Issue: Generating SEC Bootstrap data failed.
Symptom: While generating SEC bootstrap data in CDO, the "bootstrap generation" step fails with the error, "There was an error fetching the bootstrap data. Please try again."
Repair: Retry bootstrap data generation. If it still fails, raise a CDO support ticket.
Issue: SEC status is "Inactive" in CDO Secure Connectors page after onboarding
Symptom: The Secure Event Connector status shows "Inactive" in the CDO Secure Connectors page for one of these reasons:
- Heartbeat failed
- Connector registration failed
Issue: The SEC is "online", but there are no events in CDO Event Logging Page
Symptom: The Secure Event Connector shows "Active" in the CDO Secure Connectors page, but you do not see events in the CDO Event viewer.
Solution or workaround:
- Log in to the VM of the on-premise SDC and switch to the 'sdc' user. At the prompt, type sudo su - sdc.
- Perform these checks:
  - Check the SEC connector log (/usr/local/cdo/data/<tenantDir>/event_streamer/logs/connector.log) and ensure the SEC registration was successful. If not, refer to the issue "Secure Event Connector Registration failure".
  - Check the SEC events log (/usr/local/cdo/data/<tenantDir>/event_streamer/logs/events-plugin.log) and ensure that events are being processed. If not, contact CDO support.
  - Log in to the SEC docker container and execute the command "supervisorctl -c /opt/cssp/data/conf/supervisord.conf". Ensure the output is as shown below, with all processes in the RUNNING state. If not, contact CDO support.
estreamer-connector RUNNING pid 36, uptime 5:25:17
estreamer-cron RUNNING pid 39, uptime 5:25:17
estreamer-plugin RUNNING pid 37, uptime 5:25:17
estreamer-rsyslog RUNNING pid 38, uptime 5:25:17
- Ensure that the firewall rules on the on-premise SDC are not blocking the UDP and TCP ports shown for the SEC on the Secure Connectors page. See Finding Your Device's TCP, UDP, and NSEL Port Used for Cisco Security Analytics and Logging to determine what ports you need to open.
- If you have set up the SDC manually on a CentOS 7 VM of your own and have the firewall configured to block incoming requests, you can execute the following commands to unblock the UDP and TCP ports:
firewall-cmd --zone=public --add-port=<udp_port>/udp --permanent
firewall-cmd --zone=public --add-port=<tcp_port>/tcp --permanent
- Using Linux network tools of your choice, check whether packets are being received on these ports. If they are not, re-check the FTD logging configuration.
If none of the above repairs work, raise a CDO support ticket.
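The checks above can be scripted so they are repeatable on every SDC. The script below is an added example written for this page; it is not Cisco's or CDO's own tooling. It parses supervisorctl status output in the format shown above and fails if any of the four estreamer processes is missing or not RUNNING, checks for listening sockets on the SEC ports with ss(8) (an assumption of this example; the page leaves the tool to you), and wraps the two firewall-cmd commands together with the firewall-cmd --reload that permanent firewalld rules need before they take effect. The two status samples are constructed to exercise the healthy and degraded cases; the live checks only run when SEC_LIVE=1 is set, since they need the SEC container and root.

```shell
#!/bin/sh
# Added example for the SEC "online but no events" checks; not code from the CDO page.

# The four supervisord programs the page expects to be RUNNING inside the SEC container.
EXPECTED="estreamer-connector estreamer-cron estreamer-plugin estreamer-rsyslog"

# Constructed sample: healthy output, matching the listing on the page.
HEALTHY_SAMPLE='estreamer-connector RUNNING pid 36, uptime 5:25:17
estreamer-cron RUNNING pid 39, uptime 5:25:17
estreamer-plugin RUNNING pid 37, uptime 5:25:17
estreamer-rsyslog RUNNING pid 38, uptime 5:25:17'

# Constructed sample: the plugin has died, so events will not be processed.
DEGRADED_SAMPLE='estreamer-connector RUNNING pid 36, uptime 5:25:17
estreamer-cron RUNNING pid 39, uptime 5:25:17
estreamer-plugin FATAL Exited too quickly (process log may have details)
estreamer-rsyslog RUNNING pid 38, uptime 5:25:17'

# sec_check_status: read supervisorctl status lines on stdin, print every expected
# process that is missing or not RUNNING, return 0 only when all four are RUNNING.
sec_check_status() {
    status_out=$(cat)
    rc=0
    for p in $EXPECTED; do
        # column 1 is the program name, column 2 its supervisord state
        state=$(printf '%s\n' "$status_out" | awk -v name="$p" '$1 == name { print $2 }')
        if [ "$state" != "RUNNING" ]; then
            printf 'NOT RUNNING: %s (state: %s)\n' "$p" "${state:-missing}"
            rc=1
        fi
    done
    return $rc
}

# sec_port_listening PORT PROTO: return 0 if a socket is listening on PORT for
# PROTO (udp or tcp). Uses ss(8); run on the host that owns the SEC container.
sec_port_listening() {
    port=$1
    proto=$2
    case "$proto" in
        udp) ss -Hlnu "sport = :$port" | grep -q . ;;
        tcp) ss -Hlnt "sport = :$port" | grep -q . ;;
        *)   echo "unknown protocol: $proto" >&2; return 2 ;;
    esac
}

# sec_open_firewall_ports UDP_PORT TCP_PORT: the page's two firewalld commands plus
# the reload, without which --permanent rules are not applied to the running firewall.
sec_open_firewall_ports() {
    firewall-cmd --zone=public --add-port="$1"/udp --permanent
    firewall-cmd --zone=public --add-port="$2"/tcp --permanent
    firewall-cmd --reload
}

# Demonstration on the constructed samples; safe to run on any machine.
printf '%s\n' "$HEALTHY_SAMPLE" | sec_check_status && echo "healthy sample: all processes RUNNING"
printf '%s\n' "$DEGRADED_SAMPLE" | sec_check_status || echo "degraded sample: contact CDO support"

# Live checks, only when explicitly requested. SEC_UDP_PORT and SEC_TCP_PORT are the
# values shown for the SEC on the Secure Connectors page (placeholders here).
if [ "${SEC_LIVE:-0}" = "1" ]; then
    supervisorctl -c /opt/cssp/data/conf/supervisord.conf status | sec_check_status
    for spec in "${SEC_UDP_PORT:-<udp_port>} udp" "${SEC_TCP_PORT:-<tcp_port>} tcp"; do
        set -- $spec
        if sec_port_listening "$1" "$2"; then
            echo "$2/$1: listening"
        else
            echo "$2/$1: NOT listening; check the container and the FTD logging configuration"
        fi
    done
fi
```

Run it as the sdc user with SEC_LIVE=1 SEC_UDP_PORT=... SEC_TCP_PORT=... once the container is up; a NOT RUNNING line maps directly to the "contact CDO support" step, and a NOT listening line means the packets-received check with tcpdump or similar is the next thing to do.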