This document addresses the most frequently asked questions (FAQs)
related to the Cisco Traffic Anomaly Detector and Guard (Riverhead
Refer to the
Technical Tips Conventions for more information on document
What is the default password for the Cisco Traffic Anomaly Detector and
A. The default password for the Cisco Traffic Anomaly Detector and Guard
I changed the date information from 08062004 to a future date of
12012004 using the "date 12012004" CLI command. I then tested the date change
to a zone via the SNMP OID rhZoneLastChangeTime. This worked well except when
the date is changed to a date earlier than the last changed date. Next, I
changed the date back to 08062004 on the CLI. However, the SNMP OID response to
query for rhZoneLastChangeTime remained 12012004 (the old date). After a
reload, the OID response showed the correct (last) date change. Is this a bug?
A. This is Cisco bug ID
registered customers only)
. It is generally not recommended to
change the time of the device backwards. This can result in the overlap of some
history data. A workaround for this problem is to restart the snmp-server
whenever the time is set backwards:
admin@Guard-conf#no service snmp-server
This clears the SNMP cache and brings the updated data to the
What is the difference between TCP Reset and TCP Safe-Reset?
Reset: Suitable for all TCP applications that retry
to connect when a RST packet is received (or enable the user to reconnect). The
connection is closed with a RST packet and no tag is sent. See figure for the
packet flow of the Reset algorithm.
Safe-Reset: While the above method requires
application-level awareness, safe-reset requires only TCP stack RFC compliance,
but adds a 3-second delay to the first connection setup time. It is suitable
for most automatic TCP protocols (such as mail). As a reply to the client SYN,
the Guard sends an ACK with a bad acknowledgment number which holds a cookie.
If the client is compliant with RFC 793, it answers with a RST packet which
contains the bad acknowledgment number and retransmits the original SYN after a
3-second timeout. When the Guard receives the RST packet with the bad
acknowledgment number, it authenticates the connection and does not interfere
with the next connection. The main caveat in this solution is that some
firewalls silently drop the badly-numbered ACK even though this is not RFC
compliant. In order to provide a solution in such cases, if the Guard receives a
second SYN packet from the same source within 4 seconds of the first, with no
RST in between, the second SYN is treated in the same way as it is treated in
the Reset method.
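
The Safe-Reset decision logic described above, as a small Python model. This is an added example, not Cisco code: the class, method names and action labels are hypothetical, and the HMAC-based cookie is an assumption, since the page does not say how the Guard derives its cookie.

```python
import hashlib
import hmac

FALLBACK_WINDOW = 4.0  # seconds; from the text: second SYN within 4 s, no RST


class SafeResetGuard:
    """Toy model of the Safe-Reset decisions described above (not Cisco code)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}           # (ip, port) -> time the challenged SYN arrived
        self.authenticated = set()  # sources that answered the challenge

    def cookie(self, src):
        # Assumption: the cookie is a truncated HMAC over the source address.
        msg = f"{src[0]}:{src[1]}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, now):
        if src in self.authenticated:
            return ("PASS", None)            # Guard no longer interferes
        first = self.pending.get(src)
        if first is not None and now - first < FALLBACK_WINDOW:
            del self.pending[src]            # bad ACK was probably dropped
            return ("RESET_METHOD", None)    # handle as in the Reset method
        self.pending[src] = now
        return ("ACK", self.cookie(src))     # ACK with bad ack number = cookie

    def on_rst(self, src, seq):
        # An RFC 793 client echoes the bad acknowledgment number in its RST.
        got = (seq & 0xFFFFFFFF).to_bytes(4, "big")
        want = self.cookie(src).to_bytes(4, "big")
        if src in self.pending and hmac.compare_digest(got, want):
            del self.pending[src]
            self.authenticated.add(src)
            return True
        return False                         # wrong cookie or no challenge


if __name__ == "__main__":
    guard = SafeResetGuard(b"constructed-demo-secret")
    client = ("192.0.2.10", 40000)           # constructed sample address
    _, ck = guard.on_syn(client, 0.0)
    print(guard.on_rst(client, ck), guard.on_syn(client, 3.0))
```

A source that never sees the challenge ACK, such as a spoofed address, cannot echo the cookie, so its RST is rejected and it is never added to the authenticated set.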
After an upgrade I receive the "Can't connect to management module;
SYSTEM IS NOT FULLY OPERATIONAL: Connection refused Can't write to socket"
error message. How do I fix this?
A. In addition to the Can't connect to management module;
SYSTEM IS NOT FULLY OPERATIONAL: Connection refused Can't write to
socket error message, this error is generated when you reboot:
Are you sure? Type 'yes' to reboot
sh: /sbin/reboot: Input/output error
Can't connect to managment module; SYSTEM IS NOT FULLY OPERATIONAL:
Can't write to socket
Management module is busy. Please try again in 10 seconds
Failed to get counters
Message from syslogd@GUARDUS at Sun Sep 19 17:38:51 2004 ...
GUARD-US RHWatchdog: RHWatchdog: subsystem failure - CM
This looks like a file system error on the Guard. In order to solve the
FS errors, reboot the Guard and watch the fsck process closely. If you get
into single-user mode, issue the fsck -y / command to request a manual run
of fsck.
When I configure a Zone using the default template, I am unable to find
the HTTP policy template under the zone when I issue the "show policies"
command. I see every other policy template except for HTTP. How can I find it?
A. The default policy is available when you issue the wr t
| command and include HTTP. This shows you something similar to
policy-template http -1 10.0 enabled. The Cisco Traffic
Anomaly Detector and Guard then looks at traffic that is based on the threshold
form that the HTTP policy is based on.
How do I perform root user password recovery?
A. Refer to
Guard and Traffic Anomaly Detector Password Recovery for instructions on
root user password recovery.
Can I import custom SSL certificates to Cisco Anomaly
A. No, Cisco Anomaly Guard only supports the self-signed SSL
I received this error message. How can I resolve the issue?
RHWatchdog: RHWatchdog: Hardware Monitoring card reports HW errors.
A. Reseat the power supply to resolve the issue.