Push error for subscription_Errno 60 Operation timed out

Helmi0001 · ‎07-18-2013

Hello expert,

Sorry if my question is not related to CiscoESA/WSA.

I just want to confirm whether it's ArcSight or Cisco issue.

Scenario:

- All logs/events from all devices including Cisco ESA/WSA are shown in ArcSight Manager/Logger with no issue, however I received below contents in email:

“Log Error: Push error for subscription Authentication_arcsight: Failed to connect to 128.247.95.248: [Errno 60] Operation timed out

Last message occurred 9 times between Thu Jul 4 19:16:47 2013 and Thu Jul 4 19:26:49 2013.”

128.247.95.248 is Arcsight SmarConnector Appliance, which is to collect events from all/Cisco devices.

Please advise.

Thanks & regards,

srussell · ‎07-18-2013

Hi Nor,

It sounds to me like there are network communications issues preventing your ESA/WSA from connecting to your syslog server. This could be a routing issue, DNS issue, firewall, or IDS/IPS issue preventing this communication.

If your syslog server accepts TCP connections over default port 514 you could attempt the following test from the CLI of the ESA/WSA to test communication:

telnet #syslog server ip address# 514

If you receive a connection refused or it times out this indicates an issue listed above.

Regards,

Steve

Content Security Technical Services - RTP, NC

Cisco Customer Interaction: 1-800-553-2447

Helmi0001 · ‎07-18-2013

Many thanks Steve.

If I'm not mistaken, we are using FTP Push for log retrieval method. Our ArcSight Manager & Logger are able to show the logs/events from both Cisco devices, no issue.

So, does it related to network commmunication since ArcSight able to collect the logs/events from the Cisco devices?

Previously we are using SCP, but ArcSight can't collect the logs, so we change to FTP. However, we keep receiving above email error message everyday.