Steps for reviewing data on the queue if you are using IDS

If you are using IDS, review the data on the queue.

Before you begin

You need to have issued the D TCPIP,,STOR and D Net,CSM,Ownerid=All commands to track storage use.

Procedure

  1. If TCP QUEUE Size attack detection is enabled with console logging, look for console message groups that begin with message EZZ8761I and that indicate a TCP QUEUE Constrained event.
    • If these message groups have not been issued, then data accumulated on TCP queues is not contributing to the storage problem and you can proceed to Step 3 in Steps for reviewing a storage problem.

    • If these message groups have been issued, then go to Step 2.

  2. Depending on your configuration, take the following actions to determine whether data is accumulated on the queue:
    If: TRMD or syslog are not active, or TCP QUEUE Size attack detection is not configured to log to syslogd
    Then: Issue the Netstat ALL/-A command to determine whether a lot of application data has accumulated on the queues for TCP connections.
    And take the following actions:
    • If no data, or an insignificant amount of data, has accumulated on the queue, go to Step 3 in Steps for reviewing a storage problem.
    • If data has accumulated on the queue, then resolve the problem that is causing the data to not be processed, or reset those connections to release the storage.

    If: TRMD and syslog are active, and TCP QUEUE Size attack detection is configured to log to syslogd
    Then: Look in the syslogd output for messages EZZ8662I, EZZ8664I, or EZZ8666I. These messages indicate that excessive or old data is accumulating on the receive, send, or out-of-order queue for a TCP connection.
    And take the following actions:
    • If these messages do not appear in syslogd, go to Step 3 in Steps for reviewing a storage problem.
    • If one or more of these messages do appear in syslogd, determine whether there is a corresponding message (EZZ8663I, EZZ8665I, or EZZ8667I) that indicates that the accumulated data has been processed. If no corresponding message appears, resolve the problem that is causing the data to not be processed, or reset those connections to release the storage.
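
The syslogd check in Step 2 can be scripted. The following is an added example, not IBM-supplied code: it pairs each queue constrained entry message (EZZ8662I, EZZ8664I, EZZ8666I) with its exit message (EZZ8663I, EZZ8665I, EZZ8667I) and reports the connections that still have an entry with no later exit. It assumes each message carries a connid=<hex> field; the sample log lines are constructed for illustration.

```python
import re

# TRMD syslogd message pairs: constrained entry -> (queue, matching exit).
ENTRY = {
    "EZZ8662I": ("receive", "EZZ8663I"),
    "EZZ8664I": ("send", "EZZ8665I"),
    "EZZ8666I": ("out-of-order", "EZZ8667I"),
}
EXIT = {exit_id: queue for queue, exit_id in ENTRY.values()}

MSG_RE = re.compile(r"\b(EZZ866[2-7]I)\b")
# Assumption: every message identifies its connection with connid=<hex>.
CONN_RE = re.compile(r"\bconnid=([0-9A-Fa-f]+)")


def unresolved_queue_events(lines):
    """Return {(connid, queue): entry_line} for entries with no later exit."""
    open_events = {}
    for line in lines:
        msg = MSG_RE.search(line)
        conn = CONN_RE.search(line)
        if not msg or not conn:
            continue  # unrelated line, or no connection id to correlate on
        msg_id, connid = msg.group(1), conn.group(1).upper()
        if msg_id in ENTRY:
            # A repeated entry for the same queue keeps the most recent line.
            open_events[(connid, ENTRY[msg_id][0])] = line.strip()
        else:
            # Exit message: the accumulated data has been processed.
            open_events.pop((connid, EXIT[msg_id]), None)
    return open_events


# Constructed sample lines; real TRMD records carry more fields.
SAMPLE = """\
Nov  2 15:21:02 MVS1 TRMD[33]: EZZ8662I TRMD TCP receive queue constrained entry logged: connid=00000048
Nov  2 15:21:40 MVS1 TRMD[33]: EZZ8664I TRMD TCP send queue constrained entry logged: connid=0000004A
Nov  2 15:23:10 MVS1 TRMD[33]: EZZ8663I TRMD TCP receive queue constrained exit logged: connid=00000048
Nov  2 15:24:55 MVS1 TRMD[33]: EZZ8666I TRMD TCP out-of-order queue constrained entry logged: connid=00000051
Nov  2 15:25:30 MVS1 sshd[71]: unrelated message
Nov  2 15:26:00 MVS1 TRMD[33]: EZZ8662I TRMD TCP receive queue constrained entry logged: connid=00000048
""".splitlines()

if __name__ == "__main__":
    for (connid, queue), line in unresolved_queue_events(SAMPLE).items():
        print(f"connid={connid} {queue} queue still constrained: {line}")
```

Connections reported by the script are the candidates for resolving the stalled application or resetting the connection to release the storage.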

Results

You can now perform the steps for the decision you have made.