Problem with discovery of an IPS 6.x device

toadpit · ‎06-11-2008

I'm having a problem with discovery of an IPS 4240 running 6.1(1)E1 device on a MARS 20 running 4.3.2. The "Test Connectivity" function returns the following error:

PN-0001:PnLogger message map not initialized

along with a suggestion to verify access by running telnet to port 443 from the MARS CLI (which I've done and it works just fine). I'm receiving events from the IPS just fine, but have an incomplete topology map because of the failed discovery.

I suspected it might have been a certificate validation issue and have regenerated the cert on the IPS and manually validated the new fingerprint on the MARS, and I've tried setting the "name" of the IPS device on the MARS to match the subject of the cert (which seems to be the IP address of the IPS rather than its hostname) to no avail.

Any troubleshooting tips appreciated.

Farrukh Haroon · ‎06-11-2008

Try the following:

Configuration >> Sensor Setup >> Certifcates >> Trusted Hosts >> Add

Add the MARS finger-print there.

Command Line is " tls trusted-host" I think.

Also make sure the MARS box in the the:

Configuration >> Sensor Setup >> Allowed Hosts

A simple way to check this is that the MARS can ping the IPS.

The last option would be to run a detailed log I guess.

Regards

Farrukh

toadpit · ‎06-11-2008

The MARS box was already in the Allowed Hosts, but it's now a Trusted Host as well. Discovery still fails with the same error.

If I run a tcpdump from the MARS I can actually see the TCP connection come up between the MARS and IPS, exchange data, then go away gracefully.

Is there any way I can get more details information out of the MARS? I've set logging on the "discovery" service to TRACE level but it gives me nothing new. I also can't see anything useful in a diagnostic report on the IPS.

Thanks for your help so far.

Farrukh Haroon · ‎06-11-2008

Could it be a support issue?

This is the reaason why I did not upgrade to 6.1.x on any of our clients. Officially the support is only till 6.0.x.

Have a look at this:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.3/compatibility/local_controller/dtlc43x.html

Regards

Farrukh

toadpit · ‎06-11-2008

Ah, I hadn't realised MARS 4.3 didn't support IPS 6.1. It could well be a support issue. Thanks for the link.

I would be nice to see a more definitive error message from something, though.

Might need to look at downgrading the IPS.

Farrukh Haroon · ‎06-11-2008

Ok let us know how it goes :)

Regards

Farrukh

Farrukh Haroon · ‎06-11-2008

It seems the bug you are facing is a cosmetric one only, just add the 6.1 sensor and it should work, have a look at:

http://blog.crimsonsilo.com/2008/05/ips-61-cs-mars-534-issue/

Please rate helpful posts.

Regards

Farrukh

toadpit · ‎06-11-2008

Thanks, Farrukh, your help has been invaluable.

I looked up the bug id from the blog post (CSCsq07003) in the bug toolkit and there's a workaround to fix the failing connectivity test too.

edit - Hmm.. now that I've rated your post I seem to have missed the chance to flag it as resolving the issue. Doh.

Farrukh Haroon · ‎06-11-2008

No problem with that :)

The important thing is that you have it working now (or will do soon)

Regards

Farrukh