I have a MARS version 6.0 and have some problems with the Switchs Catalyst 6500, since long time ago those devices reporting every activity to the MARS but in these days the devices do not report to the mars, I check the config and i do not see nothing stranger, the mars show the following message:
"Cisco MARS detected an inactive reporting device that has not reported any event to MARS in the last hour. This may indicate that the device is not functioning properly"
But with the ASA and the Router it´s everything fine, and these devices can report to the mars. I think that the client did some changes but i can not see nothing.
I uploaded some files that show the config of devices in to the mars
Cat6k doesn't normally generate as many syslog messages as ASA or routers, so it shouldn't be a problem.
You might want to check if the Cat6k itself is generating any syslog messages at all, and if the syslog is being sent towards MARS, OR/ it could potentially be issue with path between the Cat6k and MARS (maybe routing, or firewall that might block the syslog packets)?
Something else to check is that the Catalyst 6500s are still sourcing their syslog messages from the same IP address configured within CS-MARS. If the messages come from a different reporting IP address, the CS-MARS will not associate them with the expected Catalyst 6500. You can ensure syslog messages are sent from the same source IP every time by configuring the 'logging source-interface ' on each switch.
To troubleshoot if the syslog messages are arriving at the CS-MARS you can perform the following test:
- login to the CS-MARS CLI
- initiate a tcpdump for one of the affected Catalyst switches:
[pnadmin]$ tcpdump host and port 514
- on the Catalyst enter and then exit configuration mode, this should generate a syslog message to the CS-MARS
You should see output on the screen if the syslog message arrives as expected. If there are no messages received, either the switch is incorrectly configured or something in the communication path is blocking the messages as Jennifer discussed. If the message does arrive, it may simply be that the event rate on the Catalyst is less than once per hour (the lower rate Jennifer referenced) and the inactive reporting device message is generated.
The client have a fwsm, but the communication between 6500 and FWSM are permit ip from mars to the devices. I followed you advice and this is the answer that mars receive from one of 6509:
[pnadmin]$ tcpdump host 10.1.206.100 and port 514 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 13:35:28.958892 IP 10.1.206.100.57400 > cmars-cadivi.syslog: UDP, length 108 13:36:08.667250 IP 10.1.206.100.57400 > cmars-cadivi.syslog: UDP, length 108
2 packets captured 17 packets received by filter 0 packets dropped by kernel
That indicates the 6500 with IP address 10.1.206.100 is correctly communicating with the CS-MARS; you should have matching raw messages within the CS-MARS.
For the 6500 to not be reported as an inactive reporting device, it will need to send syslog messages during the hour period that CS-MARS monitors. As Jennifer previously indicated, Catalyst switches and Cisco routers do not regularly send large amounts of syslog messages and could go more than one hour between messages, in which case CS-MARS would report that device as inactive. You will need to monitor the Catalyst to verify it is sending syslog messages to CS-MARS at least once per hour to verify whether it is "active" or "inactive".
Excuse me for answer too late, in fact when i see the logs, I can see that the mars can receive the logs, but i do not know why the mars`s wed admin does not appear the same logs that I can see in the console.
I could remenber that the Cat 6509 can send the message to mars, but always appear like INACTIVE REPORTING DEVICE, but if It Turn off the Cat 6509, in the wed admin of MARS i could see a report that said that the Cat 6509 had been turn off.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :