Cisco IPS Connecting error

Engager

I can access the IPS without issue through Cisco IPS Manager Express (IME) and can connect to the IPS from telnet. But why do I get this error?

sdee_get.log:

Wed Oct 24 14:53:10 2012 - INFO - Checking for exsisting SubscriptionID on host: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - No exsisting SubscriptionID for host: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - Attempting to connect to sensor: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - Successfully connected to: 10.42.12.20
Wed Oct 24 14:53:11 2012 - ERROR - Connecting to sensor - 10.42.12.20: URLError: urlopen error [Errno 10061] No connection could be made because the target machine actively refused it

Splunk Employee

Another problem that can cause this is over-subscribed devices. IPS devices generally have a default subscription limit of 5. Here is one article that details enumerating sessions. We've seen this happen both from stale subscriptions and separately other teams/technologies polling the IPS device.

0 Karma

Path Finder

Hi,

Modifying bin/pysdee/pySDEE.py and changing the SSLv3 version to TLSv1 helped solve my problem, as was explained here:

http://answers.splunk.com/answers/105193/cisco-ips-error-errno-8.html

and here:

http://blog.hortonew.com/splunk-ciscoips-app-no-longer-pulls-from-ips
Hope it helps you, too.

I.

New Member

Hello,

I have a similar problem, and the Splunk is in the Allowed Hosts. I can ping the IPS and get the XML with no problem from the Splunk.

Mon Feb 23 13:03:07 2015 - INFO - Checking for exsisting SubscriptionID on host: 10.201.158.23
Mon Feb 23 13:03:07 2015 - INFO - No exsisting SubscriptionID for host: 10.201.158.23
Mon Feb 23 13:03:07 2015 - INFO - Attempting to connect to sensor: 10.201.158.23
Mon Feb 23 13:03:07 2015 - INFO - Successfully connected to: 10.201.158.23
Mon Feb 23 13:03:08 2015 - ERROR - Connecting to sensor - 10.201.158.23: URLError: urlopen error [Errno 104] Connection reset by peer>

What can it be?

0 Karma

This is a late response but thought I'd post it for others that might be experiencing the same problem.

You have to permit the Splunk box to connect on the IPS device. You can do this by re-running the setup from the command line or by clicking Sensor Setup > Allowed Hosts/Networks > Add in IME or IDM.

Path Finder

I agree with Dave. Make sure you can ping and make https connections to the IPS appliance from the Splunk server. If you confirm connectivity and you are still having an issue, please let us know.

0 Karma

SplunkTrust

I believe that you have to allow the IP that the script is running from to connect to the IPS somewhere in the IME. That is, the sensor needs to be told to allow connections from the Splunk box. Wish I could tell you where in the config.

HTH,

Dave

0 Karma
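
Added example (not written by any poster in this thread and not part of the Splunk app): a small Python parser for the sdee_get.log format quoted above. It reports, per sensor, the most recent connection error and what the errno means at the OS level, which separates a refused TCP connection from a reset one before you check Allowed Hosts, the subscription limit, or the SSL/TLS version. The function names and the errno table are this example's own; the sample lines are copied from the logs posted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the sdee_get.log excerpts quoted in this thread.
SAMPLE_LOG = """\
Wed Oct 24 14:53:10 2012 - INFO - Attempting to connect to sensor: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - Successfully connected to: 10.42.12.20
Wed Oct 24 14:53:11 2012 - ERROR - Connecting to sensor - 10.42.12.20: URLError: urlopen error [Errno 10061] No connection could be made because the target machine actively refused it
Mon Feb 23 13:03:08 2015 - ERROR - Connecting to sensor - 10.201.158.23: URLError: urlopen error [Errno 104] Connection reset by peer>
"""

# "<ctime-style timestamp> - <LEVEL> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) - (?P<level>[A-Z]+) - (?P<msg>.*)$")
ERR_RE = re.compile(r"Connecting to sensor - (?P<host>[\d.]+): .*?\[Errno (?P<errno>\d+)\]")

# OS-level meaning of the socket error numbers (Windows and Linux variants).
ERRNO_MEANING = {
    10061: "WSAECONNREFUSED (Windows): TCP connection refused",
    111: "ECONNREFUSED (Linux): TCP connection refused",
    10054: "WSAECONNRESET (Windows): connection reset by peer",
    104: "ECONNRESET (Linux): connection reset by peer",
}

def parse_errors(text):
    """Return {sensor_ip: [(datetime, errno), ...]} built from ERROR lines only."""
    errors = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["level"] != "ERROR":
            continue
        e = ERR_RE.search(m["msg"])
        if e:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            errors[e["host"]].append((ts, int(e["errno"])))
    return dict(errors)

def summarize(text):
    """One line per sensor: time of the latest error, errno, OS-level meaning."""
    out = []
    for host, items in sorted(parse_errors(text).items()):
        ts, errno = max(items)  # latest error for this sensor
        meaning = ERRNO_MEANING.get(errno, "unrecognized errno")
        out.append(f"{host} last_error={ts:%Y-%m-%d %H:%M:%S} errno={errno} {meaning}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```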