000029231 - ESA displays the error "iptables....ACCEPT returned 1 instead of one of [0]" when running puppet agent -t at RSA Security Analytics 10.4.0.2

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029231

Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA)
RSA Version/Condition: 10.4.0.2
Platform: CentOS
O/S Version: EL6

Issue: After issuing the puppet agent -t command on the ESA appliance, the following error message is displayed:
Error: iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 50030 -j ACCEPT returned 1 instead of one of [0]
Error: /Stage[main]/Esa/Exec[remove-ip-tables-entry]/returns: change from notrun to 0 failed: iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 50030 -j ACCEPT returned 1 instead of one of [0]


 
Cause: This is a known bug in Security Analytics 10.4.0.2. There is a typo in the file /etc/puppet/modules/esa/manifests/init.pp on the Security Analytics server. This file is responsible for applying iptables rules on the ESA.
 
Workaround: To resolve the issue, perform the workaround below.
  1. Connect to the Security Analytics server via SSH as the root user.
  2. Temporarily stop the puppetmaster service with the following command:  service puppetmaster stop
  3. Edit the ESA puppet manifest with the following command:  vi /etc/puppet/modules/esa/manifests/init.pp
  4. Comment out the lines below.
    # exec {'remove-ip-tables-entry':
    #      path        => ["/bin", "/sbin", "/usr/bin", "/usr/sbin"],
    #      command     => "iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 50030 -j ACCEPT",
    #      onlyif      => 'test -n "iptables --list | grep dpt:50030"',
    #    }

  5. Save the changes to the file with the :wq! command in the vi editor.
  6. Restart the puppetmaster service with the following command:  service puppetmaster start
  7. Connect to the ESA appliance via SSH as the root user.
  8. Regenerate the certificates on the ESA appliance with the following command:  puppet agent -t
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
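
The following is an added example, not part of the RSA article or the product's manifest: a shell simulation of the commented-out exec resource, showing why the error appears when no rule for port 50030 exists. It assumes the typo is that test -n is handed a literal string (always non-empty) rather than the command's output; fake_iptables, run_exec, the guard function names and the sample rule line are constructed for illustration.

```shell
#!/bin/sh
# Added example. fake_iptables is a stub so this runs without root or iptables.
# RULE_LINE is a constructed line in the style of `iptables --list` output.
RULE_LINE='ACCEPT     tcp  --  anywhere   anywhere   state NEW tcp dpt:50030'
RULES=''

fake_iptables() {
    case "$1" in
        --list) if [ -n "$RULES" ]; then printf '%s\n' "$RULES"; fi
                return 0 ;;
        -D)     # like the real tool, deleting a rule that is absent exits 1
                [ -n "$RULES" ] || return 1
                RULES=''
                return 0 ;;
    esac
    return 2
}

# onlyif as written in the manifest: the argument is a literal string, it is
# never executed, and a non-empty string always makes `test -n` succeed.
guard_as_written() {
    test -n "iptables --list | grep dpt:50030"
}

# onlyif with command substitution: tests the output of the pipeline instead.
guard_substituted() {
    test -n "$(fake_iptables --list | grep 'dpt:50030')"
}

# Puppet exec semantics: run the command only when onlyif exits 0, and fail
# the resource when the command's exit status is not 0.
run_exec() {    # $1 = guard function to use as onlyif
    if "$1"; then
        fake_iptables -D
        return $?
    fi
    return 0    # guard false: resource skipped, nothing to report
}

for guard in guard_as_written guard_substituted; do
    for state in absent present; do
        RULES=''
        if [ "$state" = present ]; then RULES="$RULE_LINE"; fi
        rc=0
        run_exec "$guard" || rc=$?
        echo "$guard, rule $state: exec returned $rc"
    done
done
```

With the rule absent, only the guard as written lets the delete run and return 1, which is the status Puppet reports in the error above.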
