    Tuning the Auto-Recovery Feature

    Problem

    The auto-recovery feature detects failure of an IDP engine and buffers packets while it attempts to restart the IDP engine. The auto-recovery process reloads the device configuration, including the security policy. The larger the security policy, the longer it takes to complete the auto-recovery process. By default, packet processing resumes only after the security policy has been reloaded. If your deployment requires faster resumption of traffic flow, you can change this setting so that the IDP engine begins processing traffic before the security policy has been loaded. However, the packets that are processed before the security policy has been loaded are uninspected.

    Solution

    To set packet processing to resume before the security policy has been loaded:

    1. Log in to the CLI as admin and enter su - to switch to root.
    2. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
    3. Locate the following line:
      export pktprocess_afterpolicyload=1
    4. Change the value to 0 so that packet processing resumes before the security policy has been loaded.
    5. Save the file and exit the editor.
    6. Restart the IDP engine:

      [root@defaulthost admin]# idp.sh restart

      Restarting the IDP engine can take several moments.
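
    Steps 2 through 5 can be scripted so that the edit is backed up and verified before the restart. The following is an added example, not Juniper's code: the function names are hypothetical, and it assumes the setting appears as an uncommented "export pktprocess_afterpolicyload=<digits>" line, with the last such line taking effect.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.
# Default path is the file named in step 2; override USER_FUNCS to work on a copy.
USER_FUNCS=${USER_FUNCS:-/usr/idp/device/bin/user_funcs}

# Print the effective value of pktprocess_afterpolicyload in file $1.
# Assumption: commented lines are ignored and the last export wins.
get_afterpolicyload() {
    val=$(sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}pktprocess_afterpolicyload=\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Describe the recovery behavior that a value implies.
describe_posture() {
    case "$1" in
        1) echo "inspect-first: traffic resumes after the security policy is loaded" ;;
        0) echo "forward-first: packets are uninspected until the security policy is loaded" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Set the value ($2, 0 or 1) in file $1, keeping the previous file as $1.bak.
set_afterpolicyload() {
    file=$1 new=$2
    case "$new" in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 2 ;; esac
    get_afterpolicyload "$file" >/dev/null || { echo "setting not found in $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    sed "s/^\([[:space:]]*export[[:space:]]\{1,\}pktprocess_afterpolicyload=\)[0-9]\{1,\}/\1$new/" "$file.bak" > "$file" || return 1
    [ "$(get_afterpolicyload "$file")" = "$new" ]   # verify the edit took effect
}

# "report" prints the current posture without changing anything.
if [ "${1:-}" = "report" ]; then
    v=$(get_afterpolicyload "$USER_FUNCS") && describe_posture "$v"
fi
```

    The script changes only the file; the new value applies after the IDP engine restart in step 6.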


    Published: 2011-02-08