PxGrid to Stealthwatch Odd Connection Display

kkaminsk · ‎11-27-2019

Hi Folks,

I am running a POC using ISE 2.4 latest patch with Stealthwatch 7.1 patched with patches 1 and 2.

I am seeing a Green good connection in Stealthwatch, but in ISE it is showing offline. Certificates are set for auto approval.

The log in pxgrid says it subscribed OK and connected.

Any tips on troubleshooting the issue?

Damien Miller · ‎11-27-2019

Seems like an odd question but just to confirm, are you looking at the correct view? Pxgrid v1 connections are displayed in the all connections tab, while pxgrid v2 connections are showed in the web clients tab.

kkaminsk · ‎11-29-2019

Hi Damien,

Stealthwatch 7 uses Pxgrid v1 still behind the scenes according to John Eppich's guide. On the All Clients tab I am seeing the smc connection as offline. I should see it online. I am getting a screenshot of the Web clients but I did see what looked like a good connection there in the dialogue.

Is there a troubleshooting doc available?

Damien Miller · ‎11-29-2019

Ah sorry, got ahead of myself there, you are correct, ignore the web clients. I'm not aware of a tshoot guide but you can do a few easy things to get started.

From the primary pxgrid node cli you can run "tech netstat | include 5222" and see if the connection is established or not.

You could also tcpdump from the ise gui. You won't be able to read anything from the pcap since tcp 5222 is encrypted, but it would indicate if there is at least anything flowing or if it's one way etc.

Lastly and what may be most useful. You could enable pxgrid debugs through the logging page in the gui. The logs are available to download through the gui as well, there are a few for pxg.