01-02-2014 06:39 AM - edited 03-16-2019 09:04 PM
Hi everyone,
Today while monitoring RTMT I found out new alert.
At Thu Jan 02 13:44:09 GMT 2014 on node 10.156.125.3, the following SyslogSeverityMatchFound events generated:
SeverityMatch : Critical
MatchedEvent : Jan 2 13:43:32 VDVPCCS02 local4 2 : 1073720: VDVPCCS02: Jan 02 2014 13:43:32.620 +0000: %CSA-2-EVENT_CLIM_DENY: %[PID=11257][component=CiscoSecurityAgent] : The process '/common/log/taos-log-a/cm/bin/ccm' (as user ccmbase(514) group ccmbase(506)) attempted to establish a TCP connection with SDORA531 on port 5060 and exceeded the specified rate limit of 7500 connections in 1 minutes. The operation was denied. [rule 927]
AppID : Cisco Syslog Agent
ClusterID :
NodeID : VDVPCCS02
TimeStamp : Thu Jan 02 13:43:32 GMT 2014
Please suggest why and how it can be resloved.
Wish you happy new year.
Regards,
Shantha Murthy.
Solved! Go to Solution.
01-03-2014 06:33 AM
I checked your case and I see that is has been actively worked for quite some time now. Are you in touch with Samil about the latest updates on this? I see multiple messages exchanged just today between the TAC engineer and Samil.
01-02-2014 08:10 AM
What is this node is SDORA531? seem like this node trying to connect to over SIP TCP port 5060 and was exceeding the limit. could you please check the connectivity between this nodes .Probable reason some n/w issue during this time when you get this alert .
Are you still getting this alert? How frequent it is ? Meanwhil check the connectivity.
Br,
Nadeem
Please rate all useful post.
01-03-2014 01:08 AM
HI Nadeem,
Thanks for reply.
Sdora531 is Verint recording server node. CM and sdora531 are in LAN.
Frequency: Every 45mins and still we are facing the issue.
Regards,
Shantha Murthy
01-03-2014 05:55 AM
I would take a packet capture from VDVPCCS02 for a minute or two and also enable detailed Cisco CallManager traces to see what is causing all of the SIP traffic leading to the rate limit alert. Here is how to take a packet capture from your CUCM server, https://supportforums.cisco.com/docs/DOC-11599 and here is how to enabled and collect traces
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080094e89.shtml.
01-03-2014 06:09 AM
Thanks for reply and information.
Cisco TAC team is working on this issue from last 15 days :-( and yet no response from them. finger crossed.
01-03-2014 06:33 AM
I checked your case and I see that is has been actively worked for quite some time now. Are you in touch with Samil about the latest updates on this? I see multiple messages exchanged just today between the TAC engineer and Samil.
01-03-2014 06:36 AM
Hey Joe,
Great follow up here my friend! Top notch service
to be sure +5
Cheers!
Rob
"When it comes to luck you make your own "
- Springsteen
01-03-2014 06:37 AM
Yes ur right. Samil and Cisco TAC are working together. My collegue is working with Samil regarding this and I'm checking in forum for assistance.:-)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide