
Cisco IPS Connecting error

dx50
Engager

I can access the IPS without issue through Cisco IPS Manager Express (IME) and can connect to the IPS from telnet. But why do I get this error?

sdee_get.log:

Wed Oct 24 14:53:10 2012 - INFO - Checking for exsisting SubscriptionID on host: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - No exsisting SubscriptionID for host: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - Attempting to connect to sensor: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - Successfully connected to: 10.42.12.20
Wed Oct 24 14:53:11 2012 - ERROR - Connecting to sensor - 10.42.12.20: URLError: urlopen error [Errno 10061] No connection could be made because the target machine actively refused it

bwooden
Splunk Employee

Another problem that can cause this is over-subscribed devices. IPS devices generally have a default subscription limit of 5. Here is one article that details enumerating sessions. We've seen this happen both from stale subscriptions and separately other teams/technologies polling the IPS device.

0 Karma
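The two sdee_get.log excerpts in this thread have the same shape: a "Successfully connected" INFO line followed one second later by an ERROR carrying a URLError with an errno. The following is an added example, not code from the Splunk Cisco IPS app or from anyone in this thread: it parses that log format, records per sensor whether the TCP connection succeeded before the failure, and attaches the checks the answers here propose (Allowed Hosts/Networks, HTTPS reachability from the Splunk server, the default subscription limit of 5, and the SSL/TLS version the script offers). The sample lines are constructed from the excerpts above, and the ordering of checks per errno is my own prioritisation, not something the thread states.

```python
import re
from typing import Dict, List

# Constructed sample input, copied in shape from the two excerpts in this thread
# (the second host keeps only its ERROR line so the "no TCP success seen" case appears).
SAMPLE_LOG = """\
Wed Oct 24 14:53:10 2012 - INFO - Checking for exsisting SubscriptionID on host: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - No exsisting SubscriptionID for host: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - Attempting to connect to sensor: 10.42.12.20
Wed Oct 24 14:53:10 2012 - INFO - Successfully connected to: 10.42.12.20
Wed Oct 24 14:53:11 2012 - ERROR - Connecting to sensor - 10.42.12.20: URLError: urlopen error [Errno 10061] No connection could be made because the target machine actively refused it
Mon Feb 23 13:03:08 2015 - ERROR - Connecting to sensor - 10.201.158.23: URLError: urlopen error [Errno 104] Connection reset by peer
"""

# "Wed Oct 24 14:53:10 2012 - INFO - message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) - "
    r"(?P<level>[A-Z]+) - (?P<msg>.*)$"
)
HOST_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ERRNO_RE = re.compile(r"\[Errno (\d+)\]")

# Checks suggested by the answers in this thread, keyed for reuse.
THREAD_CHECKS = {
    "allowed_hosts": "Add the Splunk host under Sensor Setup > Allowed Hosts/Networks on the sensor (IME/IDM)",
    "https": "Confirm ping and an HTTPS connection to the sensor from the Splunk server itself, not only from IME",
    "subscriptions": "Enumerate SDEE subscriptions on the sensor; the default limit is 5 and stale or third-party subscriptions consume slots",
    "tls": "Check the SSL/TLS version the script offers (the pySDEE fix in this thread replaced SSLv3 with TLSv1)",
}

# Assumption: which check to try first for each errno is my ordering, not the thread's.
CHECK_ORDER = {
    "10061": ["allowed_hosts", "https", "subscriptions", "tls"],  # actively refused
    "104": ["tls", "allowed_hosts", "subscriptions", "https"],    # reset by peer
}
DEFAULT_ORDER = ["allowed_hosts", "https", "subscriptions", "tls"]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn sdee_get.log lines into dicts with ts, level, msg, host and errno."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ev = m.groupdict()
        host = HOST_RE.search(ev["msg"])
        ev["host"] = host.group(1) if host else ""
        errno = ERRNO_RE.search(ev["msg"])
        ev["errno"] = errno.group(1) if errno else ""
        events.append(ev)
    return events


def checks_for(errno: str) -> List[str]:
    """Ordered list of the thread's checks for a given errno."""
    return [THREAD_CHECKS[k] for k in CHECK_ORDER.get(errno, DEFAULT_ORDER)]


def summarize(text: str) -> Dict[str, dict]:
    """Per-sensor view: did TCP connect before the failure, which errno, which checks to run."""
    summary: Dict[str, dict] = {}
    for ev in parse_log(text):
        if not ev["host"]:
            continue
        s = summary.setdefault(
            ev["host"], {"tcp_connected": False, "errno": "", "error": "", "checks": []}
        )
        if ev["level"] == "INFO" and ev["msg"].startswith("Successfully connected"):
            # The script got a socket to the sensor; the later URLError is the HTTPS/SDEE stage failing.
            s["tcp_connected"] = True
        elif ev["level"] == "ERROR":
            s["errno"] = ev["errno"]
            s["error"] = ev["msg"]
            s["checks"] = checks_for(ev["errno"])
    return summary


if __name__ == "__main__":
    for host, s in summarize(SAMPLE_LOG).items():
        print(f"{host}: errno={s['errno'] or '-'} tcp_connected={s['tcp_connected']}")
        for c in s["checks"]:
            print("   -", c)
```

Run it against a real sdee_get.log by reading the file into `summarize()`; a host that shows "Successfully connected" and then an errno is reachable at the socket level, so the Allowed Hosts and TLS checks are the ones to pursue rather than basic routing.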

ilirb
Path Finder

Hi,

Modifying the bin/pysdee/pySDEE.py and changing the SSLv3 version to TLSv1 helped solve my problem, as was explained here

http://answers.splunk.com/answers/105193/cisco-ips-error-errno-8.html

and here:

http://blog.hortonew.com/splunk-ciscoips-app-no-longer-pulls-from-ips
Hope it helps you, too.

I.
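The fix above is to stop the script from offering SSLv3. The following is an added example, not the pySDEE.py code from the app or from ilirb: it shows how the same requirement is expressed with the Python 3 ssl module, building a client context that refuses SSLv2/SSLv3, keeps certificate verification on, and can be handed to urllib for the SDEE request, plus a small probe that performs only the TLS handshake against the sensor and maps the failure to the buckets seen in this thread (refused, reset, TLS error). The sensor address, port 443 and the `cafile` parameter are assumptions for illustration; a sensor with a self-signed certificate should have that certificate exported and passed as `cafile` rather than disabling verification.

```python
import socket
import ssl
import urllib.error
import urllib.request


def tls_only_context(cafile=None, minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that never negotiates SSLv2/SSLv3 and verifies the sensor certificate.

    Assumption: the sensor's certificate chains to `cafile` (or the system store when None).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # sets OP_NO_SSLv2/OP_NO_SSLv3, CERT_REQUIRED, hostname check
    ctx.minimum_version = minimum                   # modern floor; ilirb's 2013-era change used TLSv1
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def describe_context(ctx):
    """Plain-data view of the settings that matter for this thread's problem."""
    return {
        "no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        "minimum": ctx.minimum_version.name,
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def sdee_opener(ctx):
    """urllib opener that uses the hardened context for every HTTPS request."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def classify_failure(exc):
    """Map the exception urlopen or a raw socket raises to the buckets discussed in this thread."""
    exc = getattr(exc, "reason", exc)  # URLError wraps the underlying OSError in .reason
    if isinstance(exc, ssl.SSLError):
        return "tls"        # protocol/version or certificate mismatch
    if isinstance(exc, ConnectionRefusedError):
        return "refused"    # e.g. [Errno 10061] on Windows, [Errno 111] on Linux
    if isinstance(exc, ConnectionResetError):
        return "reset"      # e.g. [Errno 104] Connection reset by peer
    if isinstance(exc, socket.timeout):
        return "timeout"
    return "other"


def probe(host, port=443, timeout=5.0, ctx=None):
    """TCP connect plus TLS handshake only; returns (bucket, detail). Hypothetical host values are fine."""
    ctx = ctx or tls_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except OSError as exc:
        return (classify_failure(exc), str(exc))


if __name__ == "__main__":
    SENSOR = "10.42.12.20"  # sensor address from the question, used here as an assumed example target
    print(describe_context(tls_only_context()))
    print(probe(SENSOR))
```

A "reset" result from `probe()` on a sensor that answers IME fine points at the handshake itself (the case ilirb describes), while "refused" means nothing accepted the TCP connection on that port and the Allowed Hosts/Networks answers below apply first.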

paguayof
New Member

Hello,

I have a similar problem, and the Splunk host is in the Allowed Hosts list; I can ping the IPS and get the XML with no problem from the Splunk host.

Mon Feb 23 13:03:07 2015 - INFO - Checking for exsisting SubscriptionID on host: 10.201.158.23
Mon Feb 23 13:03:07 2015 - INFO - No exsisting SubscriptionID for host: 10.201.158.23
Mon Feb 23 13:03:07 2015 - INFO - Attempting to connect to sensor: 10.201.158.23
Mon Feb 23 13:03:07 2015 - INFO - Successfully connected to: 10.201.158.23
Mon Feb 23 13:03:08 2015 - ERROR - Connecting to sensor - 10.201.158.23: URLError: urlopen error [Errno 104] Connection reset by peer

What can it be?

0 Karma

strumpowertsc
Engager

This is a late response but thought I'd post it for others that might be experiencing the same problem.

You have to permit the Splunk box to connect on the IPS device. You can do this by re-running the setup from the command line or by clicking Sensor Setup > Allowed Hosts/Networks > Add in IME or IDM.

andrew_garvin
Path Finder

I agree with Dave. Make sure you can ping and make https connections to the IPS appliance from the Splunk server. If you confirm connectivity and you are still having an issue, please let us know.

0 Karma

dshpritz
SplunkTrust

I believe that you have to allow the IP that the script is running from to connect to the IPS somewhere in the IME. That is, the sensor needs to be told to allow connections from the Splunk box. Wish I could tell you where in the config.

HTH,

Dave

0 Karma