Cisco SNA (Stealthwatch) error

SDhaliwal — Mon, 01 Apr 2024 21:39:24 GMT

I'm in the process of configuring SNA Manager and flow collectors and applying the Best practice guide. I've enabled FIPS mode and Common Criteria Encryption libraries on SNA Flow collectors after uploading the correct certs to both SNA Manager and flow collectors. As soon as both of the flow collectors came back up, both of the flow collectors have Config channel down appliance status. I haven't enabled FIPS on SNA Manager yet in fear that I might get the same error.

Questions I have

- Do I need to enable FIPS mode on SNA manager to get the connected appliance status on flow collectors?

- Is there a way to disable FIPS mode from console?

Thanks

-S

Re: Cisco SNA (Stealthwatch) error

wajidhassan — Fri, 11 Jul 2025 16:00:40 GMT

You're absolutely right to proceed cautiously with enabling FIPS mode and Common Criteria libraries on Cisco Secure Network Analytics (SNA) — especially when working with multiple appliances like Flow Collectors and the Manager (SMC).

Based on your situation:

You’ve enabled FIPS mode on both Flow Collectors

You have not yet enabled FIPS mode on the SNA Manager

The Flow Collectors show "Config channel down"

You're concerned about losing comms with the SMC if you enable FIPS there

Let's address your questions directly.

Q1: Do I need to enable FIPS mode on the SNA Manager to get the flow collectors connected again?
Yes.
FIPS mode changes the underlying TLS encryption requirements, and all appliances in the SNA deployment must match the encryption mode for the Config Channel (control channel) to work properly.

If FIPS is enabled only on Flow Collectors, but not on the SMC, you’ll get:

Config channel down or TLS handshake failure errors

To fix this:

You must also enable FIPS mode on the SMC so it uses the same crypto libraries as the Flow Collectors

All connected components (FCs, FTDs, UDP Directors, etc.) must match the FIPS setting of the SMC

Q2: Is there a way to disable FIPS mode from the console (CLI)?
No — not directly or easily.
Once FIPS mode is enabled on SNA appliances (Manager or Collectors), it cannot be disabled via CLI or UI. It is considered a one-way operation, per Cisco's security model.

Disabling FIPS requires a reimage of the appliance.

This is by design for compliance with Common Criteria and FIPS 140-2 certification standards. Once enabled, it hardens the system, disables non-FIPS cryptography, and enforces stricter crypto policies.

What Should You Do Now?
Safe path forward:
Back up your SNA Manager config (if not already).

Enable FIPS mode on the SNA Manager:

Either via the GUI under System → Configuration → Security

Or via the CLI using:

bash
Copy
Edit
sudo /lancope/bin/configure_fips_mode.sh --enable
Reboot the SMC

Once the SMC comes back up in FIPS mode, the Flow Collectors should reconnect and the Config Channel should come back up.

Optional: Validate Status After Enabling FIPS
Check FIPS mode on each appliance:

bash
Copy
Edit
cat /etc/system-fips
Check status of the Config Channel:

bash
Copy
Edit
sudo /lancope/bin/queryApplianceStatus.sh
Or from the SMC GUI:

Go to Central Management > Appliances

Look for “Connected” or “Config channel down” under Appliance Status

Summary
Question Answer
Do I need to enable FIPS on the SNA Manager for flow collectors to connect? ✅ Yes — all components must match encryption mode
Can I disable FIPS from the CLI? ❌ No — requires full reimage
Will enabling FIPS on SMC bring back config channel? ✅ Yes, if certs and crypto settings match

topic Re: Cisco SNA (Stealthwatch) error in Security Analytics

Cisco SNA (Stealthwatch) error

Re: Cisco SNA (Stealthwatch) error