Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

CS MARS source ip 0.0.0.0

Hi!

CS MARS reports with a source ip address of 0.0.0.0 and port number 0. What does this mean?

Thank you in advance!

Please rate replies and mark question as "answered" if applicable.
2 ACCEPTED SOLUTIONS

Accepted Solutions
Green

Re: CS MARS source ip 0.0.0.0

You can always click on event type which will give you a popup window with description of event.

Cisco MARS detected an inactive reporting device that has not reported any event to MARS in the last hour. This may indicate that the device is not functioning properly.

Green

Re: CS MARS source ip 0.0.0.0

Click on the Incident ID, something like I:########, this will give you the individual sessions which created the incident. Note the destination IP address. You can also hit the icon for "raw messages" under the "reporting device" column.

7 REPLIES
Green

Re: CS MARS source ip 0.0.0.0

From what I can tell, it displays 0.0.0.0 because the event was not triggered by the inspection of a packet with source and destination address or the source/destination cannot be derived from the logged message. For example, the event "inactive reporting device" from Mars does not have a source address and therefore displays 0.0.0.0.

Is this correct?

Re: CS MARS source ip 0.0.0.0

yeah your right, I received this alert with the event type - "inactive CS-MARS reporting device".

Can you explain further regarding this event type. Its not very clear with me.

Thank you very much for your fast response!

Please rate replies and mark question as "answered" if applicable.
Green

Re: CS MARS source ip 0.0.0.0

You can always click on event type which will give you a popup window with description of event.

Cisco MARS detected an inactive reporting device that has not reported any event to MARS in the last hour. This may indicate that the device is not functioning properly.

Re: CS MARS source ip 0.0.0.0

By simply clicking the event type I cannot determine which device/s is/are not functioning properly, then how will you know?

By selecting also the path information icon under the PATH column it's not stated there what device/s is/are down or not functioning properly.

Please rate replies and mark question as "answered" if applicable.
Green

Re: CS MARS source ip 0.0.0.0

Click on the Incident ID, something like I:########, this will give you the individual sessions which created the incident. Note the destination IP address. You can also hit the icon for "raw messages" under the "reporting device" column.

Re: CS MARS source ip 0.0.0.0

thank you buddy.. i saw the device that was not reporting.. i saw it under RAW MESSAGE.

Please rate replies and mark question as "answered" if applicable.
Green

Re: CS MARS source ip 0.0.0.0

Also, you will not see the PATH when the source/destination is 0.0.0.0 like we talked about above.

261
Views
0
Helpful
7
Replies
CreatePlease to create content