
XML parser error causing no events to be logged

shadow.cipher
Level 1

I keep getting this error on one of my devices and it also is having problems logging events. I am wondering if these two problems are related. I am not sure what the Cid/E invalid document is referring to. If someone could kindly advise, then maybe I would be able to figure out what is wrong on line 1. I would like to thank everyone in advance for helpful information! :)

02Feb2005 06:45:09.238 5.348 nac[22976] Cid/E errInvalidDocument -- XML Parser: no element found at line 1

02Feb2005 06:48:07.136 177.898 cidwebserver[22986] Cid/E errTransport WebSession::sessionTask(8) TLS connection exception: handshake incomplete.

6 Replies

umedryk
Level 5

What is the exact error message you are getting?

That IS the exact error message I am getting. That was a direct cut and paste from show tech-support output. I also notice this if you do a show events alert low past 01:00:00.

I am curious as to "when" you receive these errors?

How do you access the Sensor - Via VMS or direct HTTPS?

Did you change the password on the unit recently?

The error (though I haven't seen this exact one before) seems to be a TLS connection failure and could indicate that an attempted logon failed.

Do you have any devices such as a SIM (Arcsight, NetForensics, etc.) that are pulling events from the sensor? Enough... just soliciting a bit more info.

Army Lifer (retired)

The sensor is accessed via CLI and HTTPS. We have a custom app that pulls events for monitoring purposes. I am more concerned about the XML parser error than the TLS error. I am not sure if the two are related.

The nac in the error refers to the NetworkAccess (NAC) module. I would hazard a guess that perhaps you have at least one signature that is set to shun. Further, it appears that the signature or the Shun command is corrupted/misconfigured. Look for any recently edited signatures that the "Shun" process was enabled for. Could be ACL related as well. Not sure where to look for that.

H. Schupp

From the CSIDS PDF:

NAC (NetworkAccess)—Manages remote network devices (PIX Firewall, routers, and switches) to provide blocking capabilities when an alert event has occurred. NAC (Network Access Controller) creates and applies Access Control Lists (ACLs) on the controlled network device, or uses the shun command (PIX Firewall) to another RDEP server.

That's a very valid point, CSIDS. I would have to agree. I think now that the most likely problem is that something is configured for shunning but it is missing something required for that action. I will have to check further into this when I am back at work. I will let you know what I find out. Thanks for the advice.
