This document describes the error messages in the Cisco Security Monitoring, Analysis, and Response System (CS-MARS).
There are no specific requirements for this document.
The information in this document is based on the Cisco Secure MARS Version 4.2x/5.2x.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
This error message appears in CS-MARS when you try to add a device such as a Cisco IOS router or switch:
ssh_rsa_verify: n too small: 512 bits
key_verify failed for server_host_key
Use this solution in order to resolve the problem.
The cause for this error message is due to a 512-bit key that is generated by a router (device), but MARS expects a 1024-bit or higher key.
In order to resolve this issue, zeroize the key and generate a 1024-bit key in the router:
Router(config)#crypto key zeroize rsa
Router(config)#crypto key generate rsa general-keys modulus 1024
Warning: Cisco recommends that you use labeled key pairs instead of the default key pairs because the zeroizing of the default key pairs can lead to VPN tunnel termination. It can also affect the Certificate Authority (CA) data that relies on your default keys, for example:
Router(config)#crypto key generate rsa general-keys label sshkey modulus 1024 exportable
Router(config)#ip ssh rsa keypair-name sshkey
Refer to the Cisco IOS Security Command Reference for more information.
When you try to add a device in the CS-MARS, a blank pop-up screen appears. This occurs only when you use the Internet Explorer version 7 browser.
This is a known issue with Internet Explorer version 7, and the blank pop-up screen does not have any impact on the functionality. You can close the blank screen and continue to add devices. Internet Explorer version 6 or any other browser to avoid the blank pop-up screen issue.
After you upgrade from version 6.0.2 to 6.0.3, it appears that drop rules are ignored.
Update your MARS with the patch release 6.0.3 (3188) (csmars-184.108.40.20690-customerpatch.zip) in order to correct the potential issues with drop rules.
You receive this error message: An internal error has occurred. Please close all the browser windows and ensure that the specific device is added and submitted in Cisco Security Manager (CSM)
This problem occurs when the alerts that are generated from the firewalls use names, not IP addresses, and the CSM MARS integration does not support firewall alerts that use names.
In order to resolve this issue, issue the no names command on the firewall to enable the cross launch feature for all firewall alerts.
You might receive the "Invalid remote IP or path" error while NFS archives.
In order to resolve the issue, change the privilege level on the window server or re-start the services.
Refer to Configure the NFS Server on Windows for more information about how to configure NFS. Refer to Enable Logging of NFS Events for more information about how to enable logging.
You might receive this error message if your Oracle database is corrupted:
Program aborted due to: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux Error: 2: No such file or directory
In order to resolve this issue, re-image the MARS appliance. For more information on how to re-image MARS, refer to Re-Imaging a Local Controller.
When you try to add a device with a seed file in the CS-MARS, this error message appears:
Status: Errors occured while retrieving csv file from ftp server.
This occurs when the seed file is not saved in the comma separated value (CSV) format. You must save the seed file as a true CSV file. Do not save the file as a Microsoft Excel file (.xls file); MARS cannot interpret a Microsoft Excel formatted .xls file and will hang while it uploads the seed data. CS-MARS needs this data in the form of a true comma-separated value file. Refer to Add Multiple Reporting and Mitigation Devices Using a Seed File for more information on how to set up a seed file.
You might receive this error when you are unable to access a 3550 switch from MARS:
spawn ssh -c 3des -l marssys 10.15.110.16
The authenticity of host '10.15.110.16 (10.15.110.16)' can't be established.
RSA key fingerprint is ca:d6:ca:2c:ea:09:d6:2c:e2:78:d5:97:b6:f6:de:a5.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts
ssh_rsa_verify: n too small: 512 bits
key_verify failed for server_host_key
This error occurs if the modulus setting on the ssh key in the switch is set to 512; the value should be higher.
When you pull logs from the backend, you might receive this error: Thread 3075656624:winpull: repeated error pulling from 10.1.1.52, look in backend log for full info of the error
This error occurs when the learned windows account used to pull event logs does not have the rights for the MARS account on the server.
Mars reports this rule:
System Rule: Inactive CS-MARS Reporting Device. And did not receive syslogs.
This rule detects reporting devices that have not reported an event in the past hour. For chatty devices, such as firewalls and IDS, this error can indicate connectivity issues or an issue with the device itself. This rule must be scoped down to include only chatty network infrastructure devices.
When you try to export the device configuration, the process seems to run, but there is no configuration file on the SFTP server, just an empty folder that the process created. You might also receive the Error: failed to save file to the remote host message.
Check that the account you use has write access. Cisco recommends that you use the Cygwin SFTP Server on Windows.
The Cisco Security MARS supports SFTP servers as a storage medium to archive or to migrate data from 4.x to 6.0.1. Refer to Configure the Cygwin SFTP Server on Windows for information on how to configure the Cygwin and OpenSSH on Windows. It targets the Cygwin SFTP server on Windows XP.
You are unable to reset the password in CS-MARS.
Use pnadmin as the user name and password. If this does not work, the only way to reset the password on a MARS sensor is to use the recovery DVD, which basically reimages the appliance. Make sure you have your license key written down before you use the recovery CD/DVD. Refer to Recovering a Lost Administrative Password for more information on how to reset the password on CS-MARS.
The Local Controller (LC) does not synchronize properly with the Global Controller (GC).
Make sure that both the LC and GC have the same signature. The LC and GC must have the same signature in order for them to synchronize without any issues.
You might receive the Configuration import failed with error code: 111 error when you import a configuration from version 4.3.6 to 6.0.2 in CS-MARS.
The configuration can be imported from the CS-MARS version 4.3.6 to version 6.0.1 only; it cannot be imported to 6.0.2. In order to resolve this issue, import the configuration from 4.3.6 to 6.0.1 and then re-image CS-MARS to 6.0.2.
You might receive the Error: no configuration archive found. This tool only supports importing configuration archive generated by 4.3.1 release or later with the exception of 5.x.x releases. error when you import a configuration from version 4.x to 6.0.4 in CS-MARS.
The configuration can be imported from the CS-MARS version 4.x to version 6.0.1 only; it cannot be imported to 6.0.2. In order to resolve this issue, import the configuration from 4.x to 6.0.1 and then re-image CS-MARS to 6.0.4.
Refer to Migrating Data from Cisco Security MARS 4.x to 6.0.X for more information on migration of CS-MARS.
You might receive this error after you upgrade CS-MARS:
Error: Configuration error: host name does not match janus.conf::janusBoxName. Please contact Cisco for support.
This error is due to the Cisco bug ID CSCsh82939 (registered customers only) . In order to avoid this issue in future it is recommend to change the hostname to the original hostname instead running pnrestore on new default "hostname" both after the re-image and before the pnrestore,
You might receive this error when you import a configuration from version 6.0.1 to 6.0.3 in CS-MARS:
File gen_or_06_0_13.sql missing from schema.
Configuration import failed with error code: 1
Error: failed to import config data
If you use the pnexp and pnimp commands, the configuration is backed up and restored only to the same MARS version. The only exception is migrating from version 4.x to version 6.0.1; this procedure does not work for migrating from version 6.0.1 to version 6.0.3.
You must reimage MARS with the original 6.0.1 version again (the version from which you previously ran the pnexp command), restore configuration with pnimp, and then complete two sequential upgrades with the pnupgrade utility: 6.0.1 to 6.0.2 and then 6.0.2 to 6.0.3.
Note: Data restore from a larger model to a smaller model of CS-MARS is not supported. For example, you cannot restore data from Mars 100 to MARS 50.
You are unable to configure email alerts on MARS for all severity level RED rules.
It is not possible to configure email alerts for all severity level RED rules in one step. You must configure email alerts on a per-rule basis. Create a custom rule (Rules > Add), and then choose any for all parameters except severity. For the severity parameter, choose RED, and set an action to email to configure email alerts on MARS for all severity level RED rules. Refer to Configure a Rule to Send an Alert Action for more information.
For more information, refer to Cisco bug ID CSCse89349 (registered customers only) .
The auto signature update feature in MARS does not work if you use a proxy or proxy/caching server in order to access the Internet. You might receive this error message during auto signature update: unable to connect to the server, please check the URL,User name and password
MARS is unable to download dynamic IPS signature updates if you use a proxy or proxy/caching server to access the Internet. If you use a proxy/caching server, you can manually download the signature update files from this URL: http://www.cisco.com/cgi-bin/tablebuild.pl/mars-ips-sigup (registered customers only) . Refer to IPS Signature Dynamic Update Settings for more information about auto signature updates in MARS.
CS-MARS reports this error during higher signature update: Unknown Device Event Type
CS-MARS has a higher signature update than the sensors; no issue in parsing should arise. However, if the sensor has a higher signature update than CS-MARS, CS-MARS might generate an Unknown Device Event Type error as the CS-MARS cannot directly parse the newer signatures; raw event data will still be present. There should be performance impact to CS-MARS outside potentially non-descript event messages.
Note: Custom signatures are categorized as "Unknown Device Event Type" events in CS-MARS; however, signature look-up functions as expected.
You encounter issues after you configure MARS for NetFlow.
NetFlow is a Cisco technology that supports monitoring network traffic and is supported on all basic Cisco IOS images. MARS collects the NetFlow that is sent from the reporting device, and it provides various levels of functionality (dependent upon whether you store it to the database). If stored, NetFlow can be queried, and you can have reports, rules, and incidents for it. Refer to Understanding NetFlow Anomaly Detection for more information on how to configure MARS for NetFlow and how NetFlow works. Also refer to Taskflow for Configuring NetFlow Security Event Logging (NSEL) on MARS for more details on NetFlow configuration.
CS-MARS reports multiple destinations as port 0. The destination port is 0, and sometimes the destination IP address is 0.0.0.0.
This is expected CS-MARS behavior since some event types of reporting devices report multiple destination ports or IP addresses. MARS simply consolidates this information into a single value (0). If you are concerned about the data reported to MARS that triggered this behavior, you can run an All Matching Events Raw Messages type query against one or more of the reporting devices that triggered this behavior in order to see the information that was reported to MARS, which includes the multiple designation ports or IP addresses. All Matching Events Raw Messages with raw events displays Event ID, Event Type, Time, Reporting Device, and Raw Message fields.
CS-MARS has some events events that report the source as 0.0.0.0 port 0.
In CS-MARS, the IP address 0.0.0.0 means that there is no information for this field. This is a convention used within CS-MARS. IP addresses and ports of 0.0.0.0 and 0 respectively show up in two cases:
Those that were not specified in the syslog
Those that have multiple values (2 or more IPs or ports)
This error occurs when you try to start or stop the service with the pnstart or pnstop commands at the CLI in CS-MARS:
program aborted due to: ORA-01033: Oracle initializing or shutdown in progress.
This error message indicates that the database has crashed.
This error can be resolved if you re-image the CS-MARS followed by the configuration import.
You are unable to back up the device configuration without data in CS-MARS.
You can archive data from a MARS appliance and use that data to restore the operating system (OS), system configuration settings, dynamic data (event data), or the complete system. The appliance archives and restores data to and from an external network-attached storage (NAS) system with the network file system (NFS) protocol. After you archive all data and device configurations, restore only the device configuration information so that only the device configuration is restored. Refer to Configuring and Performing Appliance Data Backups for more information on appliance data backup in CS-MARS.
You are unable to upgrade the image with DVD in CS-MARS.
CS-MARS does not recognize the DVD as a recovery image. In order to resolve the issue, burn the CD at 4x speed. Refer to Downloading and Burning a Recovery DVD for more information on appliance software upgrade with DVD in CS-MARS.
You are unable to run the raidstatus command in CS-MARS.
CS-MARS does not support the raidstatus command in the lower-end models - 20 or 50. Only for models 100, 100E, and 200 is this command supported.
Devices report as Unknown Reporting Device IP in the MARS system.
This problem is due to CS-MARS tags event data since it is received based on the source IP address from which it came, and then it performs a lookup in its configuration (which matches the source IP address to a configured reporting device). If no match is found, the device is tagged as "Unknown Reporting Device IP," which means that the user has not configured MARS to recognize all requirements for MARS to be able to parse/understand event data, such as the type of device of the IP address and the version of software/code it runs.
In order to verify, note the IP address or addresses in question, and navigate to ADMIN > System Setup > Security and Monitor Devices page in the MARS GUI. Verify that the same IP address or addresses are not listed. Once verified, add a proper reporting device (and every other network device that shows as Unknown) in order to correct this issue.
You might receive this error when you download the update package on CS-MARS:
Cisco.com Package List\n An error occurred while accessing Cisco.com: An error occurred accessing Cisco.com. Error Code: ERR_INTERNAL
This error occurs when full outbound access to origin-www.cisco.com (via HTTPS/443) and software-sj.cisco.com (via HTTP/80) is not configured on the firewall. In order to resolve this issue, make sure the firewall (if present) is configured in order to allow full outbound access to origin-www.cisco.com (via HTTPS/443) and software-sj.cisco.com (via HTTP/80).
You are unable to add an FWSM in CS-MARS.
Before you can add an FWSM module in a switch, you must add and configure the base module (the Cisco switch) in MARS. Refer to Configuring Cisco Firewall Devices for more information.
You are unable to use NTLMv2 with CS-MARS.
NTLMv2 is not supported on CS-MARS; therefore, you are unable to use NTLMv2 with CS-MARS.
CS-MARS crashes with the kernel panic 5 message on the console. The message includes this information: CET Fatal ./csips Thread 62385072:Exiting the process as OUT_OF_MEMORY returned by CURL. superV will restart the process.
Usually, this issue is seen together with a high memory usage on the CS-MARS appliance. Running a command to show system inventory information can trigger this issue. For more information, refer to Cisco bug ID CSCsm40349 (registered customers only) .
You might receive this error when CS-MARS boots up:
/dev/hda2 UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.
Re-image the CS-MARS device in order to resolve this issue. You can also try to run fsck manually before you re-image the device.
Refer to Re-Imaging a Local Controller for more information on how to re-image the CS-MARS device.
You might receive this error when you upgrade csmars-220.127.116.112.30 to csmars-18.104.22.16888.32:
[Error][check_dependency/541]: minimal allowed version(22.214.171.12402.31) > current version(126.96.36.19902.30)
This error might occur if the data version was not properly updated during a previous version upgrade.
In order to resolve this issue, perform the upgrade to 6.0.2 from the CLI. The software version upgrade is skipped, but the data version upgrade is performed. You can then upgrade to version 6.0.3.
Verify your current version with the version CLI command
Refer to Upgrade from the CLI for more information on how to upgrade the CS-MARS device.
You might experience performance issues with the MARS GUI after you upgrade from 5.3.1 to 6.0.
Upgrade to version 6.0.6 in order to resolve this issue.
You are not able to export reports from MARS in a presentable format, such as PowerPoint, PDF, Word, or Excel.
CS-MARS does include functionality to export reports to other applications. CS-MARS supports only these two types of formats for reports:
Note: If you chose to view the report as a CSV file, you need to save the file to your computer, and open the CSV file in a third-party application. For more information, refer to Operations on Existing Reports.