Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
289
Views
5
Helpful
1
Replies

IPS/MARS message help

p-allen
Level 1
Level 1

‎11-25-2007 10:55 AM - edited ‎03-10-2019 03:52 AM

We are seeing a simalr message as stated below. It seems to be coming from our Cisco AP. What could be causing this and is it a false positive?

192.168.x.x/0 --> 192.168.x.x/0 N/A ARP Reply-to-Broadcast,NR-7102/0,Time:1192307707,Risk Rating:30,VLAN:x

Labels:
0 Helpful
1 Reply 1

mhellman
Level 7
Level 7

‎11-26-2007 06:32 AM

There are products that use ARP broadcasts as a component of heartbeat/failover...so yes, you may see false positives for this signature. Cisco ASA is one example of many. Enable the trigger packet and you should be able to track down the "offending" device.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card