Our MARS device seems to be up and running correctly. Most of our equipment seems to be correctly configured and appears in the topology. However, when an incident occurs MARS does not list the switch the device is connected to. How would I go about troubleshooting this problem?
Also, I have an unknown device reporting to MARS. Is there a report can use to find the IP address of the unknown device? I suspect I have the reporting address wrong on one of our routers and would like to be able to figure out which one it is.
Sorry, if these are "newb" questions, but I am new to MARS and there doesn't seem to be as many troubleshooting documents as compared to other cisco devices.
These are my thoughts regarding your questions and hopefully some of the other Net Pros will join in.
Firstly, the amount of time that is required to tune the MARS system will vary depending on how the network is set up, and how much the single devices are tuned. In an environment with devices tuned at a medium level, it can take 8 to 12 weeks to have the MARS appliance adjusted.
You didn't mention what types of reporting you were doing but I'll assume you have NetFlow, Syslog and SNMP running on your network. With regards to Netflow, ideally NetFlow information should be collected from the distribution switches and routers. These devices, together with NetFlow from Internet-facing routers or syslog from firewalls, represent the entire network.
Just a word of caution on Netflow. You do not want nor need to turn it on for every networking device. Otherwise you will get multiple copies of the same info. Where you want to turn it on is at logical aggregation points, like your distribution layer, or WAN aggregation router.
Secondly, the term âUnknown Reporting Deviceâ is a discrepancy between the defined IP on the MARS and the reported IP that it receives via syslog.
To determine if a device is sending information to MARS do an Inline Query of Reporting Device Ranking.
The Unknown Device Report is located by clicking on the Query / Reports pull down menu and selecting it from the System Reports.
Run an âUnknown Event Reportingâ query/report, and verify that there are no devices
reporting to MARS with an âunknown reporting IPâ. This means that MARS is parsing correctly
the logs from all the devices and they have been set up correctly. Repeat the same sequence for all subsets of your network that you have identified, until all devices have been added. Repeat the test periodically to make sure that all devices are configured correctly. A good idea is to set an hourly or periodic report to be e-mailed with the list of unknown reporting IPs.
When the network has been fully configured and no âunknown reporting IPsâ are reported for
some time, you can then remove the report, or to change it to a longer period of time.
Hope this helps and that you keep asking questions.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...