cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

634
Views
0
Helpful
6
Replies
Mariusz Bochen
Beginner

Too many active services.

I have a website with very high hit rate which is protected by IPS. There've been complains about some dropped request so I've gone through IPS Event Viewer and I found many of this:

evError: eventId=1321353761353146007  vendor=Cisco  severity=error 

  originator:  

    hostId: xxx 

    appName: sensorApp 

    appInstanceId: 17803 

  time: xxx

  errorMessage: Too many (2048) active services in external/tcp. Event for port [random_port_number] has been discarded  name=errUnclassified 

Does anyone know if this related and where/if amount of active services can be controlled?

Additional info:

Platform: WS-SVC-IDSM-2

Build Version: 7.0(6)E4

Bypass mode: auto

Any help will be much appreciated.

Regards

Mariusz

1 ACCEPTED SOLUTION

Accepted Solutions
sawgupta
Beginner

As a workaround, you may disable anomaly-detection feature.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

View solution in original post

6 REPLIES 6
sawgupta
Beginner

As a workaround, you may disable anomaly-detection feature.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

View solution in original post

Hi Sawan,

Thank you for reply.

I can't disable this feature because of security requirements.

After some further investigation the drop rate doesn't seem to be related to the errors on the IPS.

So the error is probably not affecting the website but is still interesting why I am getting these messages few times a day.

Does anyone has any idea?

Regards

Mariusz

You receive this event becuase you have more than 2048 active service on a particular port.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

Hi Sawan,

Just to give you an update.

Probably type of traffic going through the IPS is too unpredictable, so after some internal discussions we've decided to disable anomaly detection feature.

I am monitoring the IPS and post the result soon.

Many thanks

Mariusz

Hi Sawan,

After disabling anomaly-detection feature I am not getting discarded event errors any more.

Looks like this is not going to cause any harm so I am happy with the workaround.

Regards

Mariusz

Good to know.

Thanks!

Sawan

Thanks & Regards, Sawan Gupta
Content for Community-Ad