CSS 11506 triggering 3030 on ASA IPS

kdurrett · ‎11-17-2006

Folks,

The CSS 11506 is triggering tens of thousands hits with signature 3030. We have many other hosts on the campus hitting this signature but the CSS was by far the biggest offender. My question is to verify if the CSS needs to perform these TCP syn sweeps on a constant basis as part of it's maintaining the cache engine? On the CSS we were receiving 12000 miss and about 1500 hits per minute with a savings over the last 60 day of 18%. While trying to tune the IPS, we tuned 3030 to deny the packet inline. After making the change to 3030, we see that out misses on the CSS are down to around 1200 with 300 hits. We than reset the statistics to get a more accurate count, but now there are no hits/misses. We are still receiving tcp requests. Is the tcp syn sweep necessary for the CSS? TIA.

Kurtis

mhellman · ‎11-17-2006

It certainly seems plausible that a load balancer would use TCP connections to determine which services in a farm are available. Why don't you just create an event filter for your CSS devices?

kdurrett · ‎11-17-2006

Please ignore this post as I'm gonna have to repost with the actual correct information. As I'm sure I left people scratching there heads wondering what the heck I was talking about. DOH!