FireSIGHT Process Status - Stunnel

Muhammad.Eissa
Level 1

Hello,

I have had an issue for a few days. I thought updates would solve it, but they did not.
I have attached a screenshot of it. I wish to know what this issue is and how to solve it.

Thanks :)


Jetsy Mathew
Cisco Employee

Hello Eissa,

The sftunnel service that you are referring to is a communication channel between the FireSIGHT and the Firepower device. It maintains the communication channel between these two appliances for sending heartbeats between each other. It can exit for various reasons. You can verify the status of the service using the following commands via SSH access to the appliance which triggered that alert. Make sure that you elevate to the root user.

pmtool status |grep sftunnel

Verify that the service sftunnel is running.

You can also grep for sftunnel errors in the messages log:

cat /var/log/messages |grep sftunnel

What are the existing model and software version of the device?

I would recommend that you open a case with Cisco TAC to find the root cause of this alert, since this service can exit due to several communication channel issues. Thus, just by looking at the health alert, we can't say the exact cause. Provide the troubleshoot file to Cisco TAC and they will surely help you to identify the root cause.

Regards

Jetsy 

Hello Jetsy,

Below is the output of the above command. Is there anything abnormal?

root@Sourcefire3D:~# pmtool status |grep sftunnel
Required by: SFDataCorrelator,ui_archiver,TSS_Daemon,HostInput_Daemon,sfestreamer,estreamer-sftunnel,fpcollect,Syncd,expire-session,Pruner,fireamp,ActionQueueScrape,snapshot_manager,SFTop10Cacher,query_scheduler
sftunnel (system) - Running 4004
Command: /usr/local/sf/bin/sftunnel -d -f /etc/sf/sftunnel.conf
PID File: /var/sf/run/sftunnel.pid
Enable File: /etc/sf/sftunnel.conf
Required by: sfmgr,sfmbservice,estreamer-sftunnel,sfipproxy
Command: /usr/local/sf/bin/sfmgr -d -f /etc/sf/sftunnel.conf
Enable File: /etc/sf/sftunnel.conf
Requires: sftunnel
Command: /usr/local/sf/bin/sfmbservice -d -f /etc/sf/sftunnel.conf
Enable File: /etc/sf/sftunnel.conf
Requires: sfmb,sftunnel
estreamer-sftunnel (normal) - Running 4307
Command: /usr/local/sf/bin/sfestreamer --nodaemon --sftunnel
PID File: /var/sf/run/estreamer-sftunnel.pid
Requires: mysqld,sftunnel
Requires: sftunnel
root@Sourcefire3D:~# cat /var/log/messages |grep sftunnel
Apr 29 12:06:55 Sourcefire3D SF-IMS[3960]: [3960] pm:process [INFO] HUPing sftunnel
Apr 29 12:06:55 Sourcefire3D SF-IMS[4004]: [4004] sftunneld:sftunnel [INFO] Process received SIGHUP
Apr 29 12:06:55 Sourcefire3D SF-IMS[4004]: [4004] sftunneld:sftunnel [INFO] ROLE=2
Apr 29 12:06:55 Sourcefire3D SF-IMS[4004]: [4004] sftunneld:sftunnel [INFO] IPv4 is  10.1.127.152  (key '10.1.127.152') on eth0
Apr 29 12:06:55 Sourcefire3D SF-IMS[4004]: [4004] sftunneld:sftunnel [INFO] Local Peer supports separate evets connection
Apr 29 12:06:56 Sourcefire3D SF-IMS[4004]: [4104] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 10.1.127.154 over eth0
Apr 29 12:06:56 Sourcefire3D SF-IMS[4004]: [4106] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 10.1.127.150 over eth0
Apr 29 12:06:56 Sourcefire3D SF-IMS[4004]: [4104] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 10.1.127.154 (6.0.1)
Apr 29 12:06:56 Sourcefire3D SF-IMS[4004]: [4106] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 10.1.127.150 (6.0.1)
Apr 29 12:06:59 Sourcefire3D SF-IMS[4004]: [4105] sftunneld:control_services [INFO] Successfully Send Interfaces info to peer 10.1.127.151 over eth0
Apr 29 12:06:59 Sourcefire3D SF-IMS[4004]: [4105] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 10.1.127.151 (6.0.1)
root@Sourcefire3D:~#

Hello,

The sftunnel process is running as of now.

Are you continuously receiving the health alert, or did you receive it just once?

Have you grepped for any heartbeat messages in /var/log/messages?

If the sftunnel process was down before, it won't be in the recent logs. The logs would also have been rotated.

Regards

Jetsy 
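
Added example (not part of the original thread and not Cisco code): a small shell filter that condenses the `grep sftunnel` output discussed above into one line per peer heartbeat, plus counts of SIGHUP events and entries whose level tag is not `[INFO]`. The field positions are taken from the log lines posted in this thread; the function names and the placeholder non-INFO line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise sftunneld entries from /var/log/messages-style input.

# Constructed sample: three lines copied from the output posted in the thread,
# plus one constructed line whose level tag and message are placeholders.
sample_log() {
cat <<'EOF'
Apr 29 12:06:55 Sourcefire3D SF-IMS[4004]: [4004] sftunneld:sftunnel [INFO] Process received SIGHUP
Apr 29 12:06:56 Sourcefire3D SF-IMS[4004]: [4104] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 10.1.127.154 (6.0.1)
Apr 29 12:06:59 Sourcefire3D SF-IMS[4004]: [4105] sftunneld:sf_heartbeat [INFO] Saved SW VERSION from peer 10.1.127.151 (6.0.1)
Apr 29 12:07:10 Sourcefire3D SF-IMS[4004]: [4105] sftunneld:sf_heartbeat [PLACEHOLDER_LEVEL] constructed non-INFO line
EOF
}

# Reads log lines on stdin and prints a summary on stdout.
sftunnel_summary() {
    awk '
    /sftunneld:/ {
        total++
        # Field 7 is "sftunneld:<component>", field 8 is the "[LEVEL]" tag.
        if ($8 != "[INFO]") { noninfo++; last_bad = $0 }
        if ($0 ~ /Process received SIGHUP/) sighup++
        if ($7 == "sftunneld:sf_heartbeat" && $0 ~ /Saved SW VERSION from peer/) {
            peer = $(NF-1); ver = $NF
            gsub(/[()]/, "", ver)              # "(6.0.1)" -> "6.0.1"
            seen[peer] = ver
            last[peer] = $1 " " $2 " " $3      # timestamp of latest heartbeat
        }
    }
    END {
        for (p in seen)
            printf "peer=%s version=%s last_heartbeat=\"%s\"\n", p, seen[p], last[p]
        printf "sftunneld_lines=%d sighup=%d non_info=%d\n", total, sighup, noninfo
        if (noninfo) printf "last_non_info: %s\n", last_bad
    }'
}

# Stand-alone demonstration on the constructed sample.
sample_log | sftunnel_summary
```

On an appliance where awk is available, the same function can be fed with `grep sftunnel /var/log/messages | sftunnel_summary`; a managed peer that has no `peer=` line in the output has logged no heartbeat in the file being read.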
