cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
722
Views
0
Helpful
7
Replies

RTMT alert in CM 8.5.1.15900-4

Shantha Murthy
Level 1
Level 1

Hi everyone,

Today while monitoring RTMT I found out new alert.

At Thu Jan 02 13:44:09 GMT 2014 on node 10.156.125.3, the following SyslogSeverityMatchFound events generated:

SeverityMatch : Critical

MatchedEvent : Jan  2 13:43:32 VDVPCCS02 local4 2 : 1073720: VDVPCCS02: Jan 02 2014 13:43:32.620 +0000: %CSA-2-EVENT_CLIM_DENY: %[PID=11257][component=CiscoSecurityAgent] : The process '/common/log/taos-log-a/cm/bin/ccm' (as user ccmbase(514) group ccmbase(506)) attempted to establish a TCP connection with SDORA531 on port 5060 and exceeded the specified rate limit of 7500 connections in 1 minutes. The operation was denied. [rule 927]

AppID : Cisco Syslog Agent

ClusterID :

NodeID : VDVPCCS02

TimeStamp : Thu Jan 02 13:43:32 GMT 2014

Please suggest why and how it can be resloved.

Wish you happy new year.

Regards,

Shantha Murthy.

1 Accepted Solution

Accepted Solutions

I checked your case and I see that is has been actively worked for quite some time now.  Are you in touch with Samil about the latest updates on this?  I see multiple messages exchanged just today between the TAC engineer and Samil.

View solution in original post

7 Replies 7

Nadeem Ahmed
Cisco Employee
Cisco Employee

What is this node is SDORA531?  seem like this node trying to connect to over SIP TCP port 5060 and was exceeding the limit. could you please check the connectivity between this nodes .Probable reason some n/w issue during this time when you get this alert .

Are you still getting this alert? How frequent it is ? Meanwhil check the connectivity.


Br,
Nadeem 

Please rate all useful post.

Br, Nadeem Please rate all useful post.

HI Nadeem,

Thanks for reply.

Sdora531 is Verint recording server node. CM and sdora531 are in LAN.

Frequency: Every 45mins and still we are facing the issue.

Regards,

Shantha Murthy

I would take a packet capture from VDVPCCS02 for a minute or two and also enable detailed Cisco CallManager traces to see what is causing all of the SIP traffic leading to the rate limit alert.  Here is how to take a packet capture from your CUCM server, https://supportforums.cisco.com/docs/DOC-11599 and here is how to enabled and collect traces

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080094e89.shtml.

Thanks for reply and information.

Cisco TAC team is working on this issue from last 15 days :-( and yet no response from them. finger crossed.

I checked your case and I see that is has been actively worked for quite some time now.  Are you in touch with Samil about the latest updates on this?  I see multiple messages exchanged just today between the TAC engineer and Samil.

Hey Joe,

Great follow up here my friend! Top notch service

to be sure +5

Cheers!

Rob

"When it comes to luck you make your own  " 

- Springsteen

Yes ur right. Samil and Cisco TAC are working together. My collegue is working with Samil regarding this and I'm checking in forum for assistance.:-)