Symptom
The Snort instance drop counters increase when the snort fail-open busy/down feature is enabled.
Increasing snort instance busy/down ASP drop counters are expected, because this is how the snort fail-open feature has been designed; the increase does not mean that traffic is being dropped.
If snort goes busy/down, the connections will be bypassed and continue to bypass until terminated. If this feature is not enabled, the connections will be dropped.
On the other hand, new sessions during this time are expected to increase the snort down counter. Even after snort recovers, packets belonging to these sessions will cause the snort down counter to increase; this is expected.
Conditions
- Snort fail-open busy/down feature enabled.
- Inline-pair