Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1185
Views
0
Helpful
7
Replies

Src: 0.0.0.0 Dst: 0.0.0.0

p.mckay
Level 1
Level 1

‎06-25-2008 01:11 PM

When trying to tune for a False Positive I can't do this as the MARS continues to ask for a valid ip address.

The event is coming from a firewall and the event is known so I just want to stop this from appearing in the Incidents.

Labels:
0 Helpful
7 Replies 7

Farrukh Haroon
VIP Alumni
VIP Alumni

‎06-26-2008 12:25 AM

When I click the attachment it gives me this error:

"Document does not exist!"

Can you just paste the RAW event received from the firewall over here? Or re-attach that file.

Regards

Farrukh

P.S if you use the 'name' command on the firewall it will show as 0.0.0.0 in MARS.

0 Helpful

p.mckay
Level 1
Level 1
In response to Farrukh Haroon

‎06-26-2008 08:41 AM

So where is the edit button for the orginal message?

I have the "no names" command in the firewall

Anyhow not sure how copy/save/export of the raw data but the message is

PIX Stateful failover unable to create a translation slot (xlate)

Source IP/Port 0.0.0.0 0

Destination IP/Port 0.0.0.0 0

Reporting Device secondary.nxxpixdvc01.xxx.net

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to p.mckay

‎06-26-2008 08:59 AM

Have you tried the Cisco solution to the real problem? These messages are not normal, as per the docs:

"If this error repeats frequently, use the write standby command on the Active unit to synchronize system memory between the Active and Standby units."

Regards

Farrukh

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to Farrukh Haroon

‎06-26-2008 09:00 AM

Otherwise you can just remove this message from that particular rule. Or do false positive tuning without IPs.

Regards

Farrukh

0 Helpful

p.mckay
Level 1
Level 1
In response to Farrukh Haroon

‎06-26-2008 09:05 AM

Sure but when I use the method of clikcing the False Positive tuning from the incident I am taken through the steps. The normal flow let's you select any to any ip to any etc. But with a 0.0.0.0 as the IP address in this process you can't use the intergarted process for tuning from the looks of it. The MARS will contiune to ask for a valid IP address.

0 Helpful

p.mckay
Level 1
Level 1
In response to Farrukh Haroon

‎06-26-2008 09:02 AM

I am not concerned about the message from the firewall it's self. I am interested in the handling of the 0.0.0.0 in the Mars and why this ip is being reported in the MARS.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to p.mckay

‎06-26-2008 09:05 AM

I'm not aware of handling the 0.0.0.0 in MARS itself, you have to find the root of the problem (like 'name' command etc. and then work from there). Or use any 'other' criteria to tune this false positive in MARS.

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents