CS-MARS 4.3.1 and Cisco IPS 5.1(6)

Sep 27th, 2007

Hello everyone,


I start this discussion as I think I'm experiencing something really strange with CS-MARS 4.3.1 (build 2600) and Cisco IPS 5.1(6).


Today I upgraded our MARS box from 4.2.8 to 4.3.1, and a bit later I decided to migrate one of our IPS from 4.1 to 5.1.


After all the upgrades, I deleted the old IDS 4.1 from MARS and recreated it. But I can't get MARS to communicate with the IPS! From the MARS box I can "telnet ... 443" and I get a response, but MARS complains again and again of not being able to contact the IPS. "Try a telnet ... 443 from the MARS appliance to check if IP connectivity is present" is the message reported by "View Error" after a "test connectivity" has been issued.


The problem is that I need that first connection to make MARS subscribe to the IPS in order to receive the logs.


I tried with a 5.1 IPS that was already present before the upgrade: same result, "Can't connect". But as the MARS box had previously subscribed to the IPS, the logs are arriving.


Does anyone else see this strange behaviour?


Regards,

Jean-François Gobin

hoffa2000 Fri, 09/28/2007 - 00:58

I have a similar problem. I did an upgrade right after the 4.3.1 release; I did not, however, upgrade my IDSM at the same time since it was already at 5.1(6). I got incoming events from the IDSM and didn't take much notice.

But today I upgraded the IDSM to 6.0(3)E1, and now I get the same error after removing and reconfiguring the IDSM in MARS. I've tried the telnet from MARS and it works fine AND I'm getting events from the IDSM, so I guess there is some bug in the detection process.


/Fredrik

michaelwoolfe Fri, 09/28/2007 - 06:27

I am not sure if my issue is related, but I am trying to configure a 2821's IPS into the Cisco MARS. I have tried several different methods, but I believe that I should use the "Cisco IPS 5.x" device type. When I configure it, I get the same error "Try telnet...". I have successfully tested the port via telnet several times.

I have confirmed that I am not getting any events or alerts from the device by running a query for all raw messages from the one IPS.

Am I using the right Device Type?



2821 RTR @ 12.3(14)T7

MARS @ 4.2.8 (2543).


Note - I am currently running MARS with IDSM2 @ 6.0(2)E1, and it is functioning properly. I have tested the "Test Connectivity" and it also works.

mailho Mon, 10/15/2007 - 18:58

Hi,

I experienced the same things.

Now I am recovering the MARS's image, which is version 4.3.1(2600).

I will post a message next.

Maybe it's a bug....

Hello,

When I upgraded the MARS to 4.3.1, I noticed that the MARS doesn't receive any logs from IPS, ASA and other reporting devices. But when I check ASA and IPS, I'm pretty sure that the ASA and IPS were sending syslog alerts to MARS; the only problem is the MARS could not receive them. I can ping the IPS / ASA in the MARS console, but it failed when I tested the connectivity/discover in the Web Interface.

I also executed the pnstart and pnstatus commands in the CLI console.


This is what I get:


[pnadmin]$ pnstart

[pnadmin]$ pnstatus

Configuration error: host name does not match janus.conf::janusBoxName.

Please contact Cisco for support.

[pnadmin]$


Any ideas about this?...


Carlou

jfgobin01 Tue, 01/22/2008 - 04:18

Hello Carlou,


This behaviour (not being able to discover https devices) is mentioned in the Release Notes. Fortunately, the next version (4.3.2) is out and corrects this.


How do you poll your ASA devices? Syslog or https? If you sniff the traffic on the port your CS-MARS is connected to, do you see anything?


Don't forget to click on "activate". In the latest version, it turns to red to indicate you need to, but in the previous ones, you have to remember it.


Kind regards and hope it helps,

Jean-François (And moving to New York this month).
