Splunk Enterprise

Why did Secure Gateway stopped working (status "not connected") few min after setup?

gdigrego
Path Finder

Hello,

I am looking for a solution to send Splunk alerts to Splunk mobile application. So far I was using the "Splunk Cloud Gateway" splunkbase on my Splunk lab (standalone Splunk VM) which was based on Splunk 8.0.x. Since I wanted to upgrade recently to Splunk 8.2.4, I needed to also move to the "embedded" Splunk Secure Gateway app.

Since I did not needed the former indexed data, I decided to remove Splunk 8.0 and do a fresh install of 8.2.4 (no upgrade on Splunk side nor migration from Cloud Gateway to Secure Gateway). After "opt-in" for Secure Gateway, the gateway managed to stay "connected" for a duration of ~10 minutes (I can see "ping-pong" messages in Secure Gateway logs/_internal index). But it stopped suddenly to work (status in dashboard is now desperately showing  "not connected") ...

Last "ping-pong" exchange is the following one:

gdigrego_0-1644594734792.png

This was "today morning " at 0:20 AM (twenty past midnight, 10 minutes after gateway optin/config).

On the errors side, the first one ever I can see is this one (7 min before 0:20 AM):

gdigrego_1-1644595387898.png

Then this one when it stopped the "ping-pong" traffic (at 0:20 AM):

gdigrego_2-1644595445812.png

 And then such ones:

gdigrego_3-1644595507328.png

 

I've checked all the logs of the gateway, enabled DEBUG traces, analyzed the python code, checked these errors, changed the "timeouts" for bigger values in the app conf file, looked at the "Troubleshooting sections" of the doc ... but I could not find yet why it suddenly stopped to work.

To be complete, I am running on a lab VM (2 vCPU, 8GB of RAM) (which is under the prereq "specs", I know) and with SSL self-sign certificate generated by Splunk when I changed the server settings to use HTTPS. I am behind a Sophos UTM 9.7 which is protecting my home network and I've made a rule to disable filtering (like SSL scanning etc) for URLs that ends by *.spl.mobi 

Would you have any directions or clues for fixing that connectivity issue?

Thanks in advance 

 

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...