Inactive CS-MARS Reporting Device

Unanswered Question
Jul 9th, 2010

Hello,


I have a MARS version 6.0 and have some problems with the Catalyst 6500 switches. For a long time those devices reported every activity to the MARS, but these days the devices do not report to the MARS. I checked the config and I do not see anything strange. The MARS shows the following message:


"Cisco MARS detected an inactive reporting device that has not reported any event to MARS in the last hour. This may indicate that the device is not functioning properly"


But with the ASA and the router everything is fine, and these devices can report to the MARS. I think that the client made some changes, but I cannot see anything.


I uploaded some files that show the config of the devices in the MARS.

Jennifer Halim Sat, 07/10/2010 - 01:44
User Badges:
  • Cisco Employee,

Cat6k doesn't normally generate as many syslog messages as ASA or routers, so it shouldn't be a problem.

You might want to check if the Cat6k itself is generating any syslog messages at all, and if the syslog is being sent towards MARS, or it could potentially be an issue with the path between the Cat6k and MARS (maybe routing, or a firewall that might block the syslog packets)?

Scott Fringer Mon, 07/12/2010 - 03:55
User Badges:
  • Cisco Employee,

Katherine;


  Something else to check is that the Catalyst 6500s are still sourcing their syslog messages from the same IP address configured within CS-MARS.  If the messages come from a different reporting IP address, the CS-MARS will not associate them with the expected Catalyst 6500.  You can ensure syslog messages are sent from the same source IP every time by configuring the 'logging source-interface <interface>' on each switch.


  To troubleshoot if the syslog messages are arriving at the CS-MARS you can perform the following test:


- login to the CS-MARS CLI

- initiate a tcpdump for one of the affected Catalyst switches:


[pnadmin]$ tcpdump host <Catalyst-IP> and port 514


- on the Catalyst, enter and then exit configuration mode; this should generate a syslog message to the CS-MARS


  You should see output on the screen if the syslog message arrives as expected.  If there are no messages received, either the switch is incorrectly configured or something in the communication path is blocking the messages as Jennifer discussed.  If the message does arrive, it may simply be that the event rate on the Catalyst is less than once per hour (the lower rate Jennifer referenced) and the inactive reporting device message is generated.


Scott

kathy-kat Tue, 07/20/2010 - 11:20

Hi,


The client has an FWSM, but the communication between the 6500 and the FWSM is permit ip from MARS to the devices. I followed your advice and this is the answer that MARS receives from one of the 6509s:



[pnadmin]$ tcpdump host 10.1.206.100 and port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:35:28.958892 IP 10.1.206.100.57400 > cmars-cadivi.syslog: UDP, length 108
13:36:08.667250 IP 10.1.206.100.57400 > cmars-cadivi.syslog: UDP, length 108


2 packets captured
17 packets received by filter
0 packets dropped by kernel



Regards,

Scott Fringer Wed, 07/21/2010 - 04:55
User Badges:
  • Cisco Employee,

That indicates the 6500 with IP address 10.1.206.100 is correctly communicating with the CS-MARS; you should have matching raw messages within the CS-MARS.


For the 6500 to not be reported as an inactive reporting device, it will need to send syslog messages during the hour period that CS-MARS monitors.  As Jennifer previously indicated, Catalyst switches and Cisco routers do not regularly send large amounts of syslog messages and could go more than one hour between messages, in which case CS-MARS would report that device as inactive.  You will need to monitor the Catalyst to verify it is sending syslog messages to CS-MARS at least once per hour to verify whether it is "active" or "inactive".


Scott

kathy-kat Thu, 07/29/2010 - 13:17

Thanks Scott,


But I have a question: how do I make the devices report every hour?

Scott Fringer Thu, 07/29/2010 - 16:16
User Badges:
  • Cisco Employee,

That's not an easy thing, and will likely involve monitoring the logging of each device to get a feel for their reporting interval.

You can look for past logs by issuing 'sh logg' on the CLI of the switch/router and check the timestamps. The other option is to monitor the logging live and when a log message is generated on the CLI of the router/switch verify the same message arrives at the CS-MARS by having tcpdump already running on the CS-MARS CLI. From there you can perform a raw message query for the specific switch/router on the CS-MARS and verify the same raw message is present in the CS-MARS GUI.


Scott
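
An added example, not part of the original thread and not Cisco tooling: a Python sketch that reads saved tcpdump output in the format posted above and, for each expected reporting IP, checks whether any silence between syslog packets exceeds the one-hour window, and also lists sources that are not defined reporting IPs (the source-address mismatch Scott described). It assumes source addresses print unresolved as in the capture above; the names `audit`, `arrivals_by_source`, the second switch 10.1.206.101 and the 192.0.2.7 source are constructed for illustration.

```python
import re
from collections import defaultdict

# Default tcpdump line format, as in the capture posted in the thread.
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.(?:syslog|514): UDP")
INACTIVE_AFTER = 3600  # seconds: the one-hour window named in the MARS alert

def arrivals_by_source(lines):
    """Map source IP -> arrival times in seconds (day rollover handled)."""
    seen, day_offset, previous = defaultdict(list), 0, None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, summary or non-syslog line
        t = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        if previous is not None and t < previous:
            day_offset += 86400  # timestamps carry no date: clock passed midnight
        previous = t
        seen[m[4]].append(t + day_offset)
    return seen

def audit(lines, expected_ips, capture_end):
    """Return ({expected_ip: status}, [sources not defined as reporting IPs])."""
    seen, report = arrivals_by_source(lines), {}
    for ip in expected_ips:
        times = seen.get(ip, [])
        if not times:
            report[ip] = "no syslog seen"
            continue
        # Silence between packets, plus silence from the last packet to capture end.
        gaps = [b - a for a, b in zip(times, times[1:])] + [capture_end - times[-1]]
        report[ip] = "silent > 1h" if max(gaps) > INACTIVE_AFTER else "active"
    return report, sorted(set(seen) - set(expected_ips))

# First two packet lines are from the thread; the rest are constructed samples.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
13:35:28.958892 IP 10.1.206.100.57400 > cmars-cadivi.syslog: UDP, length 108
13:36:08.667250 IP 10.1.206.100.57400 > cmars-cadivi.syslog: UDP, length 108
13:40:00.000001 IP 192.0.2.7.51000 > cmars-cadivi.syslog: UDP, length 96
15:10:12.120000 IP 10.1.206.100.57400 > cmars-cadivi.syslog: UDP, length 108
""".splitlines()

if __name__ == "__main__":
    # 10.1.206.101 is a constructed second switch; capture ended at 15:30:00.
    print(audit(SAMPLE, ["10.1.206.100", "10.1.206.101"], 15 * 3600 + 30 * 60))
```

A packet arriving on the wire only shows delivery; whether CS-MARS parsed it into an event still has to be confirmed with the raw message query described above.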

kathy-kat Fri, 08/20/2010 - 08:22

Hello Scott,



Excuse me for answering so late. In fact, when I look at the logs, I can see that the MARS can receive the logs, but I do not know why the MARS's web admin does not show the same logs that I can see in the console.


I remember that the Cat 6509 can send messages to MARS, but it always appears as INACTIVE REPORTING DEVICE; but if I turn off the Cat 6509, in the web admin of MARS I can see a report that says the Cat 6509 had been turned off.

Best Regards,


Kat
