topic Re: Threat Data Updates on Devices SI DNS Lists and Feeds - Failure - Reapair Instructions in Network Security

Threat Data Updates on Devices SI DNS Lists and Feeds - Failure

kostasthedelegate — Fri, 21 Feb 2020 17:33:40 GMT

Hello,

Has anyone encountered the below error?

Threat Data Updates on Devices SI DNS Lists and Feeds - Failure

I have asa with sfr(6.2.3.6) and after upgrade to 6.4.0.4 i get this error.

Any hints?

Thanks and regards,

Konstantinos

Re: Threat Data Updates on Devices SI DNS Lists and Feeds - Failure

kostasthedelegate — Mon, 07 Oct 2019 06:11:29 GMT

Hello,

I tried this command and it was successful.

admin@Firepower:~
sudo curl -vvk https://tools.cisco.com

It is the same channel with the other updates, right?

What might be wrong?

Regards,

Konstantinos

Re: Threat Data Updates on Devices SI DNS Lists and Feeds - Failure - Reapair Instructions

Marvin Rhoads — Sun, 19 Apr 2020 03:42:42 GMT

Sorry for the late reply but hopefully this will be of use to others encountering the problem. It seems to affect 6.4.x and 6.5.x (as recent as 6.5.0.4).

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs82369

My recent but limited experience with 6.6 hasn't shown it to be an issue there so far.

The workaround is a bit lacking in details:

Workaround:
Manually edit /ngfw/etc/sf/connector.properties on all failing devices and set connector_fqdn to the region defined in /ngfw/var/tmp/tds-cloud-events.json on that device.

Here's a more thorough explanation:

1. Log into the device(s) reporting the problem in FMC.

2. Change to expert mode and then sudo to su (superuser, aka "root").

3. Inspect the files "/ngfw/var/tmp/tds-cloud-events.json" and "/ngfw/etc/sf/connector.properties".

4. Make a backup of /ngfw/etc/sf/connector.properties

5. Edit /ngfw/etc/sf/connector.properties to add the value from the region variable in the json file to the "connector_fqdn=" line. (vi is built into RHEL so just vi the file, switch to insert mode with i, add the text, esc to command mode and then :wq to write and quit).

6. Verify your changes are as expected.

7. Wait a few minutes and the alarm should clear in FMC. No restart, deployment or other changes should be necessary.

> expert
**************************************************************
NOTICE - Shell access will be deprecated in future releases
         and will be replaced with a separate expert mode CLI.
**************************************************************
admin@fw1:~$ cd /ngfw/var/tmp
admin@fw1:/ngfw/var/tmp$ ls -al | grep tds
-rw-r--r--  1 root root   140 Apr 18 16:00 tds-cloud-events.json
-rw-r--r--  1 root root   351 Apr 19 02:34 tds_health.status
admin@fw1:/ngfw/var/tmp$ cat tds-cloud-events.json 
{
   "events" : {
      "connection" : 0,
      "file" : 0,
      "intrusion" : 0
   },
   "csd" : "1",
   "region" : "api-sse.cisco.com"
}
admin@fw1:/ngfw/var/tmp$ cd /ngfw/etc/sf/
admin@fw1:/ngfw/etc/sf$ cat connector.properties 
registration_interval=180
connector_port=8989
connector_fqdn=
region_discovery_endpoint=https://api-sse.cisco.com/providers/sse/api/v1/regions
admin@fw1:/ngfw/etc/sf$ 
admin@fw1:/ngfw/etc/sf$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: 
root@fw1:~# pwd
/root
root@fw1:~# cd /ngfw/etc/sf
root@fw1:sf# cp connector.properties connector.properties.old
root@fw1:sf# vi connector.properties
root@fw1:sf# cat connector.properties
registration_interval=180
connector_port=8989
connector_fqdn=api-sse.cisco.com
region_discovery_endpoint=https://api-sse.cisco.com/providers/sse/api/v1/regions
root@fw1:sf# cat /ngfw/etc/sf/connector.properties
registration_interval=180
connector_port=8989
connector_fqdn=api-sse.cisco.com
region_discovery_endpoint=https://api-sse.cisco.com/providers/sse/api/v1/regions
root@fw1:sf#

Re: Threat Data Updates on Devices SI DNS Lists and Feeds - Failure - Reapair Instructions

Solutionary — Tue, 23 Feb 2021 16:43:29 GMT

Marvin, but what about sensors (7000-8000 series) giving this same health alert.

I looked in /etc/sf and /var/tmp since NGFW is not a directory on the sensors, but did not see these files.

I did find the health status that does show a failure, but no indications of what failed, when I go into the /var/sf/ directory and reviewing the files in iprep_download, sidns_download, they appear to be up to date.

:/var/tmp# more tds_health.status
{
"modules" : {
"Siurl" : "Success",
"ThreatConf" : "Success",
"SHAList" : "Success",
"Siip" : "Failure",
"Clam" : "Success",
"CloudEvents" : "Success",
"Sidns" : "Failure",
"Bcdb" : "Success",
"DynamicAnalysis" : "Success"
},
"timestamp" : 1614091171
}

Re: Threat Data Updates on Devices SI DNS Lists and Feeds - Failure - Reapair Instructions

Marvin Rhoads — Tue, 23 Feb 2021 18:35:16 GMT

I checked my 3D7125 running 6.4.0.10 and it does not appear to have a connector.properties anywhere.

You might have to open a TAC case to resolve that one.

Re: Threat Data Updates on Devices SI DNS Lists and Feeds - Failure - Reapair Instructions

rohan.govindjiwala1 — Thu, 01 Apr 2021 12:07:51 GMT

Hello Marvin,

thanks for you explanation, i am also getting similar alerts on my FMC.I have verified region and connector_fqdn filed on FTD but they seems to be okay, could you please suggest further.Below are logs for your reference.

XXXX:/ngfw/var/tmp$ cat tds-cloud-events.json
{
"events" : {
"connection" : 1,
"file" : 1,
"prioritizedConnection" : 0,
"intrusion" : 1
},
"csd" : "0",
"region" : "api.eu.sse.itd.cisco.com"
}

XXXX:/ngfw/etc/sf$ cat connector.properties
registration_interval=180
connector_port=8989
connector_fqdn=api.eu.sse.itd.cisco.com
region_discovery_endpoint=https://api-sse.cisco.com/providers/sse/api/v1/regions

Re: Threat Data Updates on Devices SI DNS Lists and Feeds - Failure - Reapair Instructions

Marvin Rhoads — Thu, 01 Apr 2021 17:02:26 GMT

If you have verified the settings (as as you noted) and continue to have the error, I suggest opening a TAC case to investigate and resolve the issue.

Re: Threat Data Updates on Devices SI DNS Lists and Feeds - Failure - Reapair Instructions

rohan.govindjiwala1 — Fri, 02 Apr 2021 09:31:14 GMT

Okay Marvin, will do the same. Thanks for your response.

Re: Threat Data Updates on Devices SI DNS Lists and Feeds - Failure -

tiwang — Wed, 01 May 2024 05:42:03 GMT

hi Marvin

I just updateed our FTD's all over the world to 7.2.6 due to this security-flaw CSCwj10955 - and after that i have got this error in some regions - our FMC is located in northern Europe - and the FTD is in China.

Since the update the FTD in China has a warning "SI URL Lists and Feeds - failure"

If i look for similar configs like those just showen in this chat i have:
cat tds-cloud-events.json
{
"csd" : "0",
"events" : {
"connection" : 0,
"file" : 0,
"connection_all" : 0,
"intrusion" : 0
},
"csn" : {
"has_been_asked_to_participate" : "1",
"cisco_success_network" : "1",
"is_sse_enrolled_first_use" : "1"
},
"region" : "api.eu.sse.itd.cisco.com",
"ltp" : null
}

This of course worries me a bit that the region is defined to something in europe and not asia but on the other hand it doesnt look as if the is a connectivity problme - curl connects fine:
curl -vvk https://api.eu.sse.itd.cisco.com
* Trying 18.158.186.55...
* TCP_NODELAY set
* Connected to api.eu.sse.itd.cisco.com (18.158.186.55) port 443 (#0)
* successfully set FIPS mode: 0
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* successfully set FIPS mode: 0
* successfully set FIPS mode: 0
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* successfully set FIPS mode: 0
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Jose; O=Cisco Systems Inc.; CN=api.eu.sse.itd.cisco.com
* start date: Feb 29 16:52:10 2024 GMT
* expire date: Feb 28 16:51:10 2025 GMT
* issuer: C=US; O=IdenTrust; OU=HydrantID Trusted Certificate Service; CN=HydrantID Server CA O1
* SSL certificate verify ok.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: api.eu.sse.itd.cisco.com
> User-Agent: curl/7.61.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 403 Forbidden
< Date: Wed, 01 May 2024 05:32:30 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 9
< Connection: keep-alive
< Keep-Alive: timeout=5
< ETag: "6615b447-9"
< Cache-Control: no-store
< Pragma: no-cache
< Content-Security-Policy: default-src https: ;
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains
<
* Connection #0 to host api.eu.sse.itd.cisco.com left intact

Any ideas - suggestions?