09-18-2017 10:03 PM
When trying to quarantine via the GUI using quarantine by IP address, the operation fails. It appears there is an extra character at the end of the MAC address that causes it to fail. If I remove the character and enter it via the CLI, the operation completes successfully. The same error happens if I choose quarantine via IP address too. Is there a bug associated with this, is the add-on not supported with 2.3, or have I configured it incorrectly? The Splunk add-on for ISE version is 2.2.
Not working and working shown below:
Failed attempt when done via GUI:
2017-09-18 23:00:34,765 [021246] DEBUG splunk.rest: simpleRequest < server responded status=200 responseTime=0.0285s
2017-09-18 23:00:34,769 [021246] INFO root: keystorePassword=********
2017-09-18 23:00:34,769 [021246] INFO root: truststorePassword=********
2017-09-18 23:00:34,769 [021246] DEBUG root: sys.argv=['/opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/pxgremediate.py', 'xgridAction=unquarantine', 'xgridType=mac', 'xgridTarget=00-50-56-8D-68-44\\']
2017-09-18 23:00:34,769 [021246] INFO root: xgridAction=unquarantine
2017-09-18 23:00:34,769 [021246] INFO root: xgridType=mac
2017-09-18 23:00:34,769 [021246] INFO root: xgridTarget=00-50-56-8D-68-44\
2017-09-18 23:00:34,769 [021246] INFO root: LAUNCHING: java -jar /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/lib/pxGrid_Search.jar ise240.metlab.local ersadmin /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/splunk-09-2017.jks ******** /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks ******** 00-50-56-8D-68-44\ unquarantine_mac
2017-09-18 23:00:34,974 [021246] INFO root: result from java cmd: unable to read keystore. please check the keystore filename and keystore password.
Done from the CLI manually. Extra character removed (the \ at the end of the MAC address). Also, the error above is confusing. It should be something more informative.
java -jar /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/lib/pxGrid_Search.jar ise240.metlab.local ersadmin /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/splunk-09-2017.jks xxxxxx /opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/certs/caroot1.jks xxxxxx 00-50-56-8D-68-44 unquarantine_mac
23:05:28.835 [Smack Listener Processor (0)] DEBUG com.cisco.pxgrid.GridConnection - associate presence packet received (type=available, from=ersadmin@xgrid.cisco.com)
23:05:29.589 [Thread-0] DEBUG c.c.p.internal.CapabilityManager - refreshing connection state...
23:05:29.590 [Thread-0] DEBUG c.c.p.internal.CapabilityManager - done refreshing connection state.
23:05:29.591 [Thread-0] DEBUG c.c.p.i.s.NotificationHandlerSmack - refreshing connection state...
23:05:29.592 [Thread-0] DEBUG c.c.p.i.s.NotificationHandlerSmack - done refreshing connection state.
23:05:29.796 [main] DEBUG c.c.p.internal.CapabilityManager - subscribed (topic=EndpointProtectionService)
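The log above shows the remediation script receiving `xgridTarget=00-50-56-8D-68-44\` and passing the trailing backslash straight into the java command line. The following is an added example, not the add-on's own code: it parses the same `key=value` argv layout seen in the `sys.argv` line, rejects or cleans a malformed target before anything is launched, builds the jar's argument list in the order shown on the LAUNCHING line, and uses `shlex` to show what a POSIX shell would make of a flat command string ending in `...44\ unquarantine_mac`. The function names, the regexes and the sample argv are assumptions made for the example.

```python
"""Constructed example (not the Splunk add-on's code): validate the pxGrid
remediation target before building the java command line.

The argv layout and the jar's argument order are copied from the log in the
post; everything else (function names, regexes, sample values) is assumed."""
import re
import shlex
import subprocess

ACTIONS = {"quarantine", "unquarantine"}
TYPES = {"mac", "ip"}
# Six hex octets separated by "-" or ":" (accepts 00-50-56-8D-68-44 and 00:50:56:8d:68:44).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}$")
# Dotted-quad IPv4 with each octet in 0..255.
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def parse_args(argv):
    """Turn ['script.py', 'key=value', ...] into a dict, matching the sys.argv shape in the log."""
    params = {}
    for item in argv[1:]:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError("expected key=value, got %r" % (item,))
        params[key] = value
    return params


def clean_target(xgrid_type, raw):
    """Drop stray trailing backslashes and whitespace, then validate and normalise the target."""
    target = raw.strip().rstrip("\\")
    if xgrid_type == "mac":
        if not MAC_RE.match(target):
            raise ValueError("invalid MAC address: %r" % (raw,))
        # Normalise to the upper-case, dash-separated form seen in the log.
        return target.upper().replace(":", "-")
    if xgrid_type == "ip":
        if not IPV4_RE.match(target):
            raise ValueError("invalid IPv4 address: %r" % (raw,))
        return target
    raise ValueError("unsupported xgridType: %r" % (xgrid_type,))


def build_command(params, jar, host, user, keystore, keystore_pw, truststore, truststore_pw):
    """Build the argv list in the order shown on the LAUNCHING line of the log."""
    action = params.get("xgridAction")
    xgrid_type = params.get("xgridType")
    if action not in ACTIONS:
        raise ValueError("unsupported xgridAction: %r" % (action,))
    if xgrid_type not in TYPES:
        raise ValueError("unsupported xgridType: %r" % (xgrid_type,))
    target = clean_target(xgrid_type, params.get("xgridTarget", ""))
    return ["java", "-jar", jar, host, user, keystore, keystore_pw,
            truststore, truststore_pw, target, "%s_%s" % (action, xgrid_type)]


def shell_view(command_line):
    """Show how a POSIX shell splits a flat command string: a backslash before
    a space escapes it, so 'X\\ unquarantine_mac' becomes ONE argument and the
    jar sees one argument fewer than it expects."""
    return shlex.split(command_line)


def launch(cmd):
    """Run the argv list directly (no shell), so no character in any argument
    can be reinterpreted. cmd contains keystore passwords; do not log it."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed argv mirroring the failing GUI call from the log.
    sample_argv = ["pxgremediate.py", "xgridAction=unquarantine",
                   "xgridType=mac", "xgridTarget=00-50-56-8D-68-44\\"]
    params = parse_args(sample_argv)
    cmd = build_command(params, "pxGrid_Search.jar", "ise240.metlab.local", "ersadmin",
                        "splunk.jks", "ks-secret", "caroot1.jks", "ts-secret")
    print("target/action as separate args:", cmd[-2:])
    print("same thing through a shell:",
          shell_view("java -jar x.jar 00-50-56-8D-68-44\\ unquarantine_mac")[-1:])
```

Running the block prints the cleaned target and the action as two separate arguments, and then shows that the shell view of the unescaped string collapses them into the single argument `00-50-56-8D-68-44 unquarantine_mac`. Keeping the command as a list and validating the target against a strict pattern is what turns a confusing downstream error into an explicit "invalid MAC address" at the point where the bad input enters.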
09-19-2017 07:35 AM
Hello,
All should be fine.
Have you configured pxGrid remediation through the setup as indicated in How To: Splunk and ISE pxGrid Adaptive Network Control (ANC) Mitigation Workflow Actions, or strictly through the CLI?
We can setup a webex, please send me an email on your availability.
Thanks,
John
09-19-2017 08:05 AM
I am finishing up an appointment and have availability for the rest of the day. I did follow the documentation; however, I used CA-signed certs and not self-signed certs.
09-19-2017 03:15 PM
09-26-2017 07:20 AM
John,
I was able to get this to display and execute correctly based on the information you showed me about the Splunk workflow settings. I created the Framed IP instances and also had to restart Splunk after each set of changes that I made.
Thanks for the help