Cannot Add module to IME "could not verify config username/password"

Unanswered Question
Aug 14th, 2012

All,


I'm having an issue communicating with an AIP-SSM-10 module inside an ASA 5510.  To sum it up: I cannot use the graphical interface to reach the device (ASDM-IDM works - sort of, or IME - my main concern is IME).   This has continued to be a problem with both IME 7.2.1 and the current version IME 7.2.3.
Although I've tried this with IME running on Windows XP, Vista, 7, and Windows Server 2008, the current machine is Windows Server 2003.  The server has Java 1.6.0_31.
I have the Java settings (General > Network Settings) set to direct connection.
One more piece of history: this was communicating with ASDM-IDM and IME previously.  I had reset the device in IME so I could start over again - exam prep, you know.


The device itself is running IPS-K9-7.0-7-E4.  When I go to add a device in the Home screen and enter the appropriate credentials, it presents me with the SHA and MD-5 fingerprints, to which I say "yes" and after a few seconds it reports


"could not verify config username/password"


If I go to the client-log (in Program Files\Cisco Systems\Cisco IPS Manager Express\log) I see this:
2012-08-14 10:35:05,187 ERROR - [common.ClientSocket] IOException while sending test credentials:Connection refused: connect
java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at com.cisco.iev.common.ClientSocket.sendRequest2Server(ClientSocket.java:36)
at com.cisco.iev.gui.DeviceListCtrl$VerifyThread.run(DeviceListCtrl.java:1506)
2012-08-14 10:35:05,187 ERROR - [gui.DeviceListCtrl] Could not verify config username/password[- IOException: Connection refused: connect. IME IME server is not responding. Please check if it is running.]


The IPS has a Certificate Valid from: 12-Aug-2012 to 13-Aug-2014

I have reinstalled software and Java numerous times.  Often between changes, I've gone to Admin Tools > Services and restarted the MySQL and Cisco IME services.  Sometimes I will get "Error response from IME server: Failed to authorize the user account" instead, but mostly it is as I described above.


Two odd things about this:
First, I can SSH from either an IP address on the IPS management network or the inside network; that is to say, I can SSH to the IPS from the same machines that I cannot get to with IME.  This makes me think both the ACLs and certificate are fine.
I had mentioned ASDM-IDM sort of works.  Well, as it ends up, I can "jump-start" ASDM-IDM by starting a Secure Shell session from the machine with the ASDM software installed, then go back to ASDM and try to connect to the IPS and it will then work.  Before that I get "Error contacting sensor. Error loading sensor" when I try to view or configure the IPS.

I've read these forums quite a bit; I've set the Java runtime parameters anywhere they can be found. 


Still, I would like to get IPS Management Express working, if possible.

danielbec Thu, 08/16/2012 - 09:13

I had thought so, except that:

It is on the same subnet - even directly connected. 

This is installed on a clean PC (several) with no HTTP proxy, no firewall enabled, no antivirus enabled and no network filtering between the IPS and the IME machine.  In fact, I've a victim machine (XP, SP2, no firewall, no AV, unpatched, to run Metasploit against) that meets all these criteria and it still has the same result.

Also, there is this note: "This DDTS only applies to those cases where the error message text is '[null]'" - here it says "IOException: Connection refused" in the log and actually now the message is a little different:

"Error response from IME server. Failed to authorize the user account"

Same user account allows me to look in ASDM-IDM, though.

rleivaoc Thu, 08/16/2012 - 10:42
User Badges:
  • Cisco Employee,

Can you try to do a packet capture on the ASA and IPS when trying to access both from the troubled areas of the network? I am thinking this might be a networking problem somewhere; if not, it might be something to do with the IPS module.


Thanks,


Rafael

danielbec Thu, 08/16/2012 - 11:47

Let me see if I can attach this.  Incidentally, there is just a wire between this workstation (W2k3) and the AIP-SSM management port.  This starts when I launch IME (3 whole packets) and ends when the connection fails.

rleivaoc Thu, 08/16/2012 - 12:03
User Badges:
  • Cisco Employee,

From the capture, it seems that the 10.10.10.3 HP host is sending resets. This could be an application layer problem with the IME, or something on that PC is causing the connection to reset. If this is a clean HP host, then it has to be the IME software causing the problem somehow. At this point, I would recommend opening a TAC case.


Thanks,


Rafael

danielbec Tue, 08/21/2012 - 12:55

Well, TAC was not an option for this as it is in a lab environment.  Something I had read got me to thinking about this, so I went back and installed IME as an administrator (again) and then went to the Java control panel > Advanced tab and under General -> security I selected the check box to "Use SSL 2.0 compatible Client Hello format".  I restarted the Java Quick Starter service and was able to add the AIP-SSM-10 back to IME (finally).

Afterwards, I went back and unchecked this box in the Java Control Panel, and launched IME again and I can still access the module via IME.  I'm not going to risk removing and re-adding it right now as it is the best sensor I've got to practice with for the IPS exam, which, as it ends up, I have to retake.
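
Added example, not part of the original post and not Cisco code: when reviewing a capture like the one discussed above, the first bytes the client sends show whether the Java "Use SSL 2.0 compatible ClientHello format" option was in effect. The function and builder names are hypothetical and the sample hellos are constructed, not taken from this thread's capture.

```python
import struct

VERSIONS = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def classify_client_hello(data: bytes):
    """Return (framing, offered_version) for the first bytes a client sends."""
    if len(data) < 11:
        return ("truncated", None)
    # SSLv2 framing: 2-byte length with the high bit set, then type 1 (CLIENT-HELLO).
    if data[0] & 0x80 and data[2] == 0x01:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        cipher_len, sid_len, chal_len = struct.unpack(">HHH", data[5:11])
        # The three variable-length fields must account for the whole record.
        if cipher_len % 3 == 0 and 9 + cipher_len + sid_len + chal_len == rec_len:
            return ("sslv2-compatible", VERSIONS.get((data[3], data[4]), "unknown"))
        return ("not-a-client-hello", None)
    # SSLv3/TLS framing: record type 0x16 (handshake), major version 3,
    # then handshake type 1 (ClientHello) followed by the client_version field.
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return ("tls-record", VERSIONS.get((data[9], data[10]), "unknown"))
    return ("not-a-client-hello", None)

def build_v2_hello(version=(3, 1)):
    """Constructed sample: SSLv2-framed hello that offers a newer version."""
    ciphers = bytes.fromhex("00002f" "00000a")  # two 3-byte cipher specs
    challenge = bytes(16)
    body = bytes([1, *version])
    body += struct.pack(">HHH", len(ciphers), 0, len(challenge))
    body += ciphers + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_tls_hello(version=(3, 1)):
    """Constructed sample: ClientHello inside an SSLv3/TLS handshake record."""
    suites = bytes.fromhex("002f000a")
    body = bytes(version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack(">H", len(suites)) + suites + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return bytes([0x16, *version]) + struct.pack(">H", len(handshake)) + handshake

if __name__ == "__main__":
    for name, sample in (("v2", build_v2_hello()), ("tls", build_tls_hello())):
        print(name, classify_client_hello(sample))
```

Feed it the first TCP payload from the client side of the flow; anything that is not a hello (an SSH banner, for instance) comes back as `not-a-client-hello`.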

danielbec Wed, 08/22/2012 - 14:03

So anyway. This was sort of self-answered in the end.  Can I mark this as a "Correct Answer"?  Nonetheless, thank you for your help!
