Solved: Problem adding CSA external interface in IPS 6

mcvosi · ‎01-21-2007

I configured my AIP-SSM sensor running IPS 6 to connect to the CSA MC, but I get a connection failure. The sensor is showing the following error when trying to connect:

evError: eventId=1168311248090659938 severity=warning vendor=Cisco

originator:

hostId: os-ips

appName: externalProductInterface

appInstanceId: 317

time: 2007/01/20 02:50:22 2007/01/19 20:50:22 GMT-06:00

errorMessage: name=errNotAvailable Failure opening a subscription on the Management Center for Cisco Security Agents external interface at 1.1.1.1: Parse response found a different element when expecting the SOAP Envelope element

mkodali · ‎01-22-2007

If your CSAMC is version 5.0 then can you please set the url to /csamc50/sdee-server and retry after enabling the interface.

thx

Madhu

View solution in original post

mkodali · ‎01-22-2007

Can you please paste your config under service external-product-interface on the server? I am specifically looking for the url you have configured.

thx

Madhu

mcvosi · ‎01-22-2007

The interface is currently disabled, but I think you'll get the picture.

---

cisco-security-agents-mc-settings (min: 0, max: 2, current: 1)

-----------------------------------------------

ip-address: 1.1.1.1

-----------------------------------------------

interface-type: extended-sdee

enabled: no default: yes

url: /csamc/sdee-server

port: 443

use-ssl

-----------------------------------------------

always-yes: yes

-----------------------------------------------

username: adminuser

password:

host-posture-settings

-----------------------------------------------

enabled: yes default: yes

allow-unreachable-postures: yes

posture-acls (ordered min: 0, max: 10, current: 1 - 1 active, 0 inactive)

-----------------------------------------------

ACTIVE list-contents

-----------------------------------------------

NAME: 1-subnet

-----------------------------------------------

network-address: 192.168.1.0/24

action: permit

-----------------------------------------------

watchlist-address-settings

-----------------------------------------------

enabled: yes

manual-rr-increase: 25

session-rr-increase: 25

packet-rr-increase: 10

mkodali · ‎01-22-2007

If your CSAMC is version 5.0 then can you please set the url to /csamc50/sdee-server and retry after enabling the interface.

thx

Madhu

mcvosi · ‎01-22-2007

Ah ha! I missed that. I'm using 5.1 and made the change; it now shows the connection as active.

Thanks!

jplatzer · ‎01-22-2007

This error indicates that the IPS is trying to establish communication with the CSA MC, and the CSA MC is returning an unexpected response.

A couple reasons you may be seeing this error:

1. I noticed that the error message says that the IPS is configured to talk to a CSA MC with the IP address 1.1.1.1. Is this the correct IP address for the MC - I?m thinking that the message?s actual IP address was changed before posting for security reasons?

2. For currently shipping and past versions of CSA MC, the CSA MC?s URL has to be configured in the IPS:

* If the CSA MC is version 5.1 (most likely) then configured the URL to be: /csamc51/sdee-server

* If the CSA MC is version 5.0 then configured the URL to be: /csamc50/sdee-server

* Also, if the CSA MC is version 5.0 then be sure to apply the latest patches to the CSA MC since the unpatched versions had issues that caused communication failures and loss of data.

* Note: The next CSA MC release will eliminate the need to set the URL.

Let me know whether this fixes the problem.

Regards,

Jeff