Splunk Enterprise

Why is Secure Gateway Status Not Connected?

token2
Path Finder

I had the Splunk Cloud Gateway installed before it was standard (Splunk 7.x) and working, with alerts and dashboards accessible from my phone. I believe during a license update that stripped my account (new terms allow for only one account, so admin) broke it (stopped getting alerts). Since it's a home lab and not prod I didn't dig into it.

Now that I am digging into it, the gateway dashboard is showing this:

token2_0-1627864538134.png

SPL:  index=_internal source=*cloud* ERROR AND NOT SUBSCRIPTION

Shows this:

token2_1-1627864586863.png

I can register my device, but it can't see any dashboards, it seems to time out.

There seems to be a vacuum in Google as to troubleshooting this except talk of using proxies. I am not running a proxy.

What could the issue be?

0 Karma

token2
Path Finder

Additional info from one of the troubleshooting dashboards:

token2_0-1627865345258.png

0 Karma

joshiro
Communicator

We are having this same issue on Splunk Enterprise 8.2.6 on-prem with Splunk Secure Gateway 2.7.4. According to the firewall rules, the connection on port 443 outbound to the host prod.spacebridge.spl.mobi is allowed.

When we run the following rest command:

| rest "services/ssg/test_websocket" request_type="{\"versionGetRequest\": {}}" request_mode=clientSingleRequest

We get this output:

auth_code_status = 200
completed_client_registration = 0
error = 'token_id'
server_registration_status = 400
splunk_server = server
wss_response = 0


The error traceback in _internal is:

2022-05-09 11:22:58,148 ERROR [rest_base] [__init__] [exception] [4772] Spacebridge error
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/util/helper.py", line 13, in extract_parameter
    result = obj[key]
KeyError: 'self_register'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/base_endpoint.py", line 53, in handle
    res = self.handle_request(request)
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/base_endpoint.py", line 86, in handle_request
    return self.post(request)
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/registration/saml_registration_handler.py", line 70, in post
    self_register = extract_parameter(request['query'], SELF_REGISTER_LABEL, QUERY_LABEL)
  File "/opt/splunk/etc/apps/splunk_secure_gateway/bin/spacebridgeapp/rest/util/helper.py", line 15, in extract_parameter
    raise Errors.SpacebridgeRestError('Error: Request requires %s parameter "%s"' % (source_name, key), 400)
spacebridgeapp.rest.util.errors.SpacebridgeRestError: Error: Request requires query parameter "self_register"


Did you manage to solve this issue?

0 Karma
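
A staged check of the outbound path described in the post above, meant to be run from the Splunk host itself. It is an added example, not part of the original thread or of Splunk Secure Gateway, and it reports whether DNS, the TCP connect, or the TLS handshake is the first stage to fail toward prod.spacebridge.spl.mobi:443. The function name `check_outbound` and the result keys are assumptions made for illustration.

```python
"""Added example: staged outbound check toward the Spacebridge endpoint."""
import socket
import ssl

# Host and port exactly as given in the post above.
SPACEBRIDGE_HOST = "prod.spacebridge.spl.mobi"
SPACEBRIDGE_PORT = 443


def check_outbound(host=SPACEBRIDGE_HOST, port=SPACEBRIDGE_PORT, timeout=5.0):
    """Return a dict whose 'failed_stage' is 'dns', 'tcp', 'tls' or None."""
    result = {"host": host, "port": port, "failed_stage": None, "detail": ""}

    # Stage 1: name resolution as seen from this host.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result.update(failed_stage="dns", detail=str(exc))
        return result
    result["addresses"] = sorted({info[4][0] for info in infos})

    # Stage 2: plain TCP connect; a refusal or timeout here points at
    # filtering or routing rather than at the application.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result.update(failed_stage="tcp", detail=str(exc))
        return result

    # Stage 3: TLS handshake with certificate and hostname verification.
    # The issuer is recorded so a certificate re-signed on the path is visible.
    ctx = ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls_version"] = tls.version()
            cert = tls.getpeercert()
            result["issuer"] = dict(rdn[0] for rdn in cert.get("issuer", ()))
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        result.update(failed_stage="tls", detail=str(exc))
    return result


if __name__ == "__main__":
    for key, value in check_outbound().items():
        print(f"{key}: {value}")
```

A result with `failed_stage` of `None` only shows that the network path and TLS are intact; it says nothing about the registration error in the traceback above.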

token2
Path Finder

token2_0-1627888284854.png

I can delete devices, I can somewhat register a device (error at the end of the process telling me to contact the admin).

token2_1-1627888351169.png

Thankfully production doesn't use this, but seems shaky for a built-in app.

0 Karma

token2
Path Finder

I had to revert my VM from a snapshot back to Splunk 8.0.1 using Splunk Cloud Gateway instead of Secure Gateway. It now works, I can register my device and check dashboards.

0 Karma

glenp42
Observer

Did you ever get this resolved using SSG? 

I'm having the **exact** same issue with 8.2.x docker in my LAB setup.

0 Karma

token2
Path Finder

Never fixed it, I just restored to an older version of Splunk 7 and am forgoing the update to 8.

0 Karma