Firewall dropping over 1 million events per day

Tatah
Here to help

Firewall dropping over 1 million events per day

Hello Guys. I have the MX100 security appliance and it is dropping about 1 million events per day. The events dropped are not logged. When i hover my mouse over the details it says 'an event dropped" entry means that there was a burst of events in a short period of time and some events are not recorded because of the memory and bandwidth constraints on the security appliance. My questions are.

-What is a long term solution to this event drop issue?

-If i upgrade to MX250 or MX450, will this solve the issue?

 

Thank you

 

6 Replies 6
jdsilva
Kind of a big deal

The event log in the dashboard is prone to this problem regardless of the model or device type. You're bets option IMO is to set up your own Syslog server on site and have the MX send logs to that device. 

Tatah
Here to help

Thank you. This is very helpful

BrandonS
Kind of a big deal

1 million events per day seems excessive..  Have you contacted support to see what they think?

 

What are your average number of clients over 30 days?  It seem like a configuration problem or maybe a DOS attack of some sort.  

 

Are there noticeable performance issues around this?

 

 

- Ex community all-star (⌐⊙_⊙)
BrandonS
Kind of a big deal

Agree with jdsilva about syslog.  This should let you see what is going on at make some better decisions.  In case you are not familiar with syslog I can suggest papertrailapp.com for a cloud based syslog server that is easy to setup.

 

 

- Ex community all-star (⌐⊙_⊙)
Tatah
Here to help

Many thanks. papertrailapp.com  is very helpful

DillonofAnch17
Getting noticed

@Tatah My immediate suggestion would be papertrail cloud. However, you should do some research as to your initial setup. For instance, I send each of my networks to a different syslog server inside of papertrail. In my experience this has worked way more efficiently as it separates all the data for each instead of having to search one server for all networks. 

 

If you have any questions on setting up syslog this will be your go-to step by step guide from Papertrail. Screenshot 2019-08-21 12.09.05.jpg

 

- When it comes to upgrading just for the dropped events. My opinion is to hold off until you do your Root Cause analysis. There may be a symptom inside of the MX causing all the events to crash or it could be firmware related. Recently one of my MX's had a simmilar issue of events dropped (in the thousands not millions). The root cause for me ended up being the cell card looking for a connection. Once I removed that it was good to go no more errors. 

 

Good luck and hopefully this helps

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels