01-28-2013 04:07 AM - edited 03-10-2019 05:52 AM
I have a website with very high hit rate which is protected by IPS. There've been complains about some dropped request so I've gone through IPS Event Viewer and I found many of this:
evError: eventId=1321353761353146007 vendor=Cisco severity=error
originator:
hostId: xxx
appName: sensorApp
appInstanceId: 17803
time: xxx
errorMessage: Too many (2048) active services in external/tcp. Event for port [random_port_number] has been discarded name=errUnclassified
Does anyone know if this related and where/if amount of active services can be controlled?
Additional info:
Platform: WS-SVC-IDSM-2
Build Version: 7.0(6)E4
Bypass mode: auto
Any help will be much appreciated.
Regards
Mariusz
Solved! Go to Solution.
01-28-2013 07:58 PM
As a workaround, you may disable anomaly-detection feature.
Regards,
Sawan Gupta
01-28-2013 07:58 PM
As a workaround, you may disable anomaly-detection feature.
Regards,
Sawan Gupta
01-30-2013 04:31 AM
Hi Sawan,
Thank you for reply.
I can't disable this feature because of security requirements.
After some further investigation the drop rate doesn't seem to be related to the errors on the IPS.
So the error is probably not affecting the website but is still interesting why I am getting these messages few times a day.
Does anyone has any idea?
Regards
Mariusz
01-30-2013 09:04 PM
You receive this event becuase you have more than 2048 active service on a particular port.
Regards,
Sawan Gupta
02-04-2013 04:42 AM
Hi Sawan,
Just to give you an update.
Probably type of traffic going through the IPS is too unpredictable, so after some internal discussions we've decided to disable anomaly detection feature.
I am monitoring the IPS and post the result soon.
Many thanks
Mariusz
02-06-2013 01:47 AM
Hi Sawan,
After disabling anomaly-detection feature I am not getting discarded event errors any more.
Looks like this is not going to cause any harm so I am happy with the workaround.
Regards
Mariusz
02-10-2013 03:18 AM
Good to know.
Thanks!
Sawan
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide