I have a website with very high hit rate which is protected by IPS. There have been complaints about some dropped requests, so I've gone through IPS Event Viewer and I found many of these:
evError: eventId=1321353761353146007 vendor=Cisco severity=error
errorMessage: Too many (2048) active services in external/tcp. Event for port [random_port_number] has been discarded name=errUnclassified
Does anyone know if this is related and where/if the amount of active services can be controlled?
Build Version: 7.0(6)E4
Bypass mode: auto
Any help will be much appreciated.
Thank you for the reply.
I can't disable this feature because of security requirements.
After some further investigation the drop rate doesn't seem to be related to the errors on the IPS.
So the error is probably not affecting the website, but it is still interesting why I am getting these messages a few times a day.
Does anyone have any idea?
You receive this event because you have more than 2048 active services on a particular port.
Just to give you an update.
Probably the type of traffic going through the IPS is too unpredictable, so after some internal discussions we've decided to disable the anomaly detection feature.
I am monitoring the IPS and will post the result soon.
After disabling the anomaly-detection feature I am not getting discarded event errors any more.
Looks like this is not going to cause any harm so I am happy with the workaround.