FMC Warnings

benolyndav — Fri, 13 May 2022 08:36:52 GMT

Cab anyone tell me whats causing the below please and possible fix . also below warnings are some tests I ran which were succesful

Thanks

May 13 07:29:36 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [INFO] The curl option for ip verify_peer=1 verifyhost=0

May 13 07:29:36 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [INFO] List 8527413e-6167-11e1-a8bf-e99ce99bfdf1 being updated up_freq: 0 need_update: 0

May 13 07:29:36 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [INFO] SF List Sourcefire_Intelligence_Feed being updated

May 13 07:29:36 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [WARN] DownloadFile: Download failure. Retries remaining: 2

May 13 07:29:37 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [WARN] DownloadFile: Download failure. Retries remaining: 1

May 13 07:29:38 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [WARN] Download unsucessful: SSL peer certificate or SSH remote key was not OK

May 13 07:29:38 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [WARN] Cannot download 8527413e-6167-11e1-a8bf-e99ce99bfdf1

May 13 07:29:38 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [INFO] The curl option for dns verifypeer=1 verifyhost=0

May 13 07:29:38 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:URLDNS [INFO] List 43d5bee1-bd7d-4fe3-a1dd-1101181aed48 being updated up_freq: 0 need_update: 0

May 13 07:29:38 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:URLDNS [INFO] SF URL/DNS List Cisco_DNS_Intelligence_Feed being updated

May 13 07:29:39 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [WARN] DownloadFile: Download failure. Retries remaining: 2

May 13 07:29:40 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [WARN] DownloadFile: Download failure. Retries remaining: 1

May 13 07:29:41 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [WARN] Download unsucessful: SSL peer certificate or SSH remote key was not OK

May 13 07:29:41 CFMC-01 SF-IMS[12342]: [12363] CloudAgent:IPReputation [WARN] Cannot download 43d5bee1-bd7d-4fe3-a1dd-1101181aed48

---------------------------------------------------------------------------------------------------

admin@CFMC-01:~$ sudo ping intelligence.sourcefire.com

PING intelligence.sourcefire.com (198.148.79.58) 56(84) bytes of data.

64 bytes from intelligence.sourcefire.com (198.148.79.58): icmp_req=1 ttl=47 time=99.1 ms

64 bytes from intelligence.sourcefire.com (198.148.79.58): icmp_req=2 ttl=47 time=98.6 ms

64 bytes from intelligence.sourcefire.com (198.148.79.58): icmp_req=3 ttl=47 time=100 ms

64 bytes from intelligence.sourcefire.com (198.148.79.58): icmp_req=4 ttl=47 time=98.5 ms

64 bytes from intelligence.sourcefire.com (198.148.79.58): icmp_req=5 ttl=47 time=98.9 ms

64 bytes from intelligence.sourcefire.com (198.148.79.58): icmp_req=6 ttl=47 time=99.5 ms

64 bytes from intelligence.sourcefire.com (198.148.79.58): icmp_req=7 ttl=47 time=98.0 ms

--- intelligence.sourcefire.com ping statistics ---

7 packets transmitted, 7 received, 0% packet loss, time 6000ms

rtt min/avg/max/mdev = 98.099/99.087/100.598/0.794 ms

---------------------------------------------------------------------------------------------------------------------------

admin@CFMC-01:~$ sudo telnet intelligence.sourcefire.com 443

Trying 198.148.79.58...

Connected to intelligence.sourcefire.com.

Escape character is '^]'.

--------------------------------------------------------------------------------------------------------------------------------

admin@CFMC-01:~$ sudo nslookup intelligence.sourcefire.com

Non-authoritative answer:

Name: intelligence.sourcefire.com

Address: 198.148.79.58

Name: intelligence.sourcefire.com

Address: 2620:28:c000:0:aba:ca:daba:58

Re: FMC Warnings

Rob Ingram — Fri, 13 May 2022 08:42:28 GMT

@benolyndav does your FMC trust the root certificate in use?

Are you decrypting the SSL traffic?

Re: FMC Warnings

benolyndav — Fri, 13 May 2022 09:15:06 GMT

@benolyndav does your FMC trust the root certificate in use?

Trust what Root Cert ? which one do I look for ??

Are you decrypting the SSL traffic?

Default SSL policy do not decrypt

Re: FMC Warnings

Rob Ingram — Fri, 13 May 2022 11:15:52 GMT

@benolyndav the root certificates of intelligence.sourcefire.com. You can open that URL in a browser to determine the root certificates and then check the FMC to determine if you have the certificates.

What version of FMC/FTD are you running?

Has this ever worked or a new issue?

Re: FMC Warnings

benolyndav — Fri, 13 May 2022 11:49:51 GMT

Hi Rob

Version 6.6.5

and yes I started noticing the warning message a while ago but was advised it was a bug, now im not sure

I do see the identTrust certs in Cisco trusted ca groups although I dont see the HydrantID cert which I see in the chain when i browse to the site.??

Re: FMC Warnings

Marvin Rhoads — Fri, 13 May 2022 16:21:48 GMT

In addition to what @Rob Ingram correctly noted, there's also a Field Notice advising customers on this issue:

https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72332.html

Re: FMC Warnings

benolyndav — Tue, 17 May 2022 11:17:04 GMT

Thanks Marvin

topic Re: FMC Warnings in Network Security

FMC Warnings

Re: FMC Warnings

Re: FMC Warnings

Re: FMC Warnings

Re: FMC Warnings

Re: FMC Warnings

Re: FMC Warnings

Re: FMC Warnings