05-26-2006 10:06 AM
I am getting continuous alarms about 15 min, 60 min. and 24 hour "Blacklist Threshold exceeded". Cisco docs don't say much about it.
Does anyone have a clue what might be causing these alarms. I don't have any Blacklists implemented (only whitelists). There are frequent call failures due to other reasons.
I am suspecting that those other failures are being marked as Blacklist failures. I am running versions 9.4(1).
05-27-2006 08:14 AM
Hi,
I am not 100% sure, but here is the case:
When you have configured a whitelist, every call which does NOT conform the whitelist rule(s) is rejected. These rejected calls are the calls that trigger the alarm.
05-29-2006 09:52 AM
Thanks, but the explanation is not satisfactory.
These alarms have started recently, and I can trace them to failures of MGCP DialPackage calls.
As far as I read in Cisco docs, the values of the thresholds are hard coded. Does anybody know otherwise?
There is a bug in MGC (CSCsc66392) related to this issue.
Any other ideas?
06-15-2006 11:52 AM
Here is why you are seeing this alarm:
MDL BLKLST 15
Description 15-minute blacklist threshold exceeded.
Severity Minor
Cause More than ten calls have been blacklisted within 15 minutes.
Type 3 (Processing error alarm)
Action The alarm clears automatically when the number of blacklisted
calls drops below eight. Be alert for a potential hacker into the system
and also following information from release notes :
Provisioning Whitelist and Blacklist Screening
You can provision whitelists or blacklists to include or exclude calls
from certain numbers. You can provision whitelists that allow calls from specified A-numbers or to
specified B-numbers. Blacklists block calls from specified A-numbers or to specified B-numbers.
To provision a whitelist or blacklist, you must complete the following procedures:
Create the list file
Add numbers to the list file
Process the list file
The alarm is related to the failed screening in the whitelist.
Any number not in the white list is treated as black list.
If you want to see which numbers are failing then you will have to perform an MDL trace and then determine if these number need to be added to your white list or if they are just being blocked like they are supposed to.
Andreas
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: