PGW alarm: Blacklist Threshold exceeded


I am getting continuous alarms about 15 min, 60 min. and 24 hour "Blacklist Threshold exceeded". Cisco docs don't say much about it.

Does anyone have a clue what might be causing these alarms? I don't have any Blacklists implemented (only whitelists). There are frequent call failures due to other reasons.

I am suspecting that those other failures are being marked as Blacklist failures. I am running version 9.4(1).


teodorgeorgiev Sat, 05/27/2006 - 08:14


Hi,


I am not 100% sure, but here is the case:


When you have configured a whitelist, every call which does NOT conform to the whitelist rule(s) is rejected. These rejected calls are the calls that trigger the alarm.



Thanks, but the explanation is not satisfactory.

These alarms have started recently, and I can trace them to failures of MGCP DialPackage calls.

As far as I read in Cisco docs, the values of the thresholds are hard coded. Does anybody know otherwise?

There is a bug in MGC (CSCsc66392) related to this issue.

Any other ideas?


anikas Thu, 06/15/2006 - 11:52


Here is why you are seeing this alarm:

MDL BLKLST 15

Description: 15-minute blacklist threshold exceeded.

Severity: Minor

Cause: More than ten calls have been blacklisted within 15 minutes.

Type: 3 (Processing error alarm)

Action: The alarm clears automatically when the number of blacklisted calls drops below eight. Be alert for a potential hacker into the system

and also following information from release notes:

Provisioning Whitelist and Blacklist Screening

You can provision whitelists or blacklists to include or exclude calls from certain numbers. You can provision whitelists that allow calls from specified A-numbers or to specified B-numbers. Blacklists block calls from specified A-numbers or to specified B-numbers.

To provision a whitelist or blacklist, you must complete the following procedures:

  • Create the list file
  • Add numbers to the list file
  • Process the list file



The alarm is related to the failed screening in the whitelist.

Any number not in the white list is treated as black list.


If you want to see which numbers are failing then you will have to perform an MDL trace and then determine if these numbers need to be added to your white list or if they are just being blocked like they are supposed to.


Andreas
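
Added example, not part of the thread and not Cisco code: a small Python model of the behaviour described in the reply above, where any A-number missing from the whitelist counts as a blacklisted call, the 15-minute alarm raises above ten and clears below eight. The sliding window, the `(timestamp, A-number)` record format, the function name and the phone numbers are assumptions made for illustration.

```python
from collections import Counter, deque

WINDOW_S = 15 * 60   # 15-minute interval named in the alarm description
RAISE_ABOVE = 10     # raised when more than ten calls are blacklisted
CLEAR_BELOW = 8      # cleared when the count drops below eight

def screen_calls(calls, whitelist):
    """Replay (timestamp_s, a_number) attempts against an A-number whitelist.

    Returns (events, failed): events is a list of (timestamp_s, "RAISE"|"CLEAR"),
    failed counts screening failures per A-number.
    Assumption: a sliding window evaluated on each call arrival.
    """
    recent = deque()          # timestamps of failures still inside the window
    failed = Counter()
    events, alarm = [], False
    for ts, a_number in sorted(calls):
        while recent and recent[0] <= ts - WINDOW_S:
            recent.popleft()  # age out failures older than the window
        if alarm and len(recent) < CLEAR_BELOW:
            alarm = False
            events.append((ts, "CLEAR"))
        if a_number not in whitelist:
            # Not on the whitelist: screening fails and counts as blacklisted.
            recent.append(ts)
            failed[a_number] += 1
            if not alarm and len(recent) > RAISE_ABOVE:
                alarm = True
                events.append((ts, "RAISE"))
    return events, failed

# Constructed sample: one listed caller every 60 s for 40 minutes, and one
# unlisted caller retrying every 30 s for the first 5.5 minutes (12 attempts).
WHITELIST = {"5550100", "5550101"}
SAMPLE_CALLS = [(t, "5550100") for t in range(0, 2401, 60)]
SAMPLE_CALLS += [(t, "5550199") for t in range(0, 331, 30)]

if __name__ == "__main__":
    events, failed = screen_calls(SAMPLE_CALLS, WHITELIST)
    print(events)
    print(failed.most_common())
```

The per-number failure count is the list to review when deciding whether a number belongs on the whitelist or is being blocked as intended.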
