All Apps and Add-ons

Splunk Add-on for Cisco IPS: Why am I getting this error message trying to add a new Cisco IPS Sensor?

jean_tomaz
Explorer

Hi,

I have an issue adding new Cisco IPS Sensor.

The following message is appearing:

"Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_TA_cisco-ips/admin/cisco_ips_setup/cisco_ips_setup_settings".

I need help, please.

Thanks a lot.

jcoates_splunk
Splunk Employee
Splunk Employee

Quick update -- 2.1.2 solved most of the SSL problems, but there's a couple of last ones we're nailing down for a new maintenance release. There is an interesting problem with these where the IPS only supports a few connections at a time, so there can be times where we're making a perfectly valid request and still get told no.

0 Karma

jmcrabb
Explorer

I saw this issue when I had tried copying the app's etc/local directory from a Windows server to a CentOS server. To get it to work, I had to delete the local directory, restart splunk, and use the web interface to add the sensors. This is with Splunk 6.1.4 heavy forwarder and Splunk Add-on for Cisco IPS 2.1.1. On top of that, I had to edit pySDEE.py per the comment by Colin Humphreys here: http://answers.splunk.com/answers/171146/ciscoips-script-not-working-in-splunk-universal-fo.html.

jcoates_splunk
Splunk Employee
Splunk Employee

version 2.1.2 should correct TLS mode errors, please upgrade and open a support ticket if it doesn't work.

0 Karma

imarks004
Path Finder

I am also seeing this same error. Anyone found a work around or any useful information from Splunk support?

0 Karma

JSkier
Communicator

Splunk professional services was on site when we upgraded this app on a heavy v6 forwarder. They usually don't do much for support of apps even those made by splunk, support usually has to come from the app creator (kinda scary way of doing support IMO).

I was able to get v6 going with 2.0 (the older version), by forcing TLSv1 in the python ssl library splunk uses. It stopped working for unknown reasons after a few hours (started getting the same error as the new version), so I've reverted back to 2.0 app with splunk 5 for now, which still works.

If interested in trying 2.0 (not the latest) app with splunk 6, edit the library splunk uses, look at this file, and change the ssl version (down a bit) to TLSv1: $SPLUNK_HOME/lib/python2.7/ssl.py

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Hi, the 2.1.2 update or later should solve these TLS issues.

Also, this is a Splunk-supported add-on; I'll be happy to chat with anyone who needs a hand with what that means.

0 Karma

JSkier
Communicator

Thanks, installation works and it is pulling feeds, but now it won't forward to the index for version 6. I put in a ticket.

0 Karma

cmoyanof
New Member

Hi Jack,

I have error "Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_TA_cisco-ips/admin/cisco_ips_setup/cisco_ips_setup_settings"

My version of Splunk_TA_cisco-ips is 2.1.2

😞

0 Karma

JSkier
Communicator

Seeing this also. Have had success with previous 2.0 version and splunk heavy forwarder v5. v6 with ssl python library hack did work, but didn't last.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...