
After upgrading Cisco Security Suite from 3.0.0 to 3.1.1 in a distributed search deployment, why am I getting configuration and lookup table errors?

jorgepinto1
Explorer

Hi,

My setup is 1 Search Head and 3 Indexers and I've just upgraded my Cisco Security Suite installation from 3.0.0 to 3.1.1, on the SH only. Now I'm stuck at the App Configuration screen. Whenever I press continue to App Configuration page, it throws:

Splunk could not perform action for resource apps/local/Splunk_CiscoSecuritySuite Splunkd daemon is not responding: ('Error connecting to /servicesNS/admin/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup: The read operation timed out',)

There was an error retrieving the configuration, can not process this page.

Additionally, I get the following errors when I do any other search on other apps:

[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'.
[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'source::udp:514|host::1.1.1.1|cisco:asa'.
[indexer1] The lookup table 'networkservice' does not exist. It is referenced by configuration 'source::udp:514|host::2.2.2.2|cisco:asa'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'source::udp:514|host::1.1.1.1|cisco:asa'.
[indexer2] The lookup table 'networkservice' does not exist. It is referenced by configuration 'source::udp:514|host::2.2.2.2|cisco:asa'.
[indexer3] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
[indexer3] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
[indexer3] The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'.

Can someone help?

ilirb
Path Finder

I managed to configure mine, however, I don't have a distributed search environment. Extending the session timeout in web.conf finally got me to the screen to enable the apps I needed, and all looks fine now.
Just checked that I also lack some dashboards, and receive the messages:
The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'

0 Karma

ilirb
Path Finder

Just an update: I followed some links suggesting to disable "Cisco ASA / PIX / FWSM Dashboards", i.e. SA-cisco-asa, and I also updated the Splunk Add-on for Cisco ASA to version 3.2.3. Now it is OK, no more errors, and all the dashboards are populated properly.

0 Karma

AWDItTech
New Member

I made the lookup and table globally available. The error messages went away.

0 Karma

noriel_cunanan
New Member

How do you do that?

0 Karma

dacasey
Explorer

Go to Settings / Lookups

Filter App Context to "Cisco Security Suite"

Check "Show only objects created in this app context"

The list of related lookups will be displayed. Now, click on the "Permissions" link next to each related entry and check "All Apps" at the top. Save and repeat the process.

Did not solve the problem on my end unfortunately.

0 Karma

ramsanga
Explorer

I had similar problems and after troubleshooting found that SA-cisco-asa, SA-cisco-wsa, SA-cisco-esa and SA-cisco-sourcefire are no longer required as add-ons in the new version. They are all incorporated into the CiscoSecuritysuite app. After removing them from the apps directory, the error messages no longer appear.

ChrisBell04
Communicator

I contacted app-help and they provided the following which actually did work to solve the Splunkd daemon is not responding issue.

  1. open/create $SPLUNK_HOME/etc/system/local/web.conf
  2. Update the splunkdConnectionTimeout to 1200 (the default is 30 secs)
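
An added example, not from any poster in this thread or from Splunk: a shell check for the two conditions the replies above point to, leftover SA-cisco-* add-on directories under etc/apps and the splunkdConnectionTimeout value in system/local/web.conf. The add-on names and the 30/1200 values come from the thread; the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a Splunk home for the two conditions raised in this thread.

# Add-ons the thread reports as folded into Cisco Security Suite 3.1.1.
LEGACY_APPS="SA-cisco-asa SA-cisco-wsa SA-cisco-esa SA-cisco-sourcefire"

# Print every legacy add-on directory still present under <home>/etc/apps.
find_legacy_apps() {
    for app in $LEGACY_APPS; do
        if [ -d "$1/etc/apps/$app" ]; then echo "$app"; fi
    done
}

# Print splunkdConnectionTimeout from <home>/etc/system/local/web.conf
# ([settings] stanza), or 30, the default quoted in the thread, when unset.
web_timeout() {
    conf="$1/etc/system/local/web.conf"
    val=""
    if [ -f "$conf" ]; then
        val=$(awk -F= '
            /^[ \t]*\[/ { in_settings = ($0 ~ /^[ \t]*\[settings\]/) }
            in_settings && $1 ~ /^[ \t]*splunkdConnectionTimeout[ \t]*$/ {
                gsub(/[ \t\r]/, "", $2); v = $2
            }
            END { print v }' "$conf")
    fi
    echo "${val:-30}"
}

# One line per leftover add-on, then the timeout read from this file.
audit() {
    for found in $(find_legacy_apps "$1"); do
        echo "legacy add-on still installed: $found"
    done
    echo "splunkdConnectionTimeout=$(web_timeout "$1")"
}

# Constructed sample tree so the example runs without a Splunk install.
demo=$(mktemp -d)
mkdir -p "$demo/etc/apps/SA-cisco-asa" "$demo/etc/apps/Splunk_CiscoSecuritySuite" \
         "$demo/etc/system/local"
printf '[settings]\nsplunkdConnectionTimeout = 1200\n' > "$demo/etc/system/local/web.conf"
audit "$demo"
rm -rf "$demo"
```

This reads only the file the thread edits; on a running instance, `splunk btool web list settings --debug` shows the value merged across all configuration layers.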

JSkier
Communicator

This actually worked for me, but it's a messy upgrade and had other problems after getting it up.

0 Karma

thanley
New Member

Hi,

I've also just upgraded to C.S.S. 3.1.1. from C.S.S. 3.0.0. in my test platform, Splunk 6.2.3.
Had exactly the same issue as this so it looks like it could be a wider issue. I've just put 3.0.0. back on and it's working again. Might be worth rolling back until this issue is sorted.

0 Karma

heicoinfrastruc
New Member

How do you back out from 3.1.1 to 3.0.3? When I tried with the cisco-security-suite_303.tgz file it throws an error.

There was an error processing the upload

0 Karma

m4him7
Path Finder

I am having the same issue. I am also on 6.2.3

0 Karma

nychawk
Communicator

Me too, any resolution?

I am on 6.2.3, and backed out to 3.0.3 (3.0.0 is no longer available).

0 Karma