Cisco Support Community

New Member

CSA MC receives events from unknown hosts

Hi NetPros,

We are running a CSA MC (5.1) in a test environment.

At the moment I am receiving a lot of events from unknown hosts.

Does anyone know why they are unknown, and how to determine which host(s) sent these events?

We have 4 servers with inactive agents - is it possible that these are the unknown servers?

Any help appreciated.

Best regards

juergen bauer

8 REPLIES
Blue

Re: CSA MC receives events from unknown hosts

Hi Jurgen. Do you have host discovery enabled? What type of messages are you getting?

Tom

New Member

Re: CSA MC receives events from unknown hosts

I'm not sure if host discovery is enabled. Will check that next week.

And for the events: we receive all kinds of events: same event - some with valid host - some with host unknown?!

thanks

juergen

Blue

Re: CSA MC receives events from unknown hosts

Let me get this straight (I can be a bit dense at times...):

Is it the source or the destination host that's unknown?

Could you also paste an alert without any identifying info?

Tom

New Member

Re: CSA MC receives events from unknown hosts

Source is unknown. Attached screenshot.

thanks and best regards

juergen

New Member

Re: CSA MC receives events from unknown hosts

I've seen this when a host drops out of communication with the MC. Also, after a host has been deleted, the database will propagate with these types of alerts. Basically, the alerts cannot correlate to a specific host, so that field will be filled with 'unknown.'

*EDIT* You can see that HV-BRZ-APP02 in the user field of one of the unknowns. Then, 8 days later, it produces an alert with the correct host information. I'm running 5.1.0.91 and all those problems stopped for me. I don't know if you have the ability to update your hosts, but it might be advisable.

New Member

Re: CSA MC receives events from unknown hosts

Response from Cisco:

"This is not a bug but an annoying behaviour.

A cosmetic enhancement request has been opened to change this behaviour (CSCse93361) and has been integrated in CSA 5.2."

Happens when:

- host inactive more than 30 days -> host will be deleted

- when the host reconnects it re-registers and sends old events with new ID (why that?)

Sounds weird and btw. none of our hosts was inactive for 30 days or longer.

Anyway. Check if we can upgrade the MC. The agents have to be upgraded as well? Do I have to reboot all the hosts after the upgrade (I guess - can someone confirm this?)

Best regards

juergen

Blue

Re: CSA MC receives events from unknown hosts

Hosts can unregister for various reasons (none of which I can figure out with any certainty).

They usually have corresponding events in the CSALOG.TXT files on the host and MC and they may also have errors in the Windows event log.

They will store all CSA events in CSALOG.TXT until they can find the MC again and regurgitate them.

If you do upgrade the MC:

The agents will need to be upgraded.

They don't HAVE to restart after the upgrade, but they will run the old agent until they do.

Tom

New Member

Re: CSA MC receives events from unknown hosts

Hi Juergen,

A CSA-MC will ignore any CSA agent that was not built by that CSA-MC. So chances are you installed the agent built by that CSA-MC. Unless you are playing with the PKI encryption of the agent kit.
