MARS - IOS interface up down, AD security entries
Our MARS appliance is running V4.2.1. We have about 40 or 50 IOS switches sending their entries to it. We see interface up and down transitions all the time as expected.
It seems that for many of the entries in MARS, the interesting data, such as the actual port number that went up or down, is nowhere to be found. Am I simply drilling wrong?
We have the same problem with Windows Active Directory security entries - we can see user account changes, but not who made them or which account was changed.
Seymour,
We see similar events on our MARS appliance too. We have nearly 300 switches logging to it now so you can imagine the up/down alerts that we have generated! You are correct that MARS does not provide complete information in the incident view. You are doing nothing incorrect. Keep in mind that the MARS appliance is aggregating a massive amount of security/system data and needs to normalize it to data fields that are most important when it comes to attack information. To view full messages keep in mind that you can view the "Raw Data" directly from the incident screen. In the case of interface up/down messages this would show you the exact port (it's found directly next to the "Reporting Device" name). Keep in mind that Cisco now has enhanced notifications using XML. This exported data contains the raw message that could be included as part of a notification like this:
# Incident Details #
Incident: 1428252525
Start: Oct 3, 2006 8:46:18 AM EDT
End: Oct 3, 2006 8:50:20 AM EDT
Severity: LOW
Rule: Cisco IOS AP wireless MAXRETRIES
Descript: This rule will detect and alert of a Warning on the wireless network for {DOT11-4-MAXRETRIES: Packet to client [mac] reached max retries, removeing the client} errors.
# Session Details #
Session ID: 1428578861
Device: AP12_Freezer.company.com
Event: Generic IOS syslog
Source: 0.0.0.0
Destination: 0.0.0.0
Raw Message: <188>6032: Oct 3 08:49:30: %DOT11-4-MAXRETRIES: Packet to client 00a0.f123.23f7 reached max retries, removing the client
Anything else I can help with let me know.
-Mike
http://cs-mars.blogspot.com
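As an added example (not part of the original posts and not Cisco's code): a small Python parser that takes a notification in the layout quoted above, pulls out each session's device and raw IOS syslog message, and recovers the interface and new state that the normalized incident view leaves out. The second session in the sample, including its device and interface names, is constructed for illustration.

```python
import re

# Constructed sample in the notification layout quoted above. The second
# session (device and interface names) is made up for illustration.
SAMPLE = """\
# Session Details #
Session ID: 1428578861
Device: AP12_Freezer.company.com
Raw Message: <188>6032: Oct 3 08:49:30: %DOT11-4-MAXRETRIES: Packet to client 00a0.f123.23f7 reached max retries, removing the client
# Session Details #
Session ID: 1428578862
Device: sw-example-01.company.com
Raw Message: <189>771: Oct 3 08:49:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12, changed state to down
"""

RAW_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"        # optional syslog PRI
    r"(?:(?P<seq>\d+):\s+)?"           # optional IOS sequence number
    r"(?P<ts>.*?):\s*"                 # timestamp exactly as the device sent it
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)
# Matches both %LINK-n-UPDOWN and %LINEPROTO-n-UPDOWN message bodies.
IF_RE = re.compile(r"Interface (?P<ifname>.+?), changed state to (?P<state>.+)$")


def parse_raw(raw):
    """Split one IOS syslog line into its fields; None if it is not IOS-style."""
    m = RAW_RE.match(raw.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["pri"] is not None:
        # PRI = syslog facility * 8 + syslog severity
        pri = int(rec["pri"])
        rec["syslog_facility"], rec["syslog_severity"] = pri >> 3, pri & 7
    rec["severity"] = int(rec["severity"])
    hit = IF_RE.search(rec["text"]) if rec["mnemonic"] == "UPDOWN" else None
    rec["ifname"] = hit.group("ifname") if hit else None
    rec["state"] = hit.group("state").strip() if hit else None
    return rec


def sessions(notification):
    """Yield (device, parsed raw message) for each session in a notification."""
    device = None
    for line in notification.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Device":
            device = value.strip()
        elif key.strip() == "Raw Message":
            rec = parse_raw(value)
            if rec:
                yield device, rec


def interface_events(notification):
    """Return (device, interface, new state) for every UPDOWN message."""
    return [(dev, r["ifname"], r["state"])
            for dev, r in sessions(notification) if r["ifname"]]


if __name__ == "__main__":
    for event in interface_events(SAMPLE):
        print(event)
```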
Similar Messages
-
IOS XR Interface up/down trap
For interface up/down trap
In IOS it used to be:
Generic: 2; Specific: 0; Enterprise: .1.3.6.1.6.3.1.1.5;
Variables:
[1] mgmt.mib-2.interfaces.ifTable.ifEntry.ifIndex.34 (Integer): 34
[2] mgmt.mib-2.interfaces.ifTable.ifEntry.ifDescr.34 (OctetString): POS2/1/0
[3] mgmt.mib-2.interfaces.ifTable.ifEntry.ifType.34 (Integer): 171
[4] private.enterprises.cisco.local.linterfaces.lifTable.lifEntry.locIfReason.34 (OctetString): Keepalive failed
Annotations:
In IOS XR we are missing ifDescr
Thanks Joe.
This solves the problem.
One more question. we do not see LDP traps coming from the XR router.
here is the config; when i enable LDP traps it just does not show up in the config:
snmp-server host 10.10.141.253 traps ovadmin
snmp-server view N ip included
snmp-server view N system included
snmp-server view N cpwVcMIB included
snmp-server view N entityMIB included
snmp-server view N interfaces included
snmp-server view N cpwVcMplsMIB included
snmp-server view N mplsTeStdMIB included
snmp-server view N ciscoCBQosMIB included
snmp-server view N ciscoPingEntry included
snmp-server view N ciscoProcessMIB included
snmp-server view N ciscoMemoryPoolEntry included
snmp-server view N ciscoEnhancedMemPoolMIB included
snmp-server community admin RO
snmp-server community admirw RW
snmp-server traps snmp
snmp-server traps config
snmp-server traps entity
snmp-server location Y
snmp-server trap-source MgmtEth0/8/CPU0/0
Tried to enable it:
RP/0/8/CPU0:P1(config)#snmp-server traps mpls ?
frr Enable MPLS FRR traps
l3vpn Enable MPLS L3VPN traps
ldp Enable MPLS LDP traps
traffic-eng Enable MPLS TE traps
RP/0/8/CPU0:P1(config)#snmp-server traps mpls ldp ?
down Enable MPLS LDP session down traps
threshold Enable MPLS LDP threshold traps
up Enable MPLS LDP session up traps
RP/0/8/CPU0:P1(config)#snmp-server traps mpls ldp ?
down Enable MPLS LDP session down traps
threshold Enable MPLS LDP threshold traps
up Enable MPLS LDP session up traps
RP/0/8/CPU0:P1(config)#snmp-server traps mpls ldp down ?
RP/0/8/CPU0:P1(config)#snmp-server traps mpls ldp down
RP/0/8/CPU0:P1(config)#snmp-server traps mpls ldp up
RP/0/8/CPU0:P1(config)#commit
RP/0/8/CPU0:P1(config)#end
does not show up in the config. -
Ipad3 showing kernel panic messages and ios is crashing down frequently.
I am using an iPad 3. My iOS has been crashing frequently since I upgraded to iOS 7.04. On a couple of occasions I saw kernel panic messages. I have restored iOS plenty of times but am still facing the problem. This issue makes it impossible to use this device now. I am really fed up. I am seeking the sincere and cordial help of the technical bosses!
Create a data recovery/undelete external boot drive
Step by Step to fix your Mac
Most commonly used backup methods -
IDSM-2 Logical interface up/down
Hello!
IDSM-2 from my customers are using.
Questions before we work with CPU1 HIGH issue, now on SPAN monitoring is set to TX.
IDSM-2 of the g07, 08 with the INTERFACE UP / DOWN is repeated.
For the uplink traffic in / out total 80 ~ 200mbps & show intrura module 9 data-port 1 traffic in the 80 ~ 100mbps can see the traffic.
traffic and whether you're related to span? or h / w failure is
What the hell do not know. Thank you.
However, I do not understand.
Why, promiscuous interface is up / down repeated.
Customers are very concerned that.
up / down repeatedly since the interface is down, since there will not be up.
reset after the interface is up.
promiscuous interface need to be aware that you have? -
I lost sound shortly after iOS 6 was down loaded. Sound works headphones.
I lost sound shortly after iOS 6 was down loaded. Sound works with headphones. When no headphones are plugged in and I try to use the volume control on side sound effects comes up but no sound is made. I get sound over main speaker when i adjust alert volume. I restarted and downloaded iOS 6 update with no results.
Try this:
1. Settings>General>Use Side-Switch To>Lock Rotation.
2. Double-click the Home button and swipe Task Bar to the right.
3. Make sure the button on the far left of Task Bar is not muted -
Will updating my iPhone from iOS 7 to iOS 8 slow down my iPhone?
Will updating my iPhone from iOS 7 to iOS 8 slow down my iPhone? I've heard and seen in many videos on YouTube that updating an iPhone 4s to iOS 8 slows it down... Can anybody help me figure out the truth?
kerimlawrence wrote:
how to downgrade my iphone 4s from ios 7 to ios 6 ...
Downgrading is not Supported by Apple.
kerimlawrence wrote:
. because my ios 7 does not want to activate
Activation Lock in iOS 7 > http://support.apple.com/kb/HT5818 -
Will iOS 5 bog down my first generation iPad?
Will iOS 5 bog down my first generation iPad?
Since iOS5 has not been released, we don't know. Anyone who does know is likely under NDA not to discuss it on these public forums. (We don't even know if iOS5 "will bog down" an iPad2 either.)
Best to wait until iOS5 is released, but don't install it immediately, and wait for what everyone else says. -
Interface goes down with mds9140
Hi
I have a problem with both MDS 9140s. The FC interface goes down and doesn't come up when I reboot a device connected to them with a fiber. To solve the problem I need to remove the GBIC and plug it back in again. I use the following version of software
Software
BIOS: version 1.0.8
loader: version 1.1(2)
kickstart: version 1.2(1a)
system: version 1.2(1a)
Fabrice
It is probably a software defect where, if a port is up for over 248 days, once link is lost it will not come back w/o a shut/no shut or manual intervention as you describe. This issue is resolved in the 1.3.4b and above code. For a 91xx, this would be a disruptive upgrade. Or, simply issue a shut/no shut on an affected port and you'll be good for another 248 days.
-
6807-XL - Control plane interface showing down in logs and NMS
Getting the below logs on the switch and NMS station is also showing the CPP interface is down.
Jul 01 12:09:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Control Plane Interface, changed state to down
Any thoughts? -
Ethernet interface down when make entry in autopush file
Hi,
my kernel STREAMS module is working fine when i push it just above ethernet interface through ifconfig cmd, but when i make its entry in autopush file as: iprbo -1 0 simod
then during boot the ethernet interface iprb0 does not come up, and the system even crashes.
How can I sort out this problem?
Hi Prakash
Check if the host name entry is maintained on the DNS server. The DNS server is responsible for resolving your host name to the IP setting.
refer this link - http://forums.techarena.in/server-dns/905529.htm
Regards
Mitesh Parekh -
Cisco 871W - VLAN-Interface = 'Up/Down'
Hi,
I have configured our company's Cisco 871W per suggested configs found on the cisco web site, however, VLAN1, VLAN10 and VLAN20 interfaces won't come up (e.g. up/down) and it's preventing communication. Guess I'm expecting this to behave like a multi-layer swt/rtr (i.e. 3560). Can anyone help me on this?
Here is the config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname xxxxxxxxxxxxx
boot-start-marker
boot-end-marker
enable secret xxx
enable password xxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp pool VLAN10
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name xxxxxxxxxxxxxxxx
lease 4
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
domain-name xxxxxxxxxxxx
lease 4
no ip domain lookup
ip domain name xxxxxxxxx
crypto pki trustpoint TP-self-signed-1485172728
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1485172728
revocation-check none
rsakeypair TP-self-signed-1485172728
crypto pki certificate chain TP-self-signed-1485172728
certificate self-signed 01
<--------some output omitted--------->
interface FastEthernet0
switchport access vlan 20
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
ip address 10.2.5.1 255.255.0.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Vlan1
no ip address
interface Vlan10
description Internal Network
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan20
description Guest Network
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip access-list extended Guest-ACL
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
<--------------output omitted---------->
End
Sample device-specific configs would help.
We are not concerned with the wireless portion of the config at this point.
Any insight is appreciated.
Thanks!
Chris
News Corp.
You may be hitting a bug; check the details of this bug: CSCsc10989
-
I added a VLAN and interface vlan with the no shutdown command on the MSFC, but when I run the show ip interface brief command I get down and down. What causes this problem?
I guess I should have been more clear in my answer but didn't want to cause confusion.
Now I have not tried this lately on a catos box so it may be different
If a port is down/down it means there is no entry in the vlan database for it. It normally also means that there is no port assigned to that vlan, but you can accomplish this by assigning a port and then deleting the vlan database. Either way you will get a down/down condition.
Once you add the vlan to the database the interface will go UP/DOWN. This means there is no active access port on the switch and the vlan is not allowed on any trunks that may be up.
Once a vlan becomes active either on a trunk or access port it goes to up/up
Part of the confusion with this is that Cisco adds entries to the vlan database automatically when you add access ports to an unknown vlan.
The problems come when someone sees this down/down condition on a switch and checks that they allow all vlans on an active trunk port and it still doesn't work. In this case all you do is add the vlan database entry and it will come up. -
I am getting this warning on my ASA 5505 when I try to set up logging from my off site FW to the central FW, which is a 5510. What I am trying to do is send the FW logs through the VPN Tunnel into the central 5510 to our logging server at 192.168.22.99, but allow all other traffic out the outside interface so customers can hit our web servers down there. Here is an example of my config with fake IP's. I get this error when trying to do "logging inside host 192.168.22.99". If I try to put in "logging Tunnel host 192.168.22.99" I get the "Warning:Security Level is 1" message
5505
ethe0/0
desc To LA ISP (217.34.122.1)
switchport access vlan2
ethe0/1
desc To Redwood City HQ via VPN Tunnel
switchport access vlan1
ethe0/2
desc To Internal Web Server
switchport access vlan3
VLAN1
desc Tunnel to HQ
ifinterface Tunnel
security level 1
217.34.122.3 255.255.255.248
VLAN3
desc Internal Web Server
ifinterface inside
security level 100
192.168.0.1 255.255.255.0
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0
(No access-group is performed, as I match from the crypto map instead since I have multiple sites going out of HQ - see HQ configs)
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ set peer ip 65.29.211.198
5510 at HQ
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
(again no access-group, since I have a couple other off sites)
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.34.122.3
Hi Jouni,
I have the following configs in place with fake IPs
5505
1 outside interface with security level 0 (vlan1 direct connect to isp 217.33.122.2/30) - goes to ISP
1 Tunnel interface with security level 1 (vlan 2 direct connect to isp 217.33.122.6/30) - goes to Tunnel to our 5510
1 inside interface with security level 100 (servers connected to hub, with vlan3 ip of 192.168.0.1)
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0 - acl to 5510 inside network
route outside 0.0.0.0 0.0.0.0 217.33.122.1 - route for all traffic (except for 192.168.22.0/24) to take the outside connection
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198 - route for 192.168.22.0 destined traffic to take the Tunnel connection
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ 10 set peer ip 65.29.211.198
tunnel-group 65.29.211.198 type ipsec-l2l
5510
1 outside interface with security level 0 (vlan1 direct connect to isp 65.29.211.198) - goes to isp
1 inside interface with security level 100 (vlan2 connection to corporate servers and SIP 192.168.22.0/24)
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list OUTBOUND extended permit icmp host 217.33.122.6 host 192.168.22.99 (allows Nagios monitor to ping the DE interface
access-group OUTBOUND in interface outside
nat (inside,outside) static 192.168.22.99 interface destination static 217.33.122.6
route outside 192.168.0.0 255.255.255.0 217.33.122.6
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.33.122.6
tunnel-group 217.33.122.6 type ipsec-l2l
I am mistaken on the 5510 interfaces. They do not have vlans, and the IP address is directly applied to the interfaces for outside and inside. -
My Other storage space was at 2.84 GB after i loaded all my music/apps onto a recently purchased 32 GB Ipod touch 5 Generation with iOS 6.1.3. Resetting the settings and removing the music and apps did not help reduce the Other space. I restored to a backup and got my Other storage space down to almost 400 MB. When I started syncing music it grew 500-ish MB. Each time I sync, the Other grows a bit more. This is really irritating.
The official listed available GB on my 32 GB is 28.22 GB (not including Other), so now I am irritated knowing that this Other is taking up my space when I didn't even have 32 GB of free space to begin with. So 28.22 - 2.84GB = 25.38 GB.
I want to restore to a new device to see if that helps, but do not want to upgrade to iOS 7. Is there any way to do this?
If I upgrade to iOS 7 I am worried it might slow my iPod or drain the battery faster. Will it do that? The iPod is expensive and I don't want it to go downhill and obsolete on me because it can't handle a better operating system.
Less than 1 1/5 GB is normal. It does grow with time.
What is the Other on my iPhone and How to Remove It -
Is iOS 8 slowing down the wi fi on my iPad air?
Having lived through several OS updates I know that it takes a little while for apps to all be updated and for little glitches to be worked out. However, I think iOS 8 has brought on some real issues with my iPad Air.
The overall issue is a slow connection to the internet. This happens at home and in several other locations where I have used the wi-fi since updating to iOS 8 a few weeks ago. My work PC works fine (well... at least, the internet does), but my daughter's iPad mini (also updated to iOS 8) will slow down when she is watching Netflix, occasionally. The family also has an iMac, which is working fine.
While using the Washington Post (downloading the newspaper), Pinterest, Safari, YouTube, Mail and the App Store, the connection seems to slow down to a crawl, making it impossible to continue what I am doing.
I've shut down and restarted the iPad, and then it works fine for a while, only to slow down again sometime later. Sometimes the problem will seem to fix itself, but then it slows down again. Sometimes, it happens when it comes out of sleep mode, and sometimes not. Since I use my iPad to work from home, it is really frustrating. I can delay my gratification when it comes to games and such, but not when I am updating my blog or reading my email.
I've Googled iOS 8 and wi fi and saw that there are a number of issues out there. Some of the big tech magazines and websites are tracking some similar issues. I'm curious if anyone knows if this is all related to iOS 8 and if a future update will resolve it, or if there are ways I can test my hardware on my iPad to make sure it is working properly.
Thanks!
How to remove iOS 8? This is the biggest failure of Apple. It slows down my iPad, freezes applications, freezes the keyboard....?