MARS 5.3.5 Auto Signature Update

Unanswered Question
Jul 2nd, 2008

I am having some problems getting my MARS box to perform signature updates automatically.


I have entered in the correct proxy information and such, yet when I hit the "Test connectivity" button I immediately get the error "Unable to connect to web server, please check URL, Username and password".


I have the correct username and password in there as I can access the site from a web browser.


Any ideas? I'm not sure where I can look on the device to get visibility into where it's falling over.


Cheers.

mhellman Wed, 07/02/2008 - 05:18

Log in to the MARS CLI and try this:


tcpdump -s0 -X port and


where and are the settings configured in Admin->System Parameters->Proxy Settings.


Then try testing and you should see the connection attempt and it should give you an indication of why it failed.

martinwilson Wed, 07/02/2008 - 16:23

Thanks, a great help.


Using TCPDump and examining our ISA proxy logs, it looks like the MARS is trying to authenticate to our proxy as anonymous, despite the fact that I have set the proxy settings + username and password within MARS.


Seems strange, any ideas?

mhellman Thu, 07/03/2008 - 06:31

What type of authentication is the ISA proxy configured for? If you're not sure, get a trace and look at the "Proxy-Authenticate" HTTP header(s) being returned by the proxy in the "407 proxy auth required" response. It's just a wag, but the Jakarta http client may not like any of the types of authentication being offered up by the proxy (in particular, NTLM wouldn't work).


You could just whitelist the following URL on the ISA proxy server:


https://www.cisco.com/cgi-bin/ida/locator/locator.pl

mhellman Thu, 07/03/2008 - 06:48

Never mind all that. I looked at the connection and it's a direct CONNECT call using basic authentication. I'm curious, what makes you conclude that it's trying to authenticate as "anonymous"?


What you should see is something like this:


CONNECT http://www.cisco.com:443 HTTP/1.1
Authorization: Basic
Proxy-Authorization: Basic
User-Agent: Jakarta.Commons-HttpClient/2.0final
Host: http://www.cisco.com
Proxy-Connection: Keep-Alive

Farrukh Haroon Sun, 07/06/2008 - 03:05

Just remember that MARS opens two separate connections to the Cisco website, one is HTTP and the other is HTTPS. I hope you have both of those allowed.


Regards


Farrukh

rmeans Wed, 07/09/2008 - 12:26

I am running MARS 4.3. I have my auto update pointed to Cisco (https://www.cisco.com/cgi-bin/ida/locator/locator.pl). The updates have worked fine until today. For some reason my password in the MARS config became corrupt. After resetting my CCO password in MARS, the MARS IPS updates are working again.

martinwilson Wed, 07/09/2008 - 16:04

Looks like our ISA server is not configured to accept Basic authentication.


I'm not sure if the MARS can be configured to pass any other form of authentication but testing it on a server that accepts basic authentication works no problems.
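
The check discussed in this thread, reading the "Proxy-Authenticate" headers in the proxy's 407 response to see whether Basic is among the offered schemes, as an added example that is not part of any post above. The sample response is constructed for illustration (the scheme list is an assumption, not a capture from this thread), and `offered_schemes` and `diagnose` are hypothetical helper names.

```python
"""Added example: list the auth schemes a proxy offers in a 407 response."""

# Constructed sample: a 407 reply from a proxy offering only integrated
# authentication. The scheme list is an assumption, not data from the thread.
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Via: 1.1 PROXY01\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: Kerberos\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def offered_schemes(raw):
    """Return the schemes named in Proxy-Authenticate headers of a 407 reply.

    Assumes one challenge per header line, which is how proxies usually
    send them; comma-joined challenges in one header are not split.
    """
    lines = raw.decode("iso-8859-1").splitlines()
    status = lines[0].split(" ", 2) if lines else []
    if len(status) < 2 or status[1] != "407":
        raise ValueError("not a 407 response")
    schemes = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            # First token is the scheme; anything after it is parameters.
            token = value.strip().split(" ", 1)[0]
            if token:
                schemes.append(token)
    return schemes


def diagnose(raw, client_schemes=("Basic",)):
    """Compare what the proxy offers with what the client can send."""
    offered = offered_schemes(raw)
    wanted = {c.lower() for c in client_schemes}
    usable = [s for s in offered if s.lower() in wanted]
    if usable:
        return "ok: client can use " + ", ".join(usable)
    return "mismatch: proxy offers %s; client supports %s" % (
        ", ".join(offered) or "nothing", ", ".join(client_schemes))


if __name__ == "__main__":
    print(diagnose(SAMPLE_407))
```

Because Basic credentials are only base64-encoded, a trace taken with `tcpdump -X` on this path holds the proxy password in recoverable form, so store and share the capture accordingly.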



fbpettis1 Thu, 08/14/2008 - 11:11

I'm having the same problem. Cannot connect to server anymore. Checked and rechecked settings (MARS 4.3.5). Using tcpdump, I can see it talking to the servers (both https & http). It's not my CCO account either. Anyone figure this one out?

Farrukh Haroon Thu, 08/14/2008 - 11:20

They changed their key or something a while back. Enter the CCO username and password in MARS again and hit 'Update Now'.


Regards


Farrukh

fbpettis1 Thu, 08/14/2008 - 11:39

Tried that, it fails. Says it's beginning download, and to refresh the screen to see the status, but fails after a couple of minutes every time.

Farrukh Haroon Thu, 08/14/2008 - 11:41

This is through a proxy or a direct connection to the internet?


Regards


Farrukh
