Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Src: 0.0.0.0 Dst: 0.0.0.0

When trying to tune for a False Positive I can't do this as the MARS continues to ask for a valid ip address.

The event is coming from a firewall and the event is known so I just want to stop this from appearing in the Incidents.

7 REPLIES

Re: Src: 0.0.0.0 Dst: 0.0.0.0

When I click the attachment it gives me this error:

"Document does not exist!"

Can you just paste the RAW event received from the firewall over here? Or re-attach that file.

Regards

Farrukh

P.S if you use the 'name' command on the firewall it will show as 0.0.0.0 in MARS.

New Member

Re: Src: 0.0.0.0 Dst: 0.0.0.0

So where is the edit button for the orginal message?

I have the "no names" command in the firewall

Anyhow not sure how copy/save/export of the raw data but the message is

PIX Stateful failover unable to create a translation slot (xlate)

Source IP/Port 0.0.0.0 0

Destination IP/Port 0.0.0.0 0

Reporting Device secondary.nxxpixdvc01.xxx.net

Re: Src: 0.0.0.0 Dst: 0.0.0.0

Have you tried the Cisco solution to the real problem? These messages are not normal, as per the docs:

"If this error repeats frequently, use the write standby command on the Active unit to synchronize system memory between the Active and Standby units."

Regards

Farrukh

Re: Src: 0.0.0.0 Dst: 0.0.0.0

Otherwise you can just remove this message from that particular rule. Or do false positive tuning without IPs.

Regards

Farrukh

New Member

Re: Src: 0.0.0.0 Dst: 0.0.0.0

Sure but when I use the method of clikcing the False Positive tuning from the incident I am taken through the steps. The normal flow let's you select any to any ip to any etc. But with a 0.0.0.0 as the IP address in this process you can't use the intergarted process for tuning from the looks of it. The MARS will contiune to ask for a valid IP address.

New Member

Re: Src: 0.0.0.0 Dst: 0.0.0.0

I am not concerned about the message from the firewall it's self. I am interested in the handling of the 0.0.0.0 in the Mars and why this ip is being reported in the MARS.

Re: Src: 0.0.0.0 Dst: 0.0.0.0

I'm not aware of handling the 0.0.0.0 in MARS itself, you have to find the root of the problem (like 'name' command etc. and then work from there). Or use any 'other' criteria to tune this false positive in MARS.

Regards

Farrukh

386
Views
0
Helpful
7
Replies
CreatePlease to create content