rc=-1 err=-96 Connection error with Check Point OSPEC LEA app 2.0.2

jbsplunk
Splunk Employee

I recently installed the Splunk Add-on for Check Point OSPEC LEA application (2.0.2), and when I attempt to Add a New Connection I get this UI error when Pulling the Certificate:

Manage Connections: New Connection > Pull Certificate > SIC Details

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh: ../opsec-tools/opsec_pull_cert: rc=-1 err=-96 Connection error

What gives?

1 Solution

Chubbybunny
Splunk Employee

This can happen when you've configured the App to use the wrong Server address. Below are some things you can try if that isn't the case:

  1. The App does not have the correct IP address of the Check Point manager

    (which can either be the IP address of the CMA, CLM, or Standalone mgmt depending on where the FW admin has directed you to pull logs from)

  2. The host name is not resolvable to the correct IP address

    (make sure the OS of the Forwarder can resolve all local IP addresses assigned to NICs)

  3. The host of that IP address is unreachable. (use netcat to determine if ports 18184 and 18210 are open to Splunk)

    nc -z CKPT_mgmt.domain.com 18184
    -AND-
    nc -z CKPT_mgmt.domain.com 18210

18184/tcp is used to retrieve FW/AUDIT logs from the Check Point API.

18210/tcp is used for a one-time connection to pull the certificate.
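
The checks from the answer above, combined into one pre-flight script. This is an added example, not part of the original post or the add-on; the function names and exit codes are assumptions, and it relies on `getent` and `nc` being installed on the forwarder.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the LEA connection, following the
# answer's checklist. Usage: ./check_lea.sh CKPT_mgmt.domain.com
# (CKPT_mgmt.domain.com is the answer's placeholder host name).

# Ports named in the answer: 18184 (log retrieval), 18210 (certificate pull).
LEA_PORTS="18184 18210"

# Print the address(es) the forwarder's OS resolves for a name; fail if none.
resolve_host() {
    getent hosts "$1" | awk '{print $1}' | sort -u | grep .
}

# Succeed if a TCP connection to host:port completes within 5 seconds.
port_open() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# Returns 0 = all checks pass, 2 = name does not resolve,
# 3 = at least one required port is unreachable.
check_lea_host() {
    local host="$1" addrs port rc=0
    if ! addrs=$(resolve_host "$host"); then
        echo "FAIL resolve  $host (check DNS or /etc/hosts on the forwarder)"
        return 2
    fi
    # Compare this with the CMA/CLM/standalone address the FW admin gave you.
    echo "OK   resolve  $host -> $(echo $addrs)"
    for port in $LEA_PORTS; do
        if port_open "$host" "$port"; then
            echo "OK   tcp/$port"
        else
            echo "FAIL tcp/$port (closed, filtered, or host down)"
            rc=3
        fi
    done
    return "$rc"
}

# Run only when a host is given on the command line.
if [ "$#" -gt 0 ]; then
    check_lea_host "$1"
fi
```

A failure on tcp/18210 alone matches the certificate-pull error in the question, since that port is only needed for the one-time SIC certificate pull.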
