I have some doubts about this intrusion detection error, because the logs always stay the same. My concern is related to the message "Unable start sniffer"; however, at the same time you can verify that the rules started.
So, why am I receiving an "unable start sniffer" error for specific rules while the same rules keep starting from updates?
I've never noticed that before but hopefully it is a normal part of the IDS process after it gets its rule updates or something. Here are some snippets from my logs as well. I'm at firmware 13.28 and Prevention/Balanced mode.
I am using the same version, 13.28, with Prevention/Security selected.
For me it's a weird message, because maybe the rules are not in place.
Seeing the same issue here... Version 13.33 - It's almost like a "hiccup" every time it needs to start...

| Time | Event | Details |
|---|---|---|
| Aug 19 17:50:59 | Intrusion detection started | snort_rules_version: 18.104.22.168, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e |
| Aug 19 17:50:59 | Intrusion detection error | what: unable to start sniffer, snort_rules_version: 22.214.171.124, source: ids-vrt-balanced more » |
| Aug 19 17:50:59 | Intrusion detection rules update | snort_rules_version: 126.96.36.199, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e |
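The question running through this thread is whether an "unable to start sniffer" error actually leaves the IDS down, or whether it is immediately followed by a successful start with the same rule set. The following is an added example (not from the original posts or from Meraki) that parses event-log rows in the pasted `|time||event||details|` layout and flags only those errors that have no "Intrusion detection started" event for the same source at the same timestamp. The sample rows are constructed, and the version strings are placeholders.

```python
import re

# Constructed sample in the layout of the event-log rows pasted above.
# The fourth row is a deliberately unpaired error to show what gets flagged.
SAMPLE_LOG = """\
|Aug 19 17:50:59||Intrusion detection started||snort_rules_version: VERSION-PLACEHOLDER, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e|
|Aug 19 17:50:59||Intrusion detection error||what: unable to start sniffer, snort_rules_version: VERSION-PLACEHOLDER, source: ids-vrt-balanced more »|
|Aug 19 17:50:59||Intrusion detection rules update||snort_rules_version: VERSION-PLACEHOLDER, source: ids-vrt-balanced, rules: 828397756caef914fe42dc8bbb53da58b6815a2e|
|Aug 19 18:51:02||Intrusion detection error||what: unable to start sniffer, snort_rules_version: VERSION-PLACEHOLDER, source: ids-vrt-balanced more »|
"""

STARTED = "Intrusion detection started"
ERROR = "Intrusion detection error"


def parse_event(line):
    """Turn one '|ts||event||details|' row into a dict; None for rows that do not match."""
    parts = line.strip().strip("|").split("||")
    if len(parts) != 3:
        return None
    ts, event, details = parts
    # The dashboard appends "more »" when it truncates a long details cell; drop it.
    details = re.sub(r"\s+more\s*»?\s*$", "", details)
    fields = {}
    for item in details.split(", "):
        key, _, value = item.partition(": ")
        fields[key.strip()] = value.strip()
    return {"ts": ts, "event": event, **fields}


def unconfirmed_errors(log_text):
    """Timestamps of sniffer-start errors with no successful start for the same
    source at the same timestamp, i.e. the cases worth raising with support."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    started = {(e["ts"], e.get("source")) for e in events if e["event"] == STARTED}
    return [
        e["ts"]
        for e in events
        if e["event"] == ERROR
        and e.get("what") == "unable to start sniffer"
        and (e["ts"], e.get("source")) not in started
    ]


if __name__ == "__main__":
    for ts in unconfirmed_errors(SAMPLE_LOG):
        print("sniffer error with no matching start:", ts)
```

Paste your own exported rows into `SAMPLE_LOG` (or read them from a file) to see which errors were never followed by a start.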
Same issue here. I'm seeing it about every hour or so. I'm not sure we are protected and so I opened a support case. I'd urge y'all to do the same.
OK I just got this back from Meraki support:
"Thank you for contacting Cisco Meraki Support!
The issue you're facing is known, and we have released a resolution for it in our newest beta firmware, 14.31. We suggest upgrading your MX to 14.31.
If you want to upgrade the firmware, make sure to do it in a maintenance window (the MX will reboot); if you want to roll back to the previous version, you always have the option to downgrade.
Please let me know if there is anything else I can assist you with."
Hello Kenny - Did you actually go to this beta code, and if so, did it resolve the issue?
We have 20+ sites with MX64's with the same issue.
@Charlie In my case I keep "AMP" enabled and see the same error in the event log.
I saw those guys mention version 14.31; however, this version is not available in my case, and I have only 13.36 (stable release) and 14.36 (latest beta).
However, I can see the release information for version 14.31, but there is no information about a fix for this issue. Weird!!!
I will upgrade only one box and check the environment.
I was about to open a case when I ran across this thread. I always attributed this to the fact that I disabled Advanced Malware Protection. We had many secure URLs that would be very slow to respond, or sometimes not at all. We turned that off and it resolved that issue. Beyond that, I am curious to know if you guys have disabled AMP and if this is part and parcel of that error.
"Intrusion detection error what: unable to start sniffer"
I have the same messages, but my MX version is 15.11 and I have Malware Protection enabled.
Well, who could know the reason for those messages?
I no longer have this log in my system and keep using "AMP".
I am running 14.38 and it stays stable without the message reappearing.
I can't believe that three years later this is STILL a problem. I am losing faith in Cisco products related to security. I have the same problem with false positives on other Cisco products with AMP, and their support is horrid for these features.