I start this discussion as I think I'm experiencing something really strange with CS-MARS 4.3.1 (build 2600) and Cisco IPS 5.1(6).
Today I upgraded our MARS box from 4.2.8 to 4.3.1. A bit later, I decided to migrate one of our IPS from 4.1 to 5.1.
After all the upgrades, I deleted the old IDS 4.1 from MARS and recreated it. But I can't get MARS to communicate with the IPS! From the MARS box I can "telnet ... 443" and I get a response, but MARS complains again and again of not being able to contact the IPS. "Try a telnet ... 443 from the MARS appliance to check if IP connectivity is present" is the message reported by "View Error" after a "test connectivity" has been issued.
The problem is that I need that first connection to make MARS subscribe to the IPS in order to receive the logs.
I tried with a 5.1 IPS already present before the upgrade: same result, "Can't connect". But as the MARS box had previously subscribed to the IPS, the logs are arriving.
I have a similar problem. I did an upgrade right after the 4.3.1 release; however, I did not upgrade my IDSM at the same time since it was already at 5.1(6). I got incoming events from the IDSM and didn't take much notice.
But, today I upgraded the IDSM to 6.0(3)E1 and now I get the same error after removing and reconfiguring the IDSM in MARS. I've tried the telnet from MARS and it works fine AND I'm getting events from the IDSM so I guess there is some bug in the detection process.
I am not sure if my issue is related, but I am trying to configure a 2821's IPS into the Cisco MARS. I have tried several different methods, but I believe that I should use the "Cisco IPS 5.x" device type. When I configure it, I get the same error "Try telnet...". I have successfully tested the port via telnet several times.
I have confirmed that I am not getting any events or alerts from the device by running a query for all raw messages from the one IPS.
Am I using the right Device Type?
2821 RTR @ 12.3(14)T7
MARS @ 4.2.8 (2543).
Note - I am currently running MARS with IDSM2 @ 6.0(2)E1, and it is functioning properly. I have tested the "Test Connectivity" and it also works.
When I upgraded MARS to 4.3.1, I noticed that MARS doesn't receive any logs from the IPS, ASA and other reporting devices. But when I check the ASA and IPS, I'm pretty sure that the ASA and IPS were sending syslog alerts to MARS; the only problem is that MARS could not receive them. I can ping the IPS / ASA in the MARS console, but it fails when I test the connectivity/discover in the web interface.
I also executed the pnstart and pnstatus commands in the CLI console.
This is what I get:
Configuration error: host name does not match janus.conf::janusBoxName.