- Plugin 235)
Aug 19 19:10:11 TP-Branch-IPS-NEW policy_apply.pl[62580]: INFO Purging snort validate marker file... (Framework::SnortMemory 206<242<334<164 <- Snort::SnortMemory::Device 24 <- Plugin 235)
Aug 19 19:10:11 TP-Branch-IPS-NEW policy_apply.pl[62580]: INFO Memory Calculated by test mode is: 313372672 (Framework::SnortMemory 256<334<164 <- Snort::SnortMemory::Device 24 <- Plugin 235)
Conditions
1. User executes command "configure logging-events-ramdisk disable"
2. Deployment config from fmc to ftd
Workaround
Re-deployment of access control policy with dummy changes
Further Problem Description
With the first deployment, the reassess of the snort memory stage is skipped which causes snort to go in D state.
To workaround the problem it is necessary to do another deployment with any dummy changes.
