We get this message with MARS, but the two devices, both Cisco IDS 4.0, are both up and functioning. We are able to discover the devices via MARS, but no logs will come in. We know the IDSs are logging because we can see the logs on the boxes themselves, and they are also sending them to another product. It just stopped during the day last week; no events were going on. Now every hour, we get this error.
I have tried rebooting the MARS, deleting and adding the devices to the MARS, and booting the IDSs themselves. Still nothing. Any help will be appreciated.
It has been a while since I used IDS 4.0, so this may not be relevant. In addition I am going off of memory here. MARS 'discovery' with the IPS uses RDEP. When MARS pulls the actual data from the IDS, MARS uses SSL. It might be that your IDS SSL certificates need to be regenerated.
IIRC how it was explained to me, these are systems which either have not sent (via syslog) or have not generated events to be pulled (SDEE). We get this a lot, and devices traditionally classified as inactive are remote routers, access level switches, and such, due to the relative absence of log-worthy events. We have IPS modules from which MARS picks up events, and I have never seen them classified as inactive.
I am not familiar with the IDS 4.0 product; does it push to MARS or does MARS pull? Even though MARS classifies them as inactive, have you performed a manual search query for events, Query type: Event Raw Messages, filtering on the devices in order to validate?