Technical Documentation
Tuning the Auto-Recovery Policy Reload Setting
Problem
The auto-recovery feature detects failure of an IDP engine and buffers packets while it attempts to restart the IDP engine. The auto-recovery process reloads the device configuration, including the security policy. The larger the security policy, the longer it takes to complete the auto-recovery process. By default, packet processing resumes only after the security policy has been reloaded. If your deployment requires faster resumption of traffic flow, you can change this setting so that the IDP engine begins processing traffic before the security policy has been loaded. However, the packets that are processed before the security policy has been loaded are uninspected.
Solution
To set packet processing to resume before the security policy has been loaded:
- Log into the CLI as admin and enter su - to switch to root.
- Open the
/usr/idp/device/bin/user_funcsfile in a text editor, such as vi. - Locate the following line:
export pktprocess_afterpolicyload=1
- Change the value to 0 so that packet processing resumes before the security policy has been loaded.
- Save the file and exit the editor.
- Restart the IDP engine:
[root@defaulthost admin]# idp.sh restartRestarting the IDP engine can take several moments.
