TCC_2
Level 10

Core issue

This problem occurs when signatures 1330/12 and 1330/17 deny legitimate traffic inline.

Note: The 1330 signatures, by default, deny inline but do not produce alerts.

Resolution

Signature 1330 has 19 subsignatures. To resolve this problem, first narrow down which specific subsignature causes the denies.

You can see the status of all the signatures in the output of the show statistics virtual-sensor command, which is included in the show tech output.

You can add the produce alert action to all 19 subsignatures of signature ID 1330 so that you receive an alert each time one of them fires.

On the basis of the alerts generated, you can then create event-action filters for the offending subsignatures in order to resolve the problem.

Because some signatures are configured without the produce alert action, you can configure an event-action override in order to enable alerts for all signatures at once.

For example, in IDM choose Event Action Rules > Event Action Overrides, and add an override with produce alert as the action for a 0-100 risk rating.

Because every event carries a risk rating within 0-100, this effectively turns on the produce alert action for all signatures.

Note: Once alerts are enabled for everything, you can expect many alerts for signature ID 3030 in the logs. 3030 is a common signature to fire, as it triggers on several TCP SYN packets sent from a single host. Refer to MySDN for complete information on 3030.

If you do not want to see alerts for 3030, you can create an event action filter for your internal subnets and this signature.
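The triage step described above (tally which 1330 subsignatures are denying internal-to-internal traffic, then derive filter candidates) as an added example; this is not code from the original post or from Cisco. The one-line alert format, the 10.0.0.0/8 internal range and the filter dictionary keys are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample alerts in a simplified one-line format (not real Cisco IPS
# output). Fields: sigId/subSigId attacker victim rr=<risk rating> actions=<taken>.
SAMPLE_ALERTS = """\
1330/12 10.1.1.5 10.2.2.9 rr=45 actions=deny-inline
1330/12 10.1.1.6 10.2.2.9 rr=45 actions=deny-inline
1330/17 10.1.1.5 10.2.2.9 rr=45 actions=deny-inline
1330/12 10.1.1.7 10.2.2.10 rr=45 actions=deny-inline
3030/0 203.0.113.4 10.2.2.9 rr=70 actions=produce-alert
1330/3 198.51.100.8 10.2.2.9 rr=45 actions=deny-inline
"""

# Assumed internal address space for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_alert(line):
    """Parse one constructed alert line into a dict; returns None for blank/odd lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    sig, subsig = (int(x) for x in parts[0].split("/"))
    return {"sig": sig, "subsig": subsig,
            "attacker": ipaddress.ip_address(parts[1]),
            "victim": ipaddress.ip_address(parts[2]),
            "rr": int(parts[3].split("=", 1)[1]),
            "actions": parts[4].split("=", 1)[1].split(",")}


def is_internal(addr, nets=INTERNAL_NETS):
    return any(addr in net for net in nets)


def tally_1330_denies(text, nets=INTERNAL_NETS):
    """Count, per 1330 subsignature, inline denies where both endpoints are internal."""
    counts = Counter()
    for line in text.splitlines():
        a = parse_alert(line)
        if (a and a["sig"] == 1330 and "deny-inline" in a["actions"]
                and is_internal(a["attacker"], nets) and is_internal(a["victim"], nets)):
            counts[a["subsig"]] += 1
    return dict(counts)


def proposed_filters(counts, nets=INTERNAL_NETS, min_hits=2):
    """Filter candidates (keys are an assumed mirror of the IDM filter fields),
    scoped to the internal nets and only to subsignatures that fired repeatedly."""
    return [{"sig": 1330, "subsig": s, "attacker": str(net), "victim": str(net),
             "subtract": ["deny-inline"]}
            for s, n in sorted(counts.items()) if n >= min_hits for net in nets]
```

Scoping each filter to one subsignature and the internal subnets keeps the deny-inline action in place for the other 1330 subsignatures and for external sources.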
