
CSPC ACL Updates

BenStansfield
Level 1

Hello All

Please, can someone provide me with the latest list of ACLs that need to be configured on the Firewall to allow full functionality of the CSPC appliance? We were recently provided with the below list as Cisco documentation and Cisco TAC.

However, we are now also required to add nettools-upload.cisco.com? There is no mention of these updated ACLs in any Cisco documentation, which is alarming.

| Host Name | IP Address | Port | Function |
|---|---|---|---|
| concsowebprd.cisco.com | 72.163.7.113 | 443 | Data upload from the collector to Cisco |
| concsoweb2-prd.cisco.com | 72.163.7.125 | 443 | Web socket tunnel access from Cisco secure GUI |
| dl.cisco.com | 72.163.7.60 | 80 & 443 | Utilised to perform upgrades and patches on the host, this can be configured automatically for minimising downtime. |
| dl1.cisco.com | 72.163.7.60 | 80 & 443 | |
| dl2.cisco.com | 173.37.146.12 | 80 & 443 | |
| sso.cisco.com | 173.37.144.208 | 443 | |
| cloudsso.cisco.com | 72.163.4.74 | 443 | |

9 Replies

jofrumki
Cisco Employee

nettools-upload.cisco.com is not required for CSPC to SNTC connectivity. The list provided should be sufficient. Can you help us understand why you believe nettools-upload.cisco.com to be a requirement?

Hi Jofrumki

Please see error below.

Capture3.png

Kind regards

Thank you for the update, can you please confirm the current version running on your CSPC is 2.8.1.2 and if not, upgrade to this release level.

Once completed please attempt the upload again and update us with any changes.

Regards

Hi

The Collector is a fresh installation of 2.8.1.2. The upload was previously working.

Kind regards

Thank you for the update, can you confirm if there is a proxy configured on the CSPC?

If no proxy exists in the network and none is configured on the CSPC, please log in to the CLI as collectorlogin, then su to root. From root, execute the command service concsotgw restart and attempt a new upload.

Hi Jofrumki
The customer has a proxy configured on their network, the details are not configured on the CSPC appliance. We have more than 10 collectors with Proxy servers locally that don't have the config that works so not sure that this is the issue.
Kind regards

Has the customer executed the command I recommended and attempted a new upload?

If the upload still fails then please send the output from cat /opt/ConcsoTgw/tail-end-gateway-decoupled/conf/csof_config.xml

Thank you

Hi Jofrumki

Customer added nettools ACL and the upload worked.

Kind regards 

Hello,

Thank you for the update, however we did notice that this CSPC is registered to a PSS customer and as a Partner Support Service partner you are entitled to open TAC cases with Cisco rather than using the SNTC community. Additionally, would it be possible to provide the output I requested previously? This behavior is unusual and we would like to document everything if possible.

Thank you