All Apps and Add-ons

Handshake occurs but doesn't send data

rajyah
Communicator

Hi! Good day to you all,

Today, we're currently ingesting data from eStreamer but this occured:

2018-11-09 15:55:15,479 Controller INFO Platform version: Linux-3.10.0-862.el7.x86_64-x86_64-with-centos-7.5.1804-Core
2018-11-09 15:55:15,480 Controller INFO Starting client (pid=14528).
2018-11-09 15:55:15,481 Controller INFO Sha256: d81b381ef933679d508d0c5ac1f95caa98ebf2aff094debecf52471917901bc8
2018-11-09 15:55:15,491 Controller INFO Processes: 4
2018-11-09 15:55:15,492 Controller INFO Settings: KGRwMApWbW9uaXRvcgpwMQooZHAyClZib29rbWFyawpwMwpJMDAKc1Z2ZWxvY2l0eQpwNApJMDAKc1ZoYW5kbGVkCnA1CkkwMQpzVnBlcmlvZApwNgpJMTIwCnNWc3Vic2NyaWJlZApwNwpJMDEKc3NWaGFuZGxlcgpwOAooZHA5ClZyZWNvcmRzCnAxMAooZHAxMQpWZXhjbHVkZQpwMTIKKGxwMTMKc1Zjb3JlCnAxNApJMDEKc1ZleGNsQGNvbW1lbnQKcDE1CihscDE2ClZUaGVzZSByZWNvcmRzIHdpbGwgYmUgZXhjbHVkZWQgcmVnYXJkbGVzcyBvZiBhYm92ZSAob3ZlcnJpZGVzICdpbmNsdWRlJykKcDE3CmFWZS5nLiB0byBleGNsdWRlIGZsb3cgYW5kIElQUyBldmVudHMgdXNlIFsgNzEsIDQwMCBdCnAxOAphc1ZwYWNrZXRzCnAxOQpJMDEKc1ZpbnRydXNpb24KcDIwCkkwMQpzVmluY0Bjb21tZW50CnAyMQpWVGhlc2UgcmVjb3JkcyB3aWxsIGJlIGluY2x1ZGVkIHJlZ2FyZGxlc3Mgb2YgYWJvdmUKcDIyCnNWcnVhCnAyMwpJMDEKc1ZybmEKcDI0CkkwMQpzVmluY2x1ZGUKcDI1CihscDI2CnNWY29ubmVjdGlvbnMKcDI3CkkwMQpzVm1ldGFkYXRhCnAyOApJMDAKc3NWb3V0cHV0dGVycwpwMjkKKGxwMzAKKGRwMzEKVmVuYWJsZWQKcDMyCkkwMQpzVmFkYXB0ZXIKcDMzClZzcGx1bmsKcDM0CnNWc3RyZWFtCnAzNQooZHAzNgpWdXJpCnAzNwpWcmVsZmlsZTovLy8uLi8uLi9kYXRhL2VuY29yZS57MH0ubG9nCnAzOApzVm9wdGlvbnMKcDM5CihkcDQwClZtYXhMb2dzCnA0MQpJMTAwMDAKc1Zyb3RhdGUKcDQyCkkwMQpzc3Nhc1ZvdXRwdXRAY29tbWVudApwNDMKVklmIHlvdSBkaXNhYmxlIGFsbCBvdXRwdXR0ZXJzIGl0IGJlaGF2ZXMgYXMgYSBzaW5rCnA0NApzc1ZzdGFyQGNvbW1lbnQKcDQ1ClYwIGZvciBnZW5lc2lzLCAxIGZvciBub3csIDIgZm9yIGJvb2ttYXJrCnA0NgpzVnN1YnNjcmlwdGlvbgpwNDcKKGRwNDgKVnNlcnZlcnMKcDQ5CihscDUwCihkcDUxClZ0bHNAY29tbWVudApwNTIKVlZhbGlkIHZhbHVlcyBhcmUgMS4wIGFuZCAxLjIKcDUzCnNWdGxzVmVyc2lvbgpwNTQKRjEuMgpzVnBrY3MxMkZpbGVwYXRoCnA1NQpWY2xpZW50LnBrY3MxMgpwNTYKc1Zob3N0CnA1NwpWMTAuMC4zMS44MApwNTgKc1Zwb3J0CnA1OQpJODMwMgpzYXNWcmVjb3JkcwpwNjAKKGRwNjEKVmltcGFjdEV2ZW50QWxlcnRzCnA2MgpJMDEKc1ZleHRlbmRlZApwNjMKSTAxCnNWZXZlbnRFeHRyYURhdGEKcDY0CkkwMQpzVmludHJ1c2lvbgpwNjUKSTAxCnNWcGFja2V0RGF0YQpwNjYKSTAxCnNWQGNvbW1lbnQKcDY3CihscDY4ClZKdXN0IGJlY2F1c2Ugd2Ugc3Vic2NyaWJlIGRvZXNuJ3QgbWVhbiB0aGUgc2VydmVyIGlzIHNlbmRpbmcuIE5vciBkb2VzIGl0IG1lYW4KcDY5CmFWd2UgYXJlIHdyaXRpbmcgdGhlIHJlY29yZHMgZWl0aGVyLiBTZWUgaGFuZGxlci5yZWNvcmRzW10KcDcwCmFzVmFyY2hpdmVUaW1lc3RhbXBzCnA3MQpJMDEKc1ZtZXRhZGF0YQpwNzIKSTAxCnNzc1Zjb25kaXRpb25zCnA3MwoobHA3NApWc3BsdW5rCnA3NQphc1ZzdGFydApwNzYKSTIKc1Zjb25uZWN0VGltZW91dApwNzcKSTEwCnNWbG9nZ2luZwpwNzgKKGRwNzkKVmxldmVsCnA4MApWSU5GTwpwODEKc1ZmaWxlcGF0aApwODIKVmVzdHJlYW1lci5sb2cKcDgzCnNWc3RkT3V0CnA4NApJMDEKc1Zmb3JtYXQKcDg1ClYlKGFzY3RpbWUpcyAlKG5hbWUpLTEycyAlKGxldmVsbmFtZSktOHMgJShtZXNzYWdlKXMKcDg2CnNWc3RkRXJyCnA4NwpJMDAKc1ZsZXZAY29tbWVudApwODgKVkxldmVscyBpbmNsdWRlIEZBVEFMLCBFUlJPUiwgV0FSTklORywgSU5GTywgREVCVUcsIFZFUkJPU0UgYW5kIFRSQUNFCnA4OQpzc1ZyZXNwb25zZVRpbWVvdXQKcDkwCkkyCnNWd29ya2VyUHJvY2Vzc2VzCnA5MQpJNApzVmVuYWJsZWQKcDkyCkkwMQpzLg==
2018-11-09 15:55:15,493 Diagnostics INFO Check certificate
2018-11-09 15:55:15,493 Diagnostics INFO Creating connection
2018-11-09 15:55:15,493 Connection INFO Connecting to xx.xx.xx.xx:8302
2018-11-09 15:55:15,493 Connection INFO Using TLS v1.2
2018-11-09 15:55:15,504 Diagnostics INFO Creating request message
2018-11-09 15:55:15,505 Diagnostics INFO Request message=0001000200000008ffffffff48900061
2018-11-09 15:55:15,505 Diagnostics INFO Sending request message
2018-11-09 15:55:15,505 Diagnostics INFO Receiving response message
2018-11-09 15:55:15,517 Diagnostics ERROR The FMC eStreamer server has closed the connection. There are a number of possible causes which may show above in the error log.\n\nIf you see no errors then this could be that:\n * the server is shutting down\n * there has been a client authentication failure (please check that your outbound IP address matches that associated with your certificate - note that if your device is subject to NAT then the certificate IP must match the upstream NAT IP)\n * there is a problem with the server. If you are running FMC v6.0, you may need to install "Sourcefire 3D Defense Center S3 Hotfix AZ 6.1.0.3-1"\n
2018-11-09 15:55:15,517 Controller ERROR ConnectionClosedException: Connection closed\nTraceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/controller.py", line 244, in start\n diagnostics.execute()\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/diagnostics.py", line 96, in execute\n response = connection.response()\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 182, in response\n dataBuffer = self.__read( 8 )\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 159, in __read\n raise estreamer.ConnectionClosedException('Connection closed')\nConnectionClosedException: Connection closed\n
2018-11-09 15:55:15,518 Controller INFO Stopping...
2018-11-09 15:55:15,518 Monitor INFO Stopping Monitor.
2018-11-09 15:55:15,518 Controller INFO Goodbye

Please help.

0 Karma

km1986
Path Finder

I saw same issue today. eNcore Version 3.5.8 ; FMC version 6.2.3.14

I realized that the hostname provided to generate the certificate in FMC was not the same as that of the splunk server on which the eNcore app is being installed.

I re-generated the certificate with the same hostname as the Splunk server and the issue resolved.

0 Karma

douglashurd
Builder

With 6.x firepower you'll want to be on encore version 3.5.4
https://splunkbase.splunk.com/app/3662/

0 Karma

douglashurd
Builder

I would open a ticket with Cisco TAC. This sure looks like a connection problem or authentication problem. What versions of the FMC and eNcore are you running?

0 Karma

rajyah
Communicator

Is the Cisco eStreamer for Splunk(v.2.2.2) compatible with Splunk 7.2?

We currently use FMC Version 6.1.0.4 and eNcore v.3.15 but we can't seem to connect due to client authentication problem. Is this "client authentication" refers to the pkcs12 in the splunk server? If yes, we didnt set a password but it still logs that problem.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...