topic Re: Cisco IPS Connecting error in Splunk Dev

Cisco IPS Connecting error

dx50 — Wed, 24 Oct 2012 08:00:20 GMT

I can access the IPS without issue through Cisco IPS Manager Express (IME) and can connect to the IPS from telnet. But why I get this error?

sdee_get.log :

Wed Oct 24 14:53:10 2012 - INFO - Checking for exsisting SubscriptionID on host: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - No exsisting SubscriptionID for host: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - Attempting to connect to sensor: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - Successfully connected to: 10.42.12.20
Wed Oct 24 14:53:11 2012 - ERROR - Connecting to sensor - 10.42.12.20: URLError: urlopen error [Errno 10061] No connection could be made because the target machine actively refused it

Re: Cisco IPS Connecting error

dshpritz — Wed, 24 Oct 2012 14:48:06 GMT

I believe that you have to allow the IP that the script is running from to connect to the IPS somewhere in the IME. That is, the sensor needs to be told to allow connections from the Splunk box. Wish I could tell you where in the config.

HTH,

Dave

Re: Cisco IPS Connecting error

andrew_garvin — Thu, 25 Oct 2012 17:44:12 GMT

I agree with Dave. Make sure you can ping and make https connections to the IPS appliance from the Splunk server. If you confirm connectivity and you are still having an issue, please let us know.

Re: Cisco IPS Connecting error

strumpowertsc — Mon, 05 May 2014 16:14:46 GMT

This is a late response but thought I'd post it for others that might be experiencing the same problem.

You have to permit the Splunk box to connect on the IPS device. You can do this by re-running the setup from the command line or by clicking Sensor Setup > Allowed Hosts/Networks > Add in IME or IDM.

Re: Cisco IPS Connecting error

paguayof — Mon, 23 Feb 2015 16:20:38 GMT

Hello,

I have a similar problem and the splunk is in the Allowed host, I can ping the IPS and get de XML with no problem from the splunk.

Mon Feb 23 13:03:07 2015 - INFO - Checking for exsisting SubscriptionID on host: 10.201.158.23
Mon Feb 23 13:03:07 2015 - INFO - No exsisting SubscriptionID for host: 10.201.158.23
Mon Feb 23 13:03:07 2015 - INFO - Attempting to connect to sensor: 10.201.158.23
Mon Feb 23 13:03:07 2015 - INFO - Successfully connected to: 10.201.158.23
Mon Feb 23 13:03:08 2015 - ERROR - Connecting to sensor - 10.201.158.23: URLError: urlopen error [Errno 104] Connection reset by peer>

What can it be?

Re: Cisco IPS Connecting error

ilirb — Tue, 07 Apr 2015 12:41:39 GMT

hi,

Modifying the bin/pysdee/pySDEE.py and changing the SSLv3 version to TLSv1 helped solve my problem, as was explained here

http://answers.splunk.com/answers/105193/cisco-ips-error-errno-8.html

and here:

http://blog.hortonew.com/splunk-ciscoips-app-no-longer-pulls-from-ips
Hope it helps you, too

Re: Cisco IPS Connecting error

bwooden — Tue, 07 Apr 2015 13:14:58 GMT

Another problem that can cause this is over-subscribed devices. IPS devices generally have a default subscription limit of 5. Here is one article that details enumerating sessions. We've seen this happen both from stale subscriptions and separately other teams/technologies polling the IPS device.