CS MARS source ip 0.0.0.0

Rejohn Cuares
Level 4

Hi!

CS MARS reports with a source ip address of 0.0.0.0 and port number 0. What does this mean?

Thank you in advance!

Please rate replies and mark question as "answered" if applicable.
2 Accepted Solutions

You can always click on event type which will give you a popup window with description of event.

Cisco MARS detected an inactive reporting device that has not reported any event to MARS in the last hour. This may indicate that the device is not functioning properly.

Click on the Incident ID, something like I:########, this will give you the individual sessions which created the incident. Note the destination IP address. You can also hit the icon for "raw messages" under the "reporting device" column.

7 Replies

acomiskey
Level 10

From what I can tell, it displays 0.0.0.0 because the event was not triggered by the inspection of a packet with source and destination address or the source/destination cannot be derived from the logged message. For example, the event "inactive reporting device" from Mars does not have a source address and therefore displays 0.0.0.0.

Is this correct?

Yeah, you're right, I received this alert with the event type - "inactive CS-MARS reporting device".

Can you explain further regarding this event type? It's not very clear to me.

Thank you very much for your fast response!

Please rate replies and mark question as "answered" if applicable.

You can always click on event type which will give you a popup window with description of event.

Cisco MARS detected an inactive reporting device that has not reported any event to MARS in the last hour. This may indicate that the device is not functioning properly.

By simply clicking the event type I cannot determine which device/s is/are not functioning properly, then how will you know?

By selecting also the path information icon under the PATH column it's not stated there what device/s is/are down or not functioning properly.

Please rate replies and mark question as "answered" if applicable.

Click on the Incident ID, something like I:########, this will give you the individual sessions which created the incident. Note the destination IP address. You can also hit the icon for "raw messages" under the "reporting device" column.

Thank you, buddy. I saw the device that was not reporting. I saw it under RAW MESSAGE.

Please rate replies and mark question as "answered" if applicable.

Also, you will not see the PATH when the source/destination is 0.0.0.0 like we talked about above.
