376 Views · 0 Helpful · 3 Replies

SNORT3 Breaks Large File Downloads

ida71
Level 1

A web-based product allows users to create a large ZIP file & when it's ready it mails them a link to retrieve it. Works great under Snort2. But I recently upgraded a set of FTDs to v7.2.5 + HotFix & Snort3, as per Cisco's current GoldStar version & recommendation that Snort2 will be retired soon. Everything worked great in our post-upgrade testing. But a couple of days later a customer complained that their large downloads kept failing. We were able to replicate this consistently, but it did not appear to be a fixed file size problem, as some 400Mb files would fail & some 1Gb+ files would get near completion before failing. Nothing appeared blocked in event logs & no Snort warnings. After various attempts to diagnose this, I reverted Snort to v2 & everything worked as expected.

Any ideas? Unfortunately that was the only location with Snort3, so I'm currently unable to replicate the error. We did try some straightforward up/downloads direct to a server & they worked fine. So I suspect it's something the web-based application is doing that makes Snort cut it off, but I'm not seeing any log events for it.

Thanks for any input on this.

 

3 Replies

Did you look in the connection event logs?  I have seen in many instances where traffic being marked as elephant flow is dropped.  However, you will not see it marked as an Elephant flow unless you have enabled Elephant flow detection.  You can edit the ACP and go to the Advanced tab and enable Elephant flow detection, and if you have any FTD other than FTD2100 (Elephant flow remediation is not supported on FTD2100) you can also enable remediation where the traffic that is detected as Elephant flow will bypass SNORT if certain criteria are met. 

--
Please remember to select a correct answer and rate helpful posts
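The reply above points at the connection event logs as the first place to look. The script below is an added example for this thread, not Cisco code: it triages FTD connection-event syslog lines and lists the flows that moved the most bytes, so a failing large download can be matched to its connection record (byte counts, duration, rule action) rather than searched for by eye. It assumes the key/value layout of the FTD %FTD-6-430003 connection-event message and the field names ConnectionID, ConnectionDuration, InitiatorBytes, ResponderBytes, AccessControlRuleAction, DstIP and DstPort; the sample lines are constructed, and the 100 MiB threshold is an arbitrary triage value, not an FTD default.

```python
"""Triage FTD connection-event syslog lines for large (elephant-style) flows.

Added example for this thread, not Cisco code. Assumes the key: value layout of
the FTD %FTD-6-430003 connection-event message; the sample lines are constructed.
"""
import re

# Constructed sample events in the assumed 430003 layout (not captured from a device).
SAMPLE_LINES = [
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, "
    "ConnectionID: 1001, AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, DstIP: 192.0.2.10, "
    "SrcPort: 51234, DstPort: 443, Protocol: tcp, ConnectionDuration: 45, "
    "InitiatorPackets: 1200, ResponderPackets: 2400, InitiatorBytes: 80000, ResponderBytes: 420000000",
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, "
    "ConnectionID: 1002, AccessControlRuleAction: Allow, SrcIP: 10.0.0.6, DstIP: 192.0.2.10, "
    "SrcPort: 51240, DstPort: 443, Protocol: tcp, ConnectionDuration: 2, "
    "InitiatorPackets: 12, ResponderPackets: 14, InitiatorBytes: 1500, ResponderBytes: 9000",
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, "
    "ConnectionID: 1003, AccessControlRuleAction: Allow, SrcIP: 10.0.0.7, DstIP: 192.0.2.10, "
    "SrcPort: 51250, DstPort: 443, Protocol: tcp, ConnectionDuration: 300, "
    "InitiatorPackets: 3000, ResponderPackets: 900000, InitiatorBytes: 200000, ResponderBytes: 1300000000",
]

_MSG_ID = re.compile(r"%FTD-\d-(\d+)")


def parse_connection_event(line: str) -> dict:
    """Split a 430003-style line into a dict of field name -> string value.

    The message id ("%FTD-6-430003") precedes the first ": "; the rest is a
    comma-separated list of "Key: value" pairs. Values containing ", " (e.g. URLs)
    would be truncated by this simple split; good enough for byte/duration triage.
    """
    msg_id, _, body = line.partition(": ")
    fields = {"MessageID": msg_id.strip()}
    for chunk in body.split(", "):
        key, sep, value = chunk.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def flow_summary(fields: dict) -> dict:
    """Reduce a parsed event to the numbers relevant to a large-download complaint."""
    init_bytes = int(fields.get("InitiatorBytes", 0))
    resp_bytes = int(fields.get("ResponderBytes", 0))
    duration = int(fields.get("ConnectionDuration", 0))
    total = init_bytes + resp_bytes
    return {
        "conn_id": fields.get("ConnectionID"),
        "dst": f"{fields.get('DstIP')}:{fields.get('DstPort')}",
        "action": fields.get("AccessControlRuleAction"),
        "duration_s": duration,
        "total_bytes": total,
        # average rate helps distinguish a flow that dribbled from one cut off mid-burst
        "avg_mbit_s": round(8 * total / max(duration, 1) / 1e6, 1),
    }


def find_large_flows(lines, min_bytes=100 * 1024 * 1024):
    """Return summaries of connection events that moved >= min_bytes, largest first.

    100 MiB is an arbitrary triage threshold chosen for this example, not an FTD
    default; only 430003 connection events carry the byte counters we rely on.
    """
    out = []
    for line in lines:
        m = _MSG_ID.search(line)
        if not m or m.group(1) != "430003":
            continue
        summary = flow_summary(parse_connection_event(line))
        if summary["total_bytes"] >= min_bytes:
            out.append(summary)
    return sorted(out, key=lambda s: s["total_bytes"], reverse=True)


if __name__ == "__main__":
    for flow in find_large_flows(SAMPLE_LINES):
        print(f"conn {flow['conn_id']} -> {flow['dst']} {flow['action']}: "
              f"{flow['total_bytes']} bytes over {flow['duration_s']} s "
              f"(~{flow['avg_mbit_s']} Mbit/s)")
```

Feed it the syslog lines the FTD sends for the test download (a failed 1Gb+ transfer should still show up as a single high-byte flow), and compare the recorded duration and byte count against what the client saw; a flow that ends well short of the file size with an Allow action and no matching intrusion or elephant-flow event is the pattern the thread is describing. As noted later in the thread, elephant flow detection is documented as not applying to encrypted traffic, so for an HTTPS download the byte counters here may be the only trace in the connection log.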

ida71
Level 1

Thanks Marius, I'll have a look at those suggestions. Connection events did not show anything dropped & nothing in syslog either. I'll arrange some testing OoO to see if I can see the issue.

 

ida71
Level 1

So a quick review of the ACP shows Elephant Flow detection is enabled, but no log events matching that criteria. That said, the page says it does NOT apply to encrypted traffic. See your https://"Your FMC"/help_files/index.html#!t_configuring-elephant-flow.html

 
