Decrypt NIC System Error re: SDEE Collector
Having problems with a device (Cisco IPS) that we are trying to collect via SDEE. This is the message that we receive multiple times every minute when it tries to poll:
%NIC-3-603913: SDEE, SDEE, -, -, -, -, Detail: 2864: Error: D47CC5C4298D443E8D86DC1C4AC41986: Subcription failed: Code: envender - sd:errPermissionDenied; Reason: Not authorized
Unfortunately there is no identifying factor, other than the long Hex number so we are having a tough time tracking this back to which device is not working properly.
Has anyone else received this error and can shed some light on what seems to be the issue? Second part of the question: Is there an easy way to associate which device is the problem child from this Hex number?
Is there an easy way to associate which device is the problem child from this Hex number?
Not sure if this is an “easy way” to associate the device to the HEX number but I have found a way to associate them. On the collector that is actually making the SDEE calls to the SDEE device there is a TMP folder located on the D: drive. In this folder you will find XML files that have the same naming convention as the HEX number you see in your NIC System logs. In this XML file there is an element labeled “originator” which contains the host ID of the SDEE device.
This is an OK way of identifying what device is associated with what HEX number, but if you have a device that you want to know its HEX number, it's best to perform a search of the TMP directory using the “A word or phrase in the file” option containing the host name of the SDEE device you want to find the HEX number for.
This might help shorten the list of candidates. If you can somehow get a subscription number on the RSA enVision for an IPS that it is trying to collect from, you can go on each IPS and enter the command "show statistics sdee-server" and see if there is a match in the subscription IDs.
The IPS also shows the last read time for each subscription ID.
You can also try the command "packet display gigabitEthernet expression host <envision IP>" on the management interface of the IPS and see if there is a connection from the enVision. It's basically a tcpdump capture.
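The TMP-folder lookup described in the reply above can be scripted so every HEX ID is mapped to its device in one pass. This is an added example, not code from the thread or from RSA or Cisco; it assumes each file's name (minus extension) is the 32-character HEX ID and that the host ID is the text inside an element whose local name is "originator", and the sample files, host names and namespace URI are constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

HEX_ID = re.compile(r"^[0-9A-Fa-f]{32}$")  # shape of the ID in the NIC-3-603913 message

def originator_of(xml_path):
    """Return the text inside the first 'originator' element, or None."""
    try:
        root = ET.parse(xml_path).getroot()
    except (ET.ParseError, OSError):
        return None  # truncated or unreadable file: report as unknown
    for elem in root.iter():
        # Compare on the local name so any namespace prefix is ignored.
        if elem.tag.rsplit("}", 1)[-1] == "originator":
            text = " ".join(t.strip() for t in elem.itertext() if t.strip())
            return text or None
    return None

def map_ids_to_hosts(tmp_dir):
    """HEX ID -> originator text for every HEX-named file in tmp_dir."""
    mapping = {}
    for path in Path(tmp_dir).iterdir():
        if path.is_file() and HEX_ID.match(path.stem):
            mapping[path.stem.upper()] = originator_of(path)
    return mapping

def ids_for_host(mapping, host):
    """Reverse lookup: HEX IDs whose originator mentions the host name."""
    return sorted(h for h, o in mapping.items() if o and host.lower() in o.lower())

def build_sample_dir():
    """Constructed stand-in for the collector's TMP folder."""
    d = Path(tempfile.mkdtemp())
    doc = ('<events xmlns:sd="urn:example:sdee"><sd:originator>'
           '<sd:hostId>{}</sd:hostId></sd:originator></events>')
    (d / "D47CC5C4298D443E8D86DC1C4AC41986.xml").write_text(doc.format("ips-lab-01"))
    (d / "0123456789ABCDEF0123456789ABCDEF.xml").write_text(doc.format("ips-lab-02"))
    (d / "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.xml").write_text("<events><originator>")
    (d / "notes.txt").write_text("not a subscription file")
    return d

if __name__ == "__main__":
    # Point map_ids_to_hosts() at the real TMP folder on the collector instead.
    for hex_id, host in sorted(map_ids_to_hosts(build_sample_dir()).items()):
        print(hex_id, "->", host or "(no originator found)")
```
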