Error when I activate the nr.managed daemon on the IDS sensor

r.dalessandro
Level 1

When I try to launch the managed daemon on the IDS sensor with 2.5(1)S2 with nrexec or nrset I have this error:

Error timeout waiting for response.

Why? What does it mean?

6 Replies

marcabal
Cisco Employee

How are you trying to launch managed with nrexec or nrset?

Managed is started by using the management tool to include managed in the etc/daemons file.

Postoffice will then start it automatically like all of the other daemons.

To start managed using nrConfigure go the system files configuration area and open the daemons configuration. Here you can select managed to be included in the daemons file.

In CSPM the managed daemon is added to the daemons file automatically when you configure a router for blocking.

To see if managed is running, type nrstatus on the sensor.

If managed is not running then see if it is in the etc/daemons file.

If not, then follow the instructions above. If it is in the daemons file but is not running, then try typing nrstop and nrstart to get it started.

If it won't stay running then check the errors file for managed.

If managed is running but not responding to nrexec and nrget queries then either managed is overloaded with too many automatic shun requests so it doesn't have time to respond, or your query is incorrect, or you've found a bug and need to contact the TAC.

Or you might try upgrading to 3.0 before contacting the TAC, there were several managed bug fixes in the 3.0 code base.

Thanks.

The daemon has now started; when I try to block an IP address, I get the success banner... but on the pix I don't see the shunning rule?!!! Why?

Are you executing the "show shun" command on the Pix?

Refer to: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/s.htm#xtocid187317

This is a new command which is only available with Pix 6.0 or higher.

Managed uses this command, so you must be running Pix 6.0 or higher to manage the Pix.

NOTE: The "Success" that you receive is acknowledgement that managed has received and accepted your request. It is not meant to say that the change of the router or pix configuration was a success. The actual changing of the router or pix configuration could take a little while depending on how many shuns are being done and how many different devices are being managed. So if managed waited to respond to your shun request until after all the devices had been updated, then it is possible that your command would time out.

So to verify if managed is functioning properly, you should check the managed error files. If managed comes across an error in configuration then it will place that error in its error file.

If there is no error file, and you still don't see any shuns on the Pix, then you can try the following:

NOTE: You will need to open one telnet window to the sensor as user netrangr, and a second telnet window as user root.

As netrangr: nrstop

As root: snoop -d iprb0 -o /tmp/packets.snoop

(If using IDS-4210 change iprb0 to iprb1)

As netrangr: nrstart

Now execute a shun request

Wait a minute

As root: Use Ctrl-C to stop the snoop command

As root: Use different snoop options to analyze the packets that are being sent to the Pix and the responses from the Pix. This will let you know of any errors being generated.

Example snoop commands to try:

snoop -i /tmp/packets.snoop | more

snoop -i /tmp/packets.snoop -v | more

snoop -i /tmp/packets.snoop -x 0 | more

I have also configured a router as a blocking device, and with it the shunning is functioning properly..

I'll try to see with the snoop command what really happens with the pix.

Thanks care.

You can check the current status of devices controlled by nr.managed by typing this at the Sensor command line:

nrget 10003 hostid orgid 1 Diagnostic

(replace hostid and orgid with your sensor's hostid and orgid)

All devices should be in the 'Active' state. If not, then something is wrong, probably in the sensor configuration.

Nr.managed can only telnet to a PIX on the inside interface. If you are using the outside (or DMZ) interface, then nr.managed has to be configured to use SSH. In that case, the PIX should have a 3DES key installed, and be configured to allow SSH sessions to the PIX.

The pix's status is inactive. I have opened the errors.managed file and there are the following messages:

11/14/2001 17:43:24UTC E Net Device offline at address [192.168.109.1] State [Connecting] SubState [Initial], resetting now.

11/14/2001 17:44:04UTC E Connection lost to net device 192.168.109.1

11/14/2001 17:44:04UTC E Can not set send bufsize on socket

11/14/2001 17:44:04UTC E Can not set recv bufsize on socket

11/14/2001 17:44:04UTC E Read error [Invalid argument] fd [1]

11/14/2001 17:44:50UTC E Connection lost to net device 192.168.109.1

The IDS communicates with the pix on the inside.

thanks.
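The errors.managed lines quoted in the last post are the kind of thing a sensor operator ends up watching by hand. As an added example (not Cisco code and not from any poster in this thread), the following Python script parses that log format, which is inferred only from the six quoted lines, and summarises per-device "offline" and "connection lost" events so that a blocking device whose session keeps dropping stands out. The sample input is the quoted log, embedded here as constructed test data; the thresholds and field names are assumptions.

```python
"""Summarise connectivity failures in a Cisco IDS 2.x errors.managed file.

Added example, not Cisco code.  The line format below is inferred from the
lines quoted in this thread:
    MM/DD/YYYY HH:MM:SSUTC <severity> <message>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Timestamp, single-letter severity (E observed), free-text message.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})UTC "
    r"(?P<sev>[A-Z]) (?P<msg>.*)$"
)

# Messages that show managed could not hold a session to a blocking device.
# The address is captured so events can be grouped per device.
DEVICE_PATTERNS = (
    ("offline", re.compile(r"Net Device offline at address \[(?P<ip>[^\]]+)\]")),
    ("conn_lost", re.compile(r"Connection lost to net device (?P<ip>\S+)")),
)


def parse_line(line):
    """Return {'ts', 'sev', 'msg'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    return {"ts": ts, "sev": m["sev"], "msg": m["msg"]}


def classify(msg):
    """Map a message to (kind, device_ip); non-device errors give (other, None)."""
    for kind, pat in DEVICE_PATTERNS:
        hit = pat.search(msg)
        if hit:
            return kind, hit.group("ip")
    return "other", None


def summarize(lines):
    """Count offline/conn_lost events per device and collect the remaining
    E-severity messages (socket errors etc.) that are not tied to a device."""
    per_device = defaultdict(Counter)
    other = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sev"] != "E":
            continue
        kind, ip = classify(rec["msg"])
        if ip:
            per_device[ip][kind] += 1
        else:
            other.append(rec["msg"])
    return per_device, other


def unhealthy_devices(per_device, threshold=2):
    """Devices with at least `threshold` offline/conn_lost events (assumed cut-off)."""
    return sorted(ip for ip, c in per_device.items() if sum(c.values()) >= threshold)


# Constructed sample: the errors.managed lines quoted in this thread.
SAMPLE = """\
11/14/2001 17:43:24UTC E Net Device offline at address [192.168.109.1] State [Connecting] SubState [Initial], resetting now.
11/14/2001 17:44:04UTC E Connection lost to net device 192.168.109.1
11/14/2001 17:44:04UTC E Can not set send bufsize on socket
11/14/2001 17:44:04UTC E Can not set recv bufsize on socket
11/14/2001 17:44:04UTC E Read error [Invalid argument] fd [1]
11/14/2001 17:44:50UTC E Connection lost to net device 192.168.109.1
"""

if __name__ == "__main__":
    devices, others = summarize(SAMPLE.splitlines())
    for ip, counts in devices.items():
        print(ip, dict(counts))
    print("unhealthy:", unhealthy_devices(devices))
    print("non-device errors:", others)
```

Run it against a real errors.managed file by replacing SAMPLE with the file's lines; a device that appears in unhealthy_devices() matches the "inactive" status that nrget ... Diagnostic reports in the thread, and the leftover socket errors are the ones worth checking against the snoop capture described above.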