Lots of false alarms for "Server Reachability has switched to false..."
We ran into this issue testing on 2 servers but we're now being flooded by alerts for Windows, Linux, and Solaris systems that say
Server Reachability has switched to false on ServerName
I have confirmed that every one of the servers is up and reachable (ping, traceroute from both proxy servers)
One of those unreachable servers is the mail relay that the alert was relayed through!
I need to know when servers drop off-line but if I can't rely on the test what good is it?
Any suggestions?
Try to update a credential on asset.
Similar Messages
-
Server Reachability has switched to false
I have a Windows server that generates an event titled "Server Reachability has switched to false" (Error ID 848) at random times at least once per day. It's followed approximately 5 minutes later by an informational message "Powered On has switched to false". The server in question is up and functioning.
I've searched the documentation looking for information on this alert and have yet to find any.
Have one of you run across this issue? What did you do to fix it?
Thanks for your help!
Vince Van De Coevering
Try to update a credential on asset.
-
Persistent, chronic, false alarms for the past eight months
We now have two installations that utilize a unified wireless (WLC or WiSM - AIR-LAP1131AG, AIR-LAP1231G, AIR-LAP1242AG access points) that have been exhibiting the following IDS false alarms:
Disassoc Flood
AP Impersonation
We have TAC cases going back to October 2006 to address them and have upgraded to the latest/greatest version 4.0.206.0 in hopes of getting this solved.
Version 4.0.206.0 was supposed to have fixed these problems, and it did reduce some of the other false alarms (not listed). However, the two mentioned above persist.
Is anyone else out there experiencing this?
- John
Thank you for confirming this behavior.
In answer to your question, upgrading to 4.0.206.0 did get rid of the "Generic Netstumbler" IDS alarm that turned out to be another false positive.
As it turns out, there have been comments from Cisco that now indicate that .206 has stability issues (nice to know that now). However, we have not experienced any of these issues at the two installations where this version is operating.
I also wanted to point out that we went ahead and opened TAC cases for each error at each customer site.
Currently, most of them have reached a status of "Release Pending". (Now as to *WHICH* release....)
If you have not opened a TAC case for these issues, taking the time to do so will help Cisco be aware of the extent to which this problem exists in the field and, hopefully, will help them prioritize the fix to this problem.
John -
False alarming for Archive mode status
Hi Friends,
In one of our development systems (DB node) we are getting alerts saying 'the Archive mode is in OFF state', but when I checked at the DB level I am able to see the state as ON. I don't know what the problem is. Can anyone help me to resolve this issue?
Regards,
Palaniappan
Hi Palaniappan,
Please check the output of below command
SQL> SELECT LOG_MODE FROM V$DATABASE;
=> Output should be "NOARCHIVELOG"
SQL> ARCHIVE LOG LIST
=> output should have "DISABLED" under Automatic archival.
Regards,
Deepak Kori -
WCS IDS False Alarms - NetStumbler Generic Attack
We have a particular installation where we are seeing four (4) types of IDS errors constantly reappearing:
"IDS Signature attack detected. Signature Type: Standard"
"Disassoc flood, Description: Disassociation flood"
"AP impersonation"
"NetStumbler Generic Attack"
In the first three alarms, Cisco has acknowledged that there are known issues with false IDS alarms that are supposed to be fixed in an upcoming "BE-MR2" in mid-December, and a new IDS signature in January.
Is anyone else experiencing the NetStumbler Generic IDS alarm? We see them on a regular basis.
If so, please reply - as I would like to forward this on to TAC to make sure they get this fixed in the next release.
We are using WLC-4.x and WCS 4.x with LAP-1131AG access points.
- John
The Disassociation attack is a known bug acknowledged by Cisco TAC. (That is not a guarantee that it is a false alarm - that is what has been especially frustrating in troubleshooting these).
Specifically, though, I am trying to confirm that others are experiencing the NetStumbler attack as we suspect this is another false alarm since it came from the MAC address of a trusted laptop that was confirmed to not be running NetStumbler - and, yes, I realize that the MAC address can be spoofed, but with the high number of false positives on the other types of alarms mentioned earlier, it would seem more likely that the WLC's IDS subsystem needs tweaking.
I would really like to get this fixed within the next release, and am hoping that additional confirmation may help get Cisco to resolve it more quickly.
- John -
RTMT sending false Alarms?
Hello,
We are randomly receiving the following alerts on RTMT
MGCP DChannel is out-of-service
Number of registered gateways decreased in consecutive polls.
Number of registered gateways increased between consecutive polls.
We have,
CUCM: 9.1.2.11008-1
Voice Router: 15.1(2) T1
I log into the router and the controllers/ports show no errors on that PRI.
I checked isdn service, status and logs but still no sign of down.
Also we can see active calls on that PRI from RTMT.
Is RTMT sending false Alarms?
RTMT is probably not sending false alarms. What level do you have your logging set to?
-
For server the Node Manager associated with machine is not reachable
Hello all,
I am getting this error, when i start my Managed Server which is in shutdown state
For server SAA-Dev-1, the Node Manager associated with machine vm-bea-dev is not reachable.
All of the servers selected are currently in a state which is incompatible with this operation or are not associated with a running Node Manager. No action will be performed.
The configuration details are
i am using weblogic 9.2 MP3 version in windows 2k3 server.
It has a machine vm-bea-dev, a cluster cluster-saa-dev, to which both the managed servers saa-dev-1 and saa-dev-2 are assigned. There are 3 applications deployed onto managed Server 1 and 1 for managed Server 2.
Managed Server 1 is in shutdown state, and when i start the server, it gives the error specified below
For server SAA-Dev-1, the Node Manager associated with machine vm-bea-dev is not reachable.
All of the servers selected are currently in a state which is incompatible with this operation or are not associated with a running Node Manager. No action will be performed.
The same for Managed Server 2 too, and this server is in Admin State, i dont know how it went into that state.
Can somebody please help me resolve it.
Thanks in advance
Actually the cert is coming from your Dev machine but it is sending the Prod cert.
What cert is used by your admin server ? It should match the host name.
So your Dev machine is apparently using a copy of the prod cert / keystore rather than using its own DEV cert. It's not clear from your post whether this is the nodemanager using the wrong cert, or the managed server. So both should be checked.
The managed servers need to be using a cert that matches their host name. If you have a managed server on VM-BEA-DEV, then the cert needs to be CN=VM-BEA-DEV. You can also use a load-balancer CN name in the cert if you have the cluster's HTTP values set to match.
In your nodemanager.properties, are you explicitly accessing keystores, such as with:
KeyStores=CustomIdentityAndJavaStandardTrust
CustomIdentityAlias=some_alias
CustomIdentityKeyStoreFileName=some_path_to_keystore
CustomIdentityKeyStorePassPhrase={3DES}...
CustomIdentityKeyStoreType=jks
CustomIdentityPrivateKeyPassPhrase={3DES}
In my multi-machine clusters, I have multiple certificates such as:
admin machine1:
has a cert for use by the admin server and NM that matches the host name ( with node manager.properties entries such as the above )
has a 2nd cert that matches the load-balancer name for the cluster - used by the managed servers
all other machines:
has a cert for use by NM that matches the host name ( with node manager.properties entries such as the above )
has a 2nd cert that matches the load-balancer name for the cluster - used by the managed servers -
Team,
Unable to start FE service on one of the FE servers, 2 Enterprise Lync 2013 pools, one FE in each pool, only the following error in Event Viewer,
Log Name: Lync Server
Source: LS Server
Date: 12/30/2013 12:10:55 PM
Event ID: 12290
Task Category: (1000)
Level: Error
Keywords: Classic
User: N/A
Computer: ACS465-BH102.me.ykgw.net
Description:
The evaluation period has expired.
The evaluation period for Microsoft Lync Server 2013 has expired. Please upgrade from the evaluation version to the fully licensed version of the product. Look at help for Setup.exe to learn how to upgrade from evaluation version to the licensed version.
Cause: The evaluation period for Microsoft Lync Server 2013 has expired.
Resolution:
Please upgrade from the evaluation version to the licensed version of the product. Look at help for Setup.exe to learn how to upgrade from evaluation version to the licensed version.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="LS Server" />
<EventID Qualifiers="50152">12290</EventID>
<Level>2</Level>
<Task>1000</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-12-30T09:10:55.000000000Z" />
<EventRecordID>73953</EventRecordID>
<Channel>Lync Server</Channel>
<Computer>ACS465-BH102.me.ykgw.net</Computer>
<Security />
</System>
<EventData>
</EventData>
</Event>
Log Name: System
Source: Schannel
Date: 12/30/2013 12:13:36 PM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: ACS465-BH102.me.ykgw.net
Description:
The following fatal alert was generated: 10. The internal error state is 1203.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36888</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2013-12-30T09:13:36.779033200Z" />
<EventRecordID>83985</EventRecordID>
<Correlation />
<Execution ProcessID="556" ThreadID="3668" />
<Channel>System</Channel>
<Computer>ACS465-BH102.me.ykgw.net</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="AlertDesc">10</Data>
<Data Name="ErrorState">1203</Data>
</EventData>
</Event>
Server is already on Full version, ran Reset-CsPoolRegistrarState
for FullReset as well as ServiceReset
Followed below as well,
http://social.technet.microsoft.com/Forums/lync/en-US/2a7e27ce-2dea-4e37-91ea-1ed42e110198/issue-updating-from-eval-to-volume-licenses?forum=ocsplanningdeployment
Currently done failover to another pool and users can login,
however I can't get the front end service on this server. Any pointers would be appreciated.
Praveen | MCSE Messaging 2003
rit, the command is not doing the trick since it's already full version,
PS C:\Users\lyncadmin> Get-CsServerVersion
Microsoft Lync Server 2013 (5.0.8308.0): Volume license key installed.
only one server in one pool, total two pools.
Lync 2013 is on Win 2008 R2, and the event in system im inclining to since i have tried all,
Log Name: System
Source: Schannel
Date: 12/30/2013 9:26:34 AM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: ACS465-BH102.me.ykgw.net
Description:
The following fatal alert was generated: 10. The internal error state is 1203.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36888</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2013-12-30T06:26:34.877077500Z" />
<EventRecordID>64911</EventRecordID>
<Correlation />
<Execution ProcessID="556" ThreadID="620" />
<Channel>System</Channel>
<Computer>ACS465-BH102.me.ykgw.net</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="AlertDesc">10</Data>
<Data Name="ErrorState">1203</Data>
</EventData>
</Event>
Praveen | MCSE Messaging 2003 -
After applying SP1 (officeserversp2013-kb2880552-fullfile-x64-en-us) I have got this false error message- The trial period for this product has expired. How to take it off!!
Here is what's happening now: when I click on this message it takes me to the sites link, and when I click on sites it takes me to the OneDrive for Business library. The links have also changed: [sites] should be in place of this false message [The trial for this product has expired]. I have an Enterprise license and I checked again just to be sure through PowerShell; these are the GUIDs
Products
{9ff54ebc-8c12-47d7-854f-3865d4be8118, b7d84c2b-0754-49e4-b7be-7ee321dce0a9, 35466b1a-b17b-4dfb-a703-f74e2a1f5f5e}
I have no explanation for this change in SuiteLinksDelegate control. Tried bing and google nobody has reported this yet so looking forward to some guidance and explanation here .
Regards,
Anup
Hi Anup,
According to your post, my understanding is that you got the "The trial period for this product has expired" on all pages after applying the SP1.
For your issue, please install the Latest Newsgator (Sitrion) updates:
Sitrion
Social Core v4.5.128
Reference:
http://social.technet.microsoft.com/Forums/sharepoint/en-US/3dad56ee-0447-430c-b57f-24d7395fdeb0/upgrade-farm-to-sp1-gets-me-a-the-trial-period-for-this-product-has-expired-on-all-pages?forum=sharepointadmin
Best Regards,
Eric
Eric Tao
TechNet Community Support -
iPad 1 is a lot newer than iPhone 3GS. It has the A4 chip! Why no IOS 6 for the 1st gen. iPad?
quite surprised it suggests that iPhone 3gs s more powerful than the iPad1? iphone 3gs is supported. something is fishy. i don't want to fall out of love with apple products. looks like it's a business decision to cut support for iPad 1 - not technical shortcoming. if apple cut support for 3gs they will upset customers who just bought 3gs before iphone 5 was launched.... tsk tsk tsk.. i'm not from US. hope to see a class action suit by US peeps to resolve this...
-
IOS IPS - Sig 4050 UDP Bomb apparent false alarms?
Hi,
I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at its configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (the parameter is named ShortUDPLength and it's set to True).
All NTP traffic kicks off this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame length is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the ACKs from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named ShortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
1) Do you find that IOS IPS sig 4050 false alarms are common?
2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
3) Does Cisco have any recommendations on what to do with this built in signature?
Thanks,
KEP
On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affects some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if necessary. -
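The length comparison described in the reply above, as an added example that is not code from the thread or from Cisco: it parses an IPv4/UDP packet and compares the UDP length field with the IP total length minus the IP header length. The exact comparison is an assumption based on the reply's wording; it does not reproduce the IOS ShortUDPLength logic, which the thread leaves undefined. The packets are constructed samples sized like the NTP and TFTP traffic in the question, and the function names are hypothetical.

```python
import struct

IPPROTO_UDP = 17


def build_ipv4_udp(payload_len, udp_len_field=None, sport=1024, dport=123, frag=0):
    """Build a constructed IPv4+UDP packet (no IP options, checksums left at 0).

    udp_len_field overrides the UDP header length field to simulate a mismatch.
    Addresses come from the 192.0.2.0/24 documentation range.
    """
    udp_len = 8 + payload_len
    if udp_len_field is None:
        udp_len_field = udp_len
    total_len = 20 + udp_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, frag, 64,
                     IPPROTO_UDP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", sport, dport, udp_len_field, 0)
    return ip + udp + b"\x00" * payload_len


def check_udp_length(packet):
    """Return (verdict, udp_length_field, ip_payload_length) for one packet."""
    if len(packet) < 20:
        return ("truncated-ip", None, None)
    ver_ihl, _tos, total_len, _id, frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        return ("not-ipv4", None, None)
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        return ("malformed-ip", None, None)
    if proto != IPPROTO_UDP:
        return ("not-udp", None, None)
    # MF flag set or non-zero offset: the UDP length covers the whole
    # datagram, so it cannot be compared with a single fragment's size.
    if frag & 0x3FFF:
        return ("fragment", None, None)
    ip_payload = total_len - ihl
    if ip_payload < 8:
        return ("truncated-udp", None, ip_payload)
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    if udp_len < 8:
        return ("udp-length-invalid", udp_len, ip_payload)
    if udp_len < ip_payload:
        # The case the reply describes: UDP claims less than IP carries.
        return ("udp-length-short", udp_len, ip_payload)
    if udp_len > ip_payload:
        return ("udp-length-long", udp_len, ip_payload)
    return ("ok", udp_len, ip_payload)


# Constructed samples (not captured traffic).
SAMPLES = {
    # 48-byte NTP message: UDP length 56, 90-byte Ethernet frame.
    "ntp": build_ipv4_udp(48, sport=123, dport=123),
    # TFTP ACK, 4-byte payload: UDP length 12.
    "tftp_ack": build_ipv4_udp(4, sport=69, dport=1024),
    # UDP header claims 12 bytes while IP carries 56.
    "mismatch": build_ipv4_udp(48, udp_len_field=12),
    # First fragment (MF set): skipped rather than flagged.
    "fragment": build_ipv4_udp(48, frag=0x2000),
}


def triage(samples):
    """Map each sample name to its verdict string."""
    return {name: check_udp_length(pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(name, verdict)
```

Small but internally consistent packets such as the NTP and TFTP samples pass this check, which matches the poster's observation that the 5.0 sensor stays quiet on the same traffic.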
For server Eagle-PROD-Instance, the Node Manager associated with machine
I have a wlst script that creates a domain and a managed server. I associate the server with a machine that's attached to a node manager. It creates the managed server fine but when I try and start it I get this error
For server Eagle-PROD-Instance, the Node Manager associated with machine Eagle-Machine is not reachable.
All of the servers selected are currently in a state which is incompatible with this operation or are not associated with a running Node Manager or you are not authorized to perform the action requested. No action will be performed.
The machine is associated with the Node Manager and the NM is running. I can start the managed server from the command line, but not from the admin console
This is the script, am I missing something?
Thanks
"""
name: createManagedServer.py
description: This script create the weblogic domain, and executes each weblogic queue module
subfile. it reads a property file : weblogic_wlst.properties for server domain information
author : mike reynolds - edifecs 2011
created : April 8th 2011
"""
import sys
from java.lang import System
from java.util import Properties
from java.io import FileInputStream
from java.io import File
from weblogic.management.security.authentication import UserEditorMBean
from weblogic.management.security.authentication import GroupEditorMBean
from weblogic.management.security.authentication import UserPasswordEditorMBean

# Loads the contents a properties file into a java.util.Properties
# configPropFile = "weblogic_wlst.properties"
def loadPropertiesFromFile(configPropFile):
    configProps = Properties()
    propInputStream = FileInputStream(configPropFile)
    configProps.load(propInputStream)
    propInputStream.close()
    return configProps

def getProperties():
    importConfigFile = sys.argv[1]
    print importConfigFile
    domainProps = loadPropertiesFromFile(importConfigFile)
    properties = Properties()
    input = FileInputStream(importConfigFile)
    properties.load(input)
    input.close()
    return properties

def create_users(username, password, description):
    # create admin user
    cmo.getFileRealms()
    try:
        userObject=cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
        userObject.createUser(username,password,description)
        print "Created user " + username + "successfully"
    except:
        print "check to see if user " + username + " exists "

def add_user_to_group(username):
    print "Adding a user to group ..."
    cmo.getFileRealms()
    try:
        userObject2 = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider("DefaultAuthenticator")
        userObject2.addMemberToGroup('Administrators',username)
        print "Done adding user " + username
    except:
        print "check to see if user " + username + " is already in group "

def connect_server(user,pw,url):
    connect(user,pw,url)

def create_machine():
    try:
        print 'Creating machine' + machine
        # cd('/')
        # create(machine, 'Machine')
        mach = cmo.createUnixMachine(machine)
        mach.setPostBindUIDEnabled(true)
        mach.setPostBindUID('oracle')
        mach.setPostBindGIDEnabled(true)
        mach.setPostBindGID('oracle')
        mach.getNodeManager().setNMType('ssl')
    except:
        print "machine exists"

def build_domain():
    ### Read Basic Template
    WL_HOME = "C:/Oracle/Middleware/wlserver_10.3"
    readTemplate(WL_HOME+"/common/templates/domains/wls.jar")
    template=WL_HOME+"/common/templates/domains/wls.jar"
    cd('Servers/AdminServer')
    set('ListenAddress', adminServerAddress)
    set('ListenPort', int(adminServerPort))
    cd('/')
    cd('/Security/base_domain/User/weblogic')
    cmo.setPassword('w3bl0g1c')
    ### Write Domain
    setOption('OverwriteDomain', 'true')
    print "writing domain " + domainDir + domainName
    writeDomain(domainDir+'/'+domainName)
    closeTemplate()
    create_machine()
    arg = "Arguments=\" -server -Xms256m -Xmx768m -XX:MaxPermSize=256m -da\""
    prps = makePropertiesObject (arg)
    domain = domainDir + domainName
    try:
        #startNodeManager()
        #nmConnect('weblogic', 'w3bl0g1c', host, 5556, 'AdminServer', domain, 'ssl')
        # nmStart('AdminServer')
        startServer('AdminServer', domainName, url, adminUser, adminPassword, domainDir, 'true')
    except:
        print "could not connect to Node Manager"

def create_server():
    # get server instance properties
    name = properties.getProperty("serverName")
    domain = properties.getProperty("domainName")
    port = properties.getProperty("listenPort")
    address = properties.getProperty("listenAddress")
    servermb=getMBean("Servers/" + name)
    machine = properties.getProperty("machineName")
    nodePort = properties.getProperty("nodeManagerPort")
    domainDir = properties.getProperty("domainDir")
    if servermb is None:
        startEdit()
        cd('/')
        cmo.createServer(name)
        cd('/Servers/'+ name)
        cmo.setListenAddress(address)
        cmo.setListenPort(int(port))
        cd('/')
        cmo.createMachine(machine)
        cd('/Machines/' + machine + '/NodeManager/' + machine )
        cmo.setNMType('Plain')
        cmo.setListenAddress(address)
        cmo.setListenPort(int(nodePort))
        cmo.setDebugEnabled(false)
        cd('/Servers/' + name)
        cmo.setListenPortEnabled(true)
        cmo.setJavaCompiler('javac')
        cmo.setClientCertProxyEnabled(false)
        cmo.setMachine(getMBean('/Machines/' + machine ))
        cmo.setCluster(None)
        cd('/Servers/' + name + '/SSL/' + name)
        cd('/Servers/' + name + '/ServerDiagnosticConfig/' + name)
        cmo.setWLDFDiagnosticVolume('Low')
        cd('/Servers/' + name)
        cmo.setCluster(None)
        cd('/Servers/' + name + '/SSL/' + name)
        cmo.setEnabled(false)

### Executable Script
### CreateDomain.py
### Define constants
WL_HOME = "C:/Oracle/Middleware/wlserver_10.3"
print "Starting the script ..."
print "Getting properties ... "
properties = getProperties()
adminServerAddress = properties.getProperty("adminServerAddress")
adminServerPort = properties.getProperty("adminServerPort")
adminUser = properties.getProperty("adminUser")
adminPassword = properties.getProperty("adminPassword")
edifecsUser = properties.getProperty("edifecsUser")
edifecsPassword = properties.getProperty("edifecsPassword")
host = properties.getProperty("host")
domainDir = properties.getProperty("domainDir")
domainName = properties.getProperty("domainName")
user = properties.getProperty("username")
pw = properties.getProperty("passwd")
url = properties.getProperty("adminURL")
machine = properties.getProperty("machineName")
print "Building the domain..."
build_domain()
print "Connecting to server"
connect_server(adminUser, adminPassword, url)
edit()
startEdit()
# create managed server
# create_machine()
create_server()
print "Creating users"
# starting configuration tree
serverConfig()
create_users(adminUser, adminPassword, "Administrator")
add_user_to_group(adminUser)
create_users(edifecsUser, edifecsPassword,"Administrator")
add_user_to_group(edifecsUser)
# have to restart edit to save config
edit()
startEdit()
# nmKill('AdminServer')
print "saving configuration"
try:
    save()
    activate(block="true")
    print "script returns SUCCESS"
    print "admin server is running"
    print "starting server " + name
    startServer(domainName, name ,url,adminUser, adminPassword, domainDir,'true')
except:
    print "failed to save server"
    dumpStack()
Actually the cert is coming from your Dev machine but it is sending the Prod cert.
What cert is used by your admin server ? It should match the host name.
So your Dev machine is apparently using a copy of the prod cert / keystore rather than using its own DEV cert. It's not clear from your post whether this is the nodemanager using the wrong cert, or the managed server. So both should be checked.
The managed servers need to be using a cert that matches their host name. If you have a managed server on VM-BEA-DEV, then the cert needs to be CN=VM-BEA-DEV. You can also use a load-balancer CN name in the cert if you have the cluster's HTTP values set to match.
In your nodemanager.properties, are you explicitly accessing keystores, such as with:
KeyStores=CustomIdentityAndJavaStandardTrust
CustomIdentityAlias=some_alias
CustomIdentityKeyStoreFileName=some_path_to_keystore
CustomIdentityKeyStorePassPhrase={3DES}...
CustomIdentityKeyStoreType=jks
CustomIdentityPrivateKeyPassPhrase={3DES}
In my multi-machine clusters, I have multiple certificates such as:
admin machine1:
has a cert for use by the admin server and NM that matches the host name ( with node manager.properties entries such as the above )
has a 2nd cert that matches the load-balancer name for the cluster - used by the managed servers
all other machines:
has a cert for use by NM that matches the host name ( with node manager.properties entries such as the above )
has a 2nd cert that matches the load-balancer name for the cluster - used by the managed servers -
Customizing sensor from filtering false alarms.
hi,
How can I filter the false alarms coming out from my DHCP server and DNS servers? I am getting a lot of frag overlap signature alarms. Can anyone help me to avoid these false alarms? Please help.
Hi,
You can configure an event action filter for those hosts you do not want the sensor to do any further action for the specific signatures.
This is described here : http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1063299
I hope this helps you. -
Disassoc flood - false alarms - IDS signature file needs adjustment
Another interesting observation regarding Disassociation flood wireless IDS alarms:
When a wireless client goes out of range of an AP, it is not uncommon for a burst of 64 disassociation frames to be sent in order to ensure that the client/AP are no longer associated.
However, the threshold in the WLC's IDS signature file is 50. It is unclear why this value was chosen by the developers. However, at Cisco's recommendation, we have adjusted the signature file to a value of FREQ=80 (instead of 50) for the following alarms:
Disassociation, Deauth Flood, and Bcast Deauth
This has resulted in fewer false alarms (except for Bcast Deauth which is the result of the WLC alarming on its own containment messages - see previous thread!).
Additional Note: When making changes to the IDS signature file, it would appear that a REBOOT ended up being necessary in our case in order to get the WLCs to recognize the changes to the IDS signature file. When we merely upgraded the signature file, it did not make a difference.
Also, it would appear that the name of the signature file is important (since the parsing of the file does not take place unless a specific file name is given).
- John
Hi,
I'm getting a lot of false positive rogue APs (I've checked the MAC addresses and they are definitely ours), is it possible that a similar problem with signatures is causing this?
Scott -
When trying to update my Mail Account Mailbox Behaviours settings, after making the changes when I try to close the settings pane the following messages occur: Invalid Incoming Mail Server The “Incoming Mail Server” field cannot be empty. The incoming mail server box has in light grey colour: p02-imap.mail.me.com in it and I cannot edit its content. Any ideas what is going on and how to fix it?
Hi all,
Mattreichenbach is probably on the right track here with a reset of settings. I think I've determined the issue has to do with cached account information and inconsistencies for the account name. This seems to crop up when I've changed my password and it hasn't propagated fully to all the servers, devices, certificates, etc.
Hopefully many here are on their way to restoration of service by now but it's clear that a lot of people are having the same issues. Very frustrating and definitely something Apple needs to resolve: incoming mail server field grayed out, incorrect autopopulation of different fields, other unanticipated behaviors. If you're still having issues, though, here's what worked for me...
First, head to the iCloud preferences pane in System Configuration and choose "Sign Out". When I did this it prompted me with a number of "are you sure" type questions about retaining information on my local machine. I chose to delete/remove the info each time simply because it should all be restored by the cloud and I didn't want to risk a massive duplication of my data... I will say, I'm back up and running with no issues so I suspect you can make the same delete/remove choices... But use your own judgment. I don't want you to lose any data (ie.. please use care as you do this because I cannot bear the thought of causing anyone to experience the pain of data loss).
Once you've signed out of iCloud, restart your system. When you get back in, head to the Mail, Contacts and Calendars section of your System Preferences and add your account back by choosing the brushed aluminum "iCloud" button. When it asks for your account name, use your @iCloud.com email address. I am all but certain my issue had started because one of my devices (iPhone or whatever) had been set up with an email alias specified instead of my @iCloud.com address.
Apple, if you're reading through any of these issues (there are TONS of users having this same problem). Take note, that your icloud service somewhat frequently is not responding and yet tells the user that the password is wrong and this prompts people to be changing their passwords unnecessarily. This has happened to me on numerous occasions. Also, I noticed that last week's outage corresponded to a VERY similar outage exactly one year ago to the day. Sounds like planned maintenance to me and I think you could do a better job notifying folks so we're not wasting HUGE amounts of time troubleshooting a problem that we have no hope of fixing.
Hope that helps some of you!
Terry Mullane
Washington, DC