Community Member

Not communicating to Event viewer

The Event Viewer cannot communicate with either of my sensors, although the PostOffice ports are the same. The sensors are still talking to the Director on that same port. Do I change the PostOffice port for the Event Viewer and sensors? I get the sync sent but no reply from the sensors.

6 REPLIES
Cisco Employee

Re: Not communicating to Event viewer

The general causes of these situations are 1) configuration, 2) processes not running, or 3) network configurations.

1) configuration

Look at the etc/hosts, etc/organizations, and etc/routes files on both the sensor and the IEV machines. Ensure that the IDs used match exactly for the different machines.

2) processes not running

On the sensor execute nrvers and ensure that all processes respond.

On the IEV check the Task Manager and ensure that postofficed is running.

It may also help to restart the sensor and IEV.

NOTE: Starting and stopping the GUI will not stop and start all of the necessary services. Rebooting the IEV box is the easiest way to ensure all the proper services are stopped and restarted.

3) network configuration

In many cases firewalls are set up to block the UDP traffic used by PostOffice, so users have had to open up the firewall port to allow the UDP traffic on port 45000 between the sensors and IEV.

You can use the snoop command on the sensor:

IDS-4220/30: snoop -d iprb0 udp

IDS-4210: snoop -d iprb1 udp

The snoop output should show UDP port 45000 packets both from the sensor and from the IEV machine.

If you have a sniffer on the same network as IEV you would want to check and ensure that the sensor UDP packets are making it to the IEV box.

If the above doesn't help then please provide the following directly to me:

Contents of etc/hosts, organizations, and routes files on the sensor and IEV.

Output of nrvers and nrconns on the sensor

Output of the following command from the IEV machine:

nrget 10000 ievhost ievorgid 1 DestinationConnectionStatus

Replace ievhostid and ievorgid with the numerical values for the IEV machine.

Execute this from within the bin directory for IEV.

Marco

Community Member

Re: Not communicating to Event viewer

Thanks Marco,

Here's what I have found out. First thing was I hadn't applied my changes when configuring the sensors through the manager. Once I did that I saw the Event Viewer machine. Happens to be my workstation. The snoop on the sensors shows my machine sending the request on port 45000 and the sensor sending it back out to the Director instead of my machine. How do I configure the sensors to send to 2 hosts?

Cisco Employee

Re: Not communicating to Event viewer

Follow these instructions in the IDM users guide:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid27

Instructions are after: "To configure remote hosts to receive alarms, follow these steps"

If you are configuring through the Unix Director and not IDM then you will need to add the information for your workstation to the Hosts, Organizations, Routes, and Destinations configurations in the System Files configuration for your sensor.

You will want to add your IEV machine using the above instructions.

If your workstation is using DHCP then you will need to update this every time your workstation IP address changes.

If you are no longer using the Unix Director you can remove the entries for Unix Director.

Community Member

Re: Not communicating to Event viewer

I have added the new IEV machine using the IDM. Removed the old Unix director from that sensor. I can see when I do the snoop -d command on the sensor, traffic from my machine and from the sensor, but in the event viewer, when I look at the device status it still states no sync recvd. I even added a static route on my machine to that sensor. All the services are running and I've rebooted the sensor twice. I can ping the workstation from the sensor.

Cisco Employee

Re: Not communicating to Event viewer

My best guess is a configuration or network issue.

Send me the following to see if it is a configuration issue:

Contents of etc/hosts, organizations, and routes files on the sensor and IEV.

Output of nrvers and nrconns on the sensor

Output of the following command from the IEV machine:

nrget 10000 ievhost ievorgid 1 DestinationConnectionStatus

Replace ievhostid and ievorgid with the numerical values for the IEV machine.

Execute this from within the bin directory for IEV.

Is there a firewall or router between the IEV and your sensor? If so you may need to sniff the network between your firewall/router and IEV to ensure that the firewall/router is letting the UDP port 45000 traffic from the sensor reach your IEV machine.

It could be that the firewall lets the packets from IEV reach the sensor, but may not be letting the packets from the sensor reach the IEV machine.

Community Member

Re: Not communicating to Event viewer

The sensors' iprb0 interface is set on the same network as my workstation...

Their addresses are 172.25.0.xxx, the workstation is 172.25.4.xxx. No router or firewall in the way, although the default gateway for both is the firewall. I can ping and tracert to each sensor and vice versa. I will try and get you those output files. The command on the IEV machine resulted in a timeout.

I can see when I snoop the interface... sensor192 ---> 172.25.4.xxx 45000 udp etc.

Then directly after that line... 172.25.4.xxx ---> sensor192 45000 udp etc.

Seems like the sensor is seeing a syn and responding, but I don't think my machine is reading it, or the port is opening correctly.

Let me get back to you with those files.
