Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
521
Views
0
Helpful
7
Replies

VMS Monitor problems

Go to solution
jeffrimj
Level 1
Level 1

‎06-20-2003 07:27 AM - edited ‎03-09-2019 03:45 AM

Hi there,

I have just installed VMS as we want to monitor and confiure our IDS's using this.

I installed it the "Correct Cisco way" That is putting the monitor on one Sever and the IDS Managament Consol on the other.

I have manually added in all the sensors into the Management consol, but when I look at the Monitor->Device Status, all the 76 Sensors that I have added there says its "not connected".

I used the option that the monitor should pick up the Postoffice protocols from the sensors.

I can PIng the sensors, ssh o the sensor, etc, etc, etc But that darn thing is still showing that it is "Not Connected"

Where do I start to trouble shoot?

Thanks a ton

Mike

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ywadhavk
Cisco Employee
Cisco Employee
In response to jeffrimj

‎06-30-2003 07:40 AM

Hi Mike,

You got the answer right there in your post. The sensors should be pointing to the Security Monitor box and not the MC as the events are sent to the SecMon and the Postoffice runs between the sensors and the SecMon.

Log onto the sensor as root and run sysconfig-sensor, option 6 and enter the SecMon details for the IDS Manager part of this config.

Thanks,

yatin

View solution in original post

0 Helpful
7 Replies 7

Go to solution
ywadhavk
Cisco Employee
Cisco Employee

‎06-20-2003 11:02 AM

Hi Mike,

What version are these sensors on? The 3.x version are the Postoffice based sensors. If they are 4.0, then they should be RDEP category.

Are these sensors added into the Security Monitor? Is that where they show "not connected"

How about from the IDSMC --> Configuration-->From TOC, select the sensor------> Settings--> Identification---> Query. Does it without any error?

Thanks,

yatin

0 Helpful

Go to solution
jeffrimj
Level 1
Level 1
In response to ywadhavk

‎06-23-2003 08:44 AM

Hi there, the IDS version is 3.1(2)S28 so it should use PostOffice Protocol. When I added the sensor to the Monitor, I ticked the box that says Discover PostOffice Settings using SSH: . I gave the correct User Name and password. So it should pick up the correct PostOffice settings, just in case someone changed the default port 45000.

I See the Not connected in the Monitor under " Monitor---> Device Status "

You see when I added it I get no problems at all, BUT all the sensor under this menu shows that they are not connected.

I configured the access list on the sensors to allow for the monitor to speak to it, and can ssh from the monitor to the sensor, so it rules out a connectivity problem.

I also see no problems on the IDSMC ---> Configuration-->From TOC, select the sensor------> Settings--> Identification---> Query.

It comes up with the correct details of the sensor.

Thanks for helping

Mike

0 Helpful

Go to solution
ywadhavk
Cisco Employee
Cisco Employee
In response to jeffrimj

‎06-23-2003 09:04 AM

The "Not Connected" status is most likely a miss-match config on the PostOffice parameters, e.g. the host id, org id, org name, etc.

Please check the same on the sensor by getting into sysconfig-sensor, option 6.

Match that with the info from

Security Monitor---> Admin----->SystemConfiguration----->Postoffice settings.

If the parameters are correct, then delete the sensro and add itt back into the Security Monitor by specifying the Postoffice parameters rather than trying to disconver them.

Thanks,

yatin

0 Helpful

Go to solution
jeffrimj
Level 1
Level 1
In response to ywadhavk

‎06-30-2003 06:46 AM

Hi Yatin

I checked the Post Office Parameters, they all seem fine on the Monitor.

The thing on the sensors are that they are all pointing to the MC. Is there a setting on the IDS's that I can set to say that it should communicate with the Monitor as well?

You see the thing is that we set up VMS with Cisco's recomendation, that is to put the MC on one Box and the Monitor on the other. I have tested it by putting both the monitor as well as the MC on the same box and it works. But when I put them on different boxes they seemed to be messed up.

Thanks

Mike

0 Helpful

Go to solution
ywadhavk
Cisco Employee
Cisco Employee
In response to jeffrimj

‎06-30-2003 07:40 AM

Hi Mike,

You got the answer right there in your post. The sensors should be pointing to the Security Monitor box and not the MC as the events are sent to the SecMon and the Postoffice runs between the sensors and the SecMon.

Log onto the sensor as root and run sysconfig-sensor, option 6 and enter the SecMon details for the IDS Manager part of this config.

Thanks,

yatin

0 Helpful

Go to solution
jeffrimj
Level 1
Level 1
In response to ywadhavk

‎07-01-2003 07:04 AM

Great stuff !!!!

It works !!! Its connected and it works.

But now I am abit confused, How does the Sensors now know that it is managed by the VMS MC that is sitting on a different server ???

Thanks a ton

0 Helpful

Go to solution
ywadhavk
Cisco Employee
Cisco Employee
In response to jeffrimj

‎07-01-2003 01:28 PM

The sensor doesn't have to know what box is managing it. The MC server needs to know though as any config changes are initiated from the MC to the sensor.

Hope that helps,

Thanks,

yatin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents