IDS - TLS handshake incomplete

Unanswered Question
May 31st, 2007

Hello guys,

I'm the system administrator for a small company and I'm experiencing strange behaviour on 1 of my 4 IDS 4235 sensors running 4.1.(5)S252. Two of them are on the external (toward internet) and 2 of them are on the internal network. They are all managed by IDSMC 2.1 and CiscoWorks 2.1. At the moment the one on the inside cannot be reached with IEV, with the following errors:

evError: eventId=1089392073211120283 severity=error

originator:

hostId: sensor-1-int

appName: cidwebserver

appInstanceId: 1634

time: 2007/05/31 15:27:23 2007/05/31 17:27:23 cet

errorMessage: name=errUnclassified srvcReq protoErr: unexpected_message [10,0]

evError: eventId=1089392073211120284 severity=error

originator:

hostId: sensor-1-int

appName: cidwebserver

appInstanceId: 1331

time: 2007/05/31 15:27:23 2007/05/31 17:27:23 cet

errorMessage: name=errTransport WebSession::sessionTask(3) TLS connection exception: handshake incomplete.

Googling around I noticed similar behaviour under SSL DoS attack, but my logs are a little bit different, so I think and HOPE that it is not a DoS.

In the meantime I thank you and give my best regards, waiting for some feedback.

simone
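Added example, not part of the original post and not Cisco tooling: a small parser for evError output pasted in the layout shown above, which counts `errTransport` "handshake incomplete" events per sensor and minute so they can be lined up against IEV connection attempts. The sample is constructed from the two records in the post; using the first of the two timestamps in the `time` field as the event time is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the two records from the post, blank lines collapsed.
SAMPLE = """\
evError: eventId=1089392073211120283 severity=error
originator:
hostId: sensor-1-int
appName: cidwebserver
appInstanceId: 1634
time: 2007/05/31 15:27:23 2007/05/31 17:27:23 cet
errorMessage: name=errUnclassified srvcReq protoErr: unexpected_message [10,0]
evError: eventId=1089392073211120284 severity=error
originator:
hostId: sensor-1-int
appName: cidwebserver
appInstanceId: 1331
time: 2007/05/31 15:27:23 2007/05/31 17:27:23 cet
errorMessage: name=errTransport WebSession::sessionTask(3) TLS connection exception: handshake incomplete.
"""

def parse_events(text):
    """Return one dict per evError record; blank lines are ignored."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        header = re.match(r"evError: eventId=(\d+) severity=(\w+)", line)
        if header:
            events.append({"eventId": header.group(1), "severity": header.group(2)})
        elif events and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            events[-1][key.strip()] = value.strip()
    for ev in events:
        # Assumption: the first timestamp in the field is the event time.
        ev["when"] = datetime.strptime(ev["time"][:19], "%Y/%m/%d %H:%M:%S")
        msg = re.match(r"name=(\w+)\s+(.*)", ev.get("errorMessage", ""))
        ev["errName"], ev["detail"] = msg.groups() if msg else ("", "")
    return events

def tls_failures_per_minute(events):
    """Count TLS handshake failures keyed by (hostId, minute)."""
    counts = Counter()
    for ev in events:
        if ev["errName"] == "errTransport" and "handshake incomplete" in ev["detail"]:
            counts[(ev["hostId"], ev["when"].strftime("%Y-%m-%d %H:%M"))] += 1
    return counts
```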

rhermes Thu, 05/31/2007 - 11:06

Assuming you have connectivity between your VMS and sensor, try deleting and re-adding the sensor in VMS. This has fixed this problem for me.

attmidsteam Fri, 06/01/2007 - 13:12

You may want to upgrade to at least 5.1(x) as there is no longer signature support for 4.x sensors.

That aside, a cert expiration on the sensor can result in a failed TLS handshake. Re-importing as the previous poster noted will give you a much better perspective of what the problem may be.

Hope this helps.

simonecarbonara Wed, 06/06/2007 - 01:22

Yeah,

and in fact I did this operation and it leads to the same behaviour. Thank you all guys for the support.

I'll probably need to upgrade my sensor to the new IPS version, but this is dependent on my old VMS version 2.2 and OS machine with Windows 2000. So as far as I know I should upgrade Windows 2000 to 2003, then update VMS to the latest version, and then upgrade the sensors to 5.x to be imported into the new VMS version (2.3?). Is that correct?

Thank you all

simone

rhermes Wed, 06/06/2007 - 11:50

I'm running VMS 2.3 with the latest patches on several Windows 2000 server boxes with 5.x sensors.