07-02-2008 12:43 AM
I am having some problems getting my MARS box to perform signature updates automatically.
I have entered the correct proxy information and such, yet when I hit the "Test connectivity" button I immediately get the error "Unable to connect to web server, please check URL, Username and password".
I have the correct username and password in there as I can access the site from a web browser.
Any ideas? I'm not sure where I can look on the device to get visibility into where it's falling over.
Cheers.
07-02-2008 05:18 AM
Log in to the MARS CLI and try this:
tcpdump -s0 -X port
where
Then try testing and you should see the connection attempt and it should give you an indication of why it failed.
07-02-2008 04:23 PM
Thanks, a great help.
Using TCPDump and examining our ISA proxy logs, it looks like the MARS is trying to authenticate to our proxy as anonymous, despite the fact that I have set the proxy settings + username and password within MARS.
Seems strange, any ideas?
07-03-2008 06:31 AM
What type of authentication is the ISA proxy configured for? If you're not sure, get a trace and look at the "Proxy-Authenticate" HTTP header(s) being returned by the proxy in the "407 proxy auth required" response. It's just a wag, but the Jakarta http client may not like any of the types of authentication being offered up by the proxy (in particular, NTLM wouldn't work).
You could just whitelist the following URL on the ISA proxy server:
07-03-2008 06:48 AM
Never mind all that. I looked at the connection and it's a direct CONNECT call using basic authentication. I'm curious, what makes you conclude that it's trying to authenticate as "anonymous"?
What you should see is something like this:
CONNECT http://www.cisco.com:443 HTTP/1.1
Authorization: Basic
Proxy-Authorization: Basic
User-Agent: Jakarta.Commons-HttpClient/2.0final
Host: http://www.cisco.com
Proxy-Connection: Keep-Alive
07-06-2008 03:05 AM
Just remember that MARS opens two separate connections to the Cisco website, one is HTTP and the other is HTTPS. I hope you have both of those allowed.
Regards
Farrukh
07-07-2008 09:32 AM
Good point, I only saw the https connection...possibly because this is just the first call to find out if there are any updates and there weren't. In any event, the second request looks something like this:
http://software-sj.cisco.com/cisco/ciscosecure/ips/csmars/IPS-CS-MARS-Sig-S342.zip
07-09-2008 12:26 PM
I am running Mars 4.3. I have my auto update point to Cisco (https://www.cisco.com/cgi-bin/ida/locator/locator.pl). The updates have worked fine until today. For some reason my password in the Mars config became corrupt. After resetting my CCO password in Mars, the Mars IPS updates are working again.
07-09-2008 04:04 PM
Looks like our ISA server is not configured to accept Basic authentication.
I'm not sure if the MARS can be configured to pass any other form of authentication but testing it on a server that accepts basic authentication works no problems.
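The mismatch this thread arrives at (MARS sends Basic on its CONNECT, the ISA proxy does not accept Basic) can be confirmed from the proxy's 407 response, as suggested earlier in the thread. The following is an added example, not part of any post here and not Cisco's code: it lists the schemes in the "Proxy-Authenticate" headers and checks whether Basic is among them. Both sample responses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a proxy's 407 reply (not captured from this thread).
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: Kerberos\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample with several challenges folded into one header line.
SAMPLE_407_MIXED = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b'Proxy-Authenticate: Digest realm="a, b", nonce="x", Basic realm="proxy"\r\n'
    b"Content-Length: 0\r\n\r\n"
)

# Split on commas that are not inside a quoted string.
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def offered_schemes(raw: bytes) -> list[str]:
    """Return the auth schemes a 407 response offers, in order, de-duplicated."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "407":
        raise ValueError("not a 407 Proxy Authentication Required response")
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authenticate":
            continue
        for item in _COMMA.split(value):
            parts = item.split()
            # "nonce=..." is a parameter of the previous challenge, not a scheme.
            if parts and "=" not in parts[0] and parts[0] not in schemes:
                schemes.append(parts[0])
    return schemes

def basic_offered(raw: bytes) -> bool:
    """True if a Basic-only client, as MARS is described here, can authenticate."""
    return any(s.lower() == "basic" for s in offered_schemes(raw))

if __name__ == "__main__":
    for sample in (SAMPLE_407, SAMPLE_407_MIXED):
        print(offered_schemes(sample), "Basic offered:", basic_offered(sample))
```

Feed it the raw bytes of the 407 reply taken from a packet capture of the proxy connection; a result without Basic matches the failure described in this thread.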
08-14-2008 11:11 AM
I'm having the same problem. Cannot connect to server anymore. Checked and rechecked settings (MARS 4.3.5). Using tcpdump, I can see it talking to the servers (both https & http). It's not my CCO account either. Anyone figure this one out?
08-14-2008 11:20 AM
They changed their key or something a while back. Enter the CCO username and password in MARS again and hit 'Update Now'.
Regards
Farrukh
08-14-2008 11:39 AM
Tried that, it fails. Says it's beginning download, and to refresh the screen to see the status, but fails after a couple of minutes every time.
08-14-2008 11:41 AM
This is through a proxy or a direct connection to the internet?
Regards
Farrukh
08-14-2008 11:52 AM
Direct connection.