RTMT sending false Alarms?

Similar Messages

• ANM 5.2.1 Device Down False Alarms

  Hello all,
  I am just checking if anyone out there is facing false alarm issues with ANM 5.2.1. Basically ANM is sending device down (ACE-30 module) messages occasionally, but in real the device has never went down.
  I haven't found any bug related to this issue. Please share your experiences with ANM 5.2.1 ?
  Message:
  ANM Server Host Name        : anm-1
  ANM Server IP Address        : 10.9.20.1
  Device ID                              : AGG-B:3
  Component Name                  : AGG-B:3
  Severity                               : info
  Time                                   : 04-Jan-2013 13:49:59  GST
  Alarm Name                        : Device Status
  Alarm Value                       : Down
  Threshold Assert Value       : Down
  Threshold Group Name         : ANM-Alerts
  Alarm State                       : Active
  Details                           : AGG-B:3's Device Status  reached the Down state defined in threshold group 'ANM-Alerts'
  ACE-30 uptime:
  ACE-B kernel uptime is  267 days 0 hour 13 minute(s) 11 second(s)
  Regards,
  Akhtar

  Yes, me. On 5.2.2 and just a couple of hours ago, the passive sent this:
  Device State and Resource Monitoring Alarm of severity info has occurred.
  ANM Server Host Name               :
  ANM Server IP Address                :
  Device ID                                             : sw000:1
  Component Name                          : sw000:1
  Severity                                               : info
  Time                                                      : 21-Feb-2013 05:40:39 CET
  Alarm Name                                       : Device State and Resource Monitoring
  Alarm Value                                       : Down
  Threshold Assert Value : Down
  Threshold Group Name                : TEST
  Alarm State                                        : Active
  Details                                  : sw000:1's Device State and Resource Monitoring reached the Down state defined in threshold group 'TEST'

• Persistent, chronic, false alarms for the past eight months

  We now have two installations that utilize a unified wireless (WLC or WiSM - AIR-LAP1131AG, AIR-LAP1231G, AIR-LAP1242AG access points) that have been exhibiting the following IDS false alarms:
  Disassoc Flood
  AP Impersonation
  We have TAC cases going back to October 2006 to address them and have upgraded to the latest/greatest version 4.0.206.0 in hopes of getting this solved.
  Version 4.0.206.0 was supposed to have fixed these problems, and it did reduce some of the other false alarms (not listed). However, the two mentioned above persist.
  Is anyone else out there experiencing this?
  - John

  Thank you for confirming this behavior.
  In answer to your question, upgrading to 4.0.206.0 did get rid of the "Generic Netstumbler" IDS alarm that turned out to be another false positive.
  As it turns out, there have been comments from Cisco that now indicate that .206 has stability issues (nice to know that now). However, we have not experienced any of these issues at the two installations where this version is operating.
  I also wanted to point out that we went ahead and opened TAC cases for each error at each customer site.
  Currently, most of them have reached a status of "Release Pending". (Now as to *WHICH* release....)
  If you have not opened a TAC case for these issues, taking the time to do so will help Cisco be aware of the extent to which this problem exists in the field and, hopefully, will help them prioritize the fix to this problem.
  John

• IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

  Hi,
  I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at it's configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (The parameter is named ShortUDPLength and it's set to True).
  All NTP traffic kicks of this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame lenght is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
  Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the Ack's from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
  Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named SnortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
  Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
  1) Do you find that IOS IPS sig 4050 false alarms are common?
  2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
  3) Does Cisco have any recommendations on what to do with this built in signature?
  Thanks,
  KEP

  On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
  You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
  I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affectes some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
  Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if neccessary.

• Customizing sensor from filtering false alarms.

  hi,
  How can i filter the false alarms coming out from my dhcp server and dns servers. Iam getting a lot of frag overlap signature alarms.Can anyone help me to avoid these false alarms ? Please help.

  Hi,
  You cna configure event action filter for those host you do not want the sensor to do any further action for the specific signatures.
  This is described here : http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1063299
  I hope this helps you.

• WCS IDS False Alarms - NetStumbler Generic Attack

  We have a particular installation where we are seeing four (4) types of IDS errors constantly reappearing:
  "IDS Signature attack detected. Signature Type: Standard"
  "Disassoc flood, Description: Disassociation flood
  "AP impersonation"
  "NetStumbler Generic Attack"
  In the first three alarms, Cisco has acknowledged that there are known issues with false IDS alarms that are supposed to be fixed in an upcoming "BE-MR2" in mid-December, and a new IDS signature in January.
  Is anyone else experiencing the NetStumbler Generic IDS alarm? We see them on a regular basis.
  If so, please reply - as I would like to forward this on to TAC to make sure they get this fixed in the next release.
  We are using WLC-4.x and WCS 4.x with LAP-1131AG access points.
  - John

  The Disassociation attack is a known bug acknowledged by Cisco TAC. (That is not a guarantee that it is a false alarm - that is what has been especially frustrating in troubleshooting these).
  Specifically, though, I am trying to confirm that others are experiencing the NetStumbler attack as we suspect this is another false alarm since it came from the MAC address of a trusted laptop that was confirmed to not be running NetStumbler - and, yes, I realize that the MAC address can be spoofed, but with the high number of false positives on the other types of alarms mentioned earlier, it would seem more likely that the WLC's IDS subsystem needs tweaking.
  I would really like to get this fixed within the next release, and am hoping that additional confirmation may help get Cisco to resolve it more quickly.
  - John

• Disassoc flood - false alarms - IDS signature file needs adjustment

  Another interesting observation regarding Disassociation flood wireless IDS alarms:
  When a wireless client goes out of range of an AP, is that it is not uncommon for a burst of 64 disassociation frames to be sent in order to ensure that the client/AP are no longer associated.
  However, the threshold in the WLC's IDS signature file is 50. It is unclear why this value was chosen by the developers. However, at Cisco's recommendation, we have adjusted the signature file to a value of FREQ=80 (instead of 50) for the following alarms:
  Disassociation, Deauth Flood, and Bcast Deauth
  This has resulted in fewer false alarms (except for Bcast deaut which is the result of the WLC alarming on its own containment messages - see previous thread!).
  Additional Note: When making changes to the IDS signature file, it would appear that a REBOOT ended up being necessary in our case in order to get the WLCs to recognize the changes to the IDS signature file. When we merely upgraded the signature file, it did not make a difference.
  Also, it would appear that the name of the signature file is important (since the parsing of the file does not take place unless a specific file name is given).
  - John

  Hi,
  I'm getting a lot of false positive rogue APs (I've checked the MAC addresses and they are definitely ours), is it possible that a similar problem with signatures is causing this?
  Scott

• K8N Neo BIOS 1.5 released -- sorry FALSE ALARM

  I haven't yet tried it, but BIOS 1.5 appears to be posted on LiveUpdate, along with a new version of the LiveUpdate software itself. This is for the K8N Neo; I don't know about the Neo2.
  Anyone tried it yet?

  Well this is weird. It tells me 1.5 is released, I try to install it. It first says it needs to install a new version of LiveUpdate. Fine...reboot...then back to LiveUpdate and there's no new version of the BIOS showing up anymore. Or maybe I was just imagining things. Sorry for the false alarm.

• ICal randomly doesn't send email alarms

  I'm having issues with iCal missing some, but not all, email alarms. I have all my birthday reminders set the same way, to email me 7 days before. Some emails are sent, some are not. I have 4 calendars set up, and emails from other calendars are being missed as well. It seems to be random as I can't find any pattern linking the missed emails.
  As far as I can tell I have never missed any pop-up message alarms, only email alarms.
  I haven't made any changes to cause this that I know of, it just started missing emails one day. I suppose it could have corresponded with the 10.6.3 update as the timing would have been in the right ballpark, but I really can't say for sure.
  I tried deleting all calendars and reimporting a previously exported iCal backup file without luck.
  Not sure what else to try. Any ideas?

  Hi
  I had the same issue here. I solved the alarm sending with this: http://discussions.apple.com/thread.jspa?messageID=11602956#11602956
  but the other problem was that some random changes occured with the recurrence of the events in my Birthdays calendar. I solved that with this script:
  tell application "iCal"
  tell calendar "Birthdays"
  repeat with Evento in events
  tell Evento
  set recurrence of Evento to "FREQ=YEARLY"
  end tell
  end repeat
  end tell
  end tell

• RTMT Sender ID

  Hi All,
  Can somebody please let me know how to change the RTMT email alert sender ID? As of now we are getting email id as RTMT_Admin, want to change this sender ID.
  Thanks in advance !!!!

  Hi Jonathan,
  Thanks for sharing information.
  I cloud see option only for email server and port in the mentioned path. I am using RTMT version 8.1.
  Please suggest me if anything else needs to be done.

• Can't send query-alarms via e-mail in 8.8 PL15

  Hi all,
  I have 8.8 PL15.  Made an alarm based on a query and am trying to send it via e-mail.  The SBO Mailer is properly configured, but the alarm is not going out.  The event viewer on the server shows:
  MessageEntity::MarkOneRecordError::Query SQL AOB1 failed -2028
  Note # 1440854 says that it's a product error and will be fixed in a later patch.  When PL12 was released, the correction was included, as note # 1464641 states; but I already have PL15 and the error still persists.
  Any ideas on how this can be solved??
  Thanks for any help or advise,
  Best regards,

  Hi Emilio,
  I have the same problem in pl17. Did you solve the problem?
  Best regards,
  Jan-willem Bruijsten

• SMC 3.6 Cannot  send email alarm

  Dear All ,
  I just try SMC 3.6 ,on the server i am configure sendmail and test send email working fine ,but when i try attribut set to send email outside ,script email.sh not send alarm notify to send out email , i try also email to localhost smc server but not yet working ? any idea ?
  regards
  hadi

  Hi Hadi,
  The Release Notes say the "usermod" command listed in your URL may not work: maybe you can make the file changes by hand?:
  http://docs.sun.com/app/docs/doc/817-7553/6mms6q1ia?a=view
  Regards,
  [email protected]

• Can iCal send email alarms to someone other than self?

  I would like to have iCal send an email to someone other than myself via an alarm. Is that an option and if so, how is it done? Thanks in advance.

  If you have a ISP based email it can only be sent through Mail via your home ISP connection (or the same ISP elsewhere).
  If you use the ISP's web page email access then you can do it from any machine or on any ISP.
  Most people use a free web based email like GMail or Yahoo, then they can access through any computer with a web browser anywhere.
  I haven't used Mail in years.

• Send iCal alarms to other people's email addresses

  other than adding other peoples email addresses to my card, is there a way to do this? I want to be able to send email reminders to client appointments that I have scheduled in iCal.
  thanks,
  bl

  I'm sorry that I dont know how to do this, but, I am wanting exactly the same feature.. I'd like to be able to just type in an email address for who the reminder should be sent to. This way, if I want to sent to myself and a client, then I can set up two alarms, one the standard way (to my email) and another email alarm (at the same, or a different time) to a clients email address.
  I'm wondering, if it can't be done as a standard iCal feature, maybe the user of Apple Script might do it? There's an option to Run Script as an alarm category. Selecting this brings up a file browser to select the script you want to run. So I wonder, does anyone know how this could be achieved using Script maybe?
  Or failing that, is there an Add-on that's already been written to iCal? I can't seem to find one, and I'm guessing that because Ferd II has replied with an "I dont know how" answer, then perhaps there's no real solution... haha, I see Ferd II that you're a frequent and knowledgeable iCal poster in these forums!
  Fingers crossed we find a solution...

• False Alarms?

  Hi,
  We have noticed alarms being displayed on Cisco Prime Collaboration for endpoints that seem as if they are false.. Has anyone experienced this before?
  For example we have a Cisco C90 Codec that is displaying Microphone errors on inputs that are utilised and inputs that are not however upon using the system it seems fine.
  Below is an example error we are getting
  Would this have anything to do with the version the endpoint is on maybe?

  I forgot to put above which version we are running which is version 9.5.34267