Src: Dst:

Unanswered Question
Jun 25th, 2008

When trying to tune for a False Positive I can't do this as the MARS continues to ask for a valid ip address.

The event is coming from a firewall and the event is known so I just want to stop this from appearing in the Incidents.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Thu, 06/26/2008 - 00:25

When I click the attachment it gives me this error:

"Document does not exist!"

Can you just paste the RAW event received from the firewall over here? Or re-attach that file.



P.S if you use the 'name' command on the firewall it will show as in MARS.

p.mckay Thu, 06/26/2008 - 08:41

So where is the edit button for the orginal message?

I have the "no names" command in the firewall

Anyhow not sure how copy/save/export of the raw data but the message is

PIX Stateful failover unable to create a translation slot (xlate)

Source IP/Port 0

Destination IP/Port 0

Reporting Device

Farrukh Haroon Thu, 06/26/2008 - 08:59

Have you tried the Cisco solution to the real problem? These messages are not normal, as per the docs:

"If this error repeats frequently, use the write standby command on the Active unit to synchronize system memory between the Active and Standby units."



Farrukh Haroon Thu, 06/26/2008 - 09:00

Otherwise you can just remove this message from that particular rule. Or do false positive tuning without IPs.



p.mckay Thu, 06/26/2008 - 09:05

Sure but when I use the method of clikcing the False Positive tuning from the incident I am taken through the steps. The normal flow let's you select any to any ip to any etc. But with a as the IP address in this process you can't use the intergarted process for tuning from the looks of it. The MARS will contiune to ask for a valid IP address.

p.mckay Thu, 06/26/2008 - 09:02

I am not concerned about the message from the firewall it's self. I am interested in the handling of the in the Mars and why this ip is being reported in the MARS.

Farrukh Haroon Thu, 06/26/2008 - 09:05

I'm not aware of handling the in MARS itself, you have to find the root of the problem (like 'name' command etc. and then work from there). Or use any 'other' criteria to tune this false positive in MARS.




This Discussion