01-05-2011 07:25 AM - edited 03-10-2019 05:13 AM
Hi All,
I have two questions that I would like some help with please.
1)
I am trying to log onto our ASA-SSM-10 IPS sensor via the Cisco IME client and I get the following error "Exception when initializing the SSL"
I have tried generating new SSL keys on the ASA-SSM-10 with the tls generate-key command but this has not helped.
Can anyone advise on how to resolve this problem?
2)
The second question I had was: is it possible to use the Cisco IME client to monitor remote sensors? In other words, we have two sites and each site has a pair of SSM-10 sensors, and we are currently managing them via the Cisco IME client on each site. Can we use either IME client on either site to see all four sensors?
Thanks in advance for your time
01-13-2011 04:17 AM
Urfan;
To answer your questions:
1. This is sometimes seen when the connection between the IME system and the sensor traverses a proxy server, or if IME is not run as an administrative user.
2. IME can monitor any sensor to which it has constant connectivity, so it should be possible to monitor all four sensors from a single IME system. Things to keep in mind:
Scott
01-13-2011 06:16 AM
Hi Scott,
Thanks for the reply... issue one was resolved by re-installing the client and Java.
With regards to issue 2... There is no VPN etc. between the two sites and the link is definitely up... When I try to add the opposite site's sensors to the IME client I get the error "IOException when try to get certificate: connect timed out"
Any ideas what this might be?
Thanks
Urfan
EDIT: I have just noticed that the two sites are running different IPS software versions... one site is running 7.0(4)E4 on the IPS and the other site is running 6.0(6)E3... Both sites are running 8.2(1)11 on the ASAs though...
01-13-2011 07:03 AM
Urfan;
Can you connect to the remote sensor via IDM (the built-in GUI):
Other things to check:
Scott
01-13-2011 07:18 AM
Hi Scott, thanks for the quick reply.
I cannot get to the sensor via https remotely as you suggested, and I've checked the firewall and it's deffo letting https through, so not the firewall and not any network outage/connectivity either...
How can I check that the remote sensor access-list allows the IME station's IP address? I am currently logged onto the sensor via the local IME client...
Thanks
Urfan
01-13-2011 07:29 AM
Urfan;
Within IME navigate to:
Configuration>Sensor Setup>Allowed Hosts/Networks
You will see a list of allowed networks/hosts.
Scott
01-13-2011 07:36 AM
Hi Scott,
Yes, the networks are allowed so it's not the sensor blocking it either.
Could the difference in software between the two sites and their sensors play a part? I've noticed that one site is running 6.0 and the other site is running the latest 7.0 on the sensors?
Urfan
01-13-2011 07:42 AM
Urfan;
What version of IME is being used?
IME 7.0 can monitor IPS 6.0 sensors, but cannot perform configuration.
IME 6.0 cannot monitor/manage IPS 7.0 sensors.
Is there any sort of proxy server between the IME system and the remote sensors?
Scott
01-13-2011 07:44 AM
Hi Scott,
We are using IME 7.0.3, which is the latest version I believe. There is also no proxy in between.
Urfan
01-13-2011 07:55 AM
Urfan;
That you cannot connect using IDM (via the https method) indicates a connectivity issue between the IME system and the remote IPS. You will need to troubleshoot the connection between the two devices. You may need to perform packet captures at various points along the path to verify the expected traffic is passing each point.
You can make use of the IPS CLI's packet display command to monitor incoming connections from your remote system:
sensor# packet display gigabitethernet0/0 expression port 443
You may want to include only the IP address of the IME system to eliminate the local IME connections from the output. Use ctrl-c or q to exit the packet display.
Scott
01-13-2011 11:35 AM
Hi Scott,
Thanks for that....
I ran the command and then I attempted to add the sensor that I ran the command on, to the remote IME client...
I deffo saw the entry in the command output
19:08:54.587530 IP 172.xx.xxx.xxx.56336 > 172.xx.xxx.xxx.443: S 2155760626:2155760626(0) win 8192
The first address is the host on site A which has the IME client and the second address is of the IPS sensor on site B that I ran the command on...
Hope that makes sense but none of that output makes any sense to me....
From the looks of it the sensor is deffo seeing the connection on port 443 from the remote IME client, but just for some reason it won't connect.
Urfan
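Added example, not part of the thread: the packet display line quoted above is old-style tcpdump text, where the flag `S` without `ack` is a TCP SYN (a connection request) to port 443. The Python sketch below reads such lines and reports how far each handshake got at the capture point; the function name and the sample addresses (documentation ranges) are constructed for illustration.

```python
import re

# Old-style tcpdump text, the format of the thread's "packet display" output.
LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"([SFPRWE.]+)(?: (.*))?$"
)
ORDER = ["syn-only", "syn-ack-seen", "established", "reset"]

def handshake_states(lines, server_port=443):
    """Map (client_ip, client_port, server_ip) to how far the TCP handshake got."""
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a TCP-over-IPv4 line in the expected format
        src, sport, dst, dport, flags, rest = m.groups()
        has_ack = bool(re.search(r"\back\b", rest or ""))
        if int(dport) == server_port:        # client -> sensor
            key = (src, int(sport), dst)
            if "S" in flags and not has_ack:
                new = "syn-only"             # request reached the capture point
            elif flows.get(key) == "syn-ack-seen" and has_ack:
                new = "established"          # client completed the handshake
            else:
                continue
        elif int(sport) == server_port:      # sensor -> client
            key = (dst, int(dport), src)
            if "R" in flags:
                new = "reset"                # sensor side refused the connection
            elif "S" in flags and has_ack:
                new = "syn-ack-seen"         # sensor answered the request
            else:
                continue
        else:
            continue
        # Retransmitted SYNs must not move a flow backwards.
        flows[key] = max(flows.get(key, new), new, key=ORDER.index)
    return flows

# Constructed sample capture (not from the thread): one flow that never gets
# an answer, and one flow that completes the three-way handshake.
SAMPLE = """\
19:08:54.587530 IP 192.0.2.10.56336 > 198.51.100.20.443: S 2155760626:2155760626(0) win 8192
19:08:57.590112 IP 192.0.2.10.56336 > 198.51.100.20.443: S 2155760626:2155760626(0) win 8192
19:09:10.101000 IP 198.51.100.7.50001 > 198.51.100.20.443: S 100:100(0) win 8192
19:09:10.101200 IP 198.51.100.20.443 > 198.51.100.7.50001: S 900:900(0) ack 101 win 5840
19:09:10.101900 IP 198.51.100.7.50001 > 198.51.100.20.443: . ack 901 win 8192
""".splitlines()
```

A flow that stays at `syn-only` means the request was seen on the sensor interface but no SYN-ACK was captured there for it.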