I am having some problems getting my MARS box to perform signature updates automatically.
I have entered in the correct proxy information and such yet when I hit the "Test connectivity" button I immediately get the error "Unable to connect to web server, please check URL, Username and password"
I have the correct username and password in there as I can access the site from a web browser.
Any ideas ? I'm not sure where I can look on the device to get visibility into where its falling over.
login to the mars cli and try this:
tcpdump -s0 -X port
Then try testing and you should see the connection attempt and it should give you an indication of why it failed.
Thanks, a great help.
Using TCPDump and examining our ISA proxy logs it looks like the MARS is trying to authenticate to our proxy as anonymous, despite the fact that I have set the proxy settings + username and password within mars.
Seems strange, any ideas ?
What type of authentication is the ISA proxy configured for? If you're not sure, get a trace and look at the "Proxy-Authenticate" HTTP header(s) being retured by the proxy in the "407 proxy auth required" response. It's just a wag, but the Jakarta http client may not like any of the types of authentication being offered up by the proxy (in particular, NTLM wouldn't work).
You could just whitelist the following URL on the ISA proxy server:
Nevermind all that. I looked at the connection and it's a direct CONNECT call using basic authentication. I'm curious, what makes you conclude that it's trying to authenticate as "anonymous"?
What you should see is something like this:
CONNECT http://www.cisco.com:443 HTTP/1.1
Just remember that MARS opens two separate connections to the Cisco website, one is HTTP and the other is HTTPS. I hope you have both of those allowed.
Good point, I only saw the https connection...possibly because this is just the first call to find out if there are any updates and there weren't. In any event, the second request looks something like this:
I am running Mars 4.3. I have my auto update point to Cisco (https://www.cisco.com/cgi-bin/ida/locator/locator.pl). The updates have worked fine until today. For some reason my password in the Mars config became corrupt. After resetting my CCO password in Mars, the Mars IPS updates are working again.
Looks like our ISA server is not configured to accept Basic authentication.
I'm not sure if the MARS can be configured to pass any other form of authentication but testing it on a server that accepts basic authentication works no problems.
I'm having the same problem. Cannot connect to server anymore. Checked and rechecked settings (MARS 4.3.5). Using tcpdump, I can see it talking to the servers (both https & http). It's not my CCO account either. Anyone figure this one out?
The changed their key or something a while back. Enter the CCO username and password in MARS again and hit 'Update Now'.
Tried that, it fails. Says it's beginning download, and to refresh the screen to see the status, but fails after a couple of minutes every time.