This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
JimHarbin
Beginner
Beginner
‎2010-08-26 11:05 AM

Decrypt NIC System Error re: SDEE Collector

Having problems with a device (Cisco IPS) that we are trying to collect via SDEE.  This is the message that we received multiple times every minute when it trys to poll:

 

%NIC-3-603913: SDEE, SDEE, -, -, -, -, Detail: 2864: Error: D47CC5C4298D443E8D86DC1C4AC41986: Subcription failed: Code: env:smileyfrustrated:ender - sd:errPermissionDenied; Reason: Not authorized

 

Unfortunately there is no identifying factor, other than the long Hex number so we are having a tough time tracking this back to which device is not working properly.

 

Has anyone else received this error and can shed some light on that seems to be the issue?  Second part of the question:  Is there an easy way to associate which device is the problem child from this Hex number?

 

Thanks! 

0 Likes
Reply
2 Replies
RSAAdmin
Beginner
Beginner
‎2010-09-16 12:52 PM

 Is there an easy way to associate which device is the problem child from this Hex number?

Not sure if this is an “easy way” to associate the device to the HEX number but I have found a way to associate them.  On the collector that is actually making the SDEE calls to the SDEE device there is a TMP folder located on the 😧 drive. In this folder you will find XML files that have the same naming convention as the HEX number you see in your NIC System logs. In this XML file there is an element label “originator” which contains the host ID of the SDEE device.

 

- <originator>

       <hostId>MYIDS</hostId>

        <appName>modprobe</appName>

       <appInstanceId />

  </originator>

 

This is an OK way of identifying what device is associated with what HEX number but if you have an device that you want to know it’s HEX number its best to perform a search of the TMP directory using the “A word or phrase in the file” option containing the host name of the SDEE device you want to find the HEX number.

 

 

Preview file
79 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2010-09-27 02:50 PM

This might help shorten the list of candidates.  If you can somehow get a subscription number on the RSA enVision for an IPS that it is trying to collect from, you can go on each IPS and enter the command "show statistics sdee-server" and see if there is a match in the subscription IDs.

 

The IPS also show the last read time for each subscription ID.

 

You can also try the command "packet display gigabitEthernet expression host <envision IP>" on the management interface of the IPS and seeing if there is a connection from the enVision.  Its basically a tcpdump capture.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.