CDO "connection-events" in SWC Sensor Stopped / Down

This week I ran into an issue that seems rather unexplained, but I felt I should mention it to help others, especially during this awkward time, with many of us being potential targets of the current rampage of cyberattacks during the attack on Ukraine.

I use CDO (Cisco Defense Orchestrator) and StealthWatch Cloud (SWC), now called Security Analytics. After some time of successful use, the long "arm" between CDO and SWC failed. It was assumed by TAC that this could mean "the firewall" stopped logging to CDO, or lost its connection to CDO.

But we have many sets of HA FTD firewalls that report to CDO. So what gives? Why the sudden and quiet failure as shown below? Why would a multitude of firewalls all stop communicating at once?

[Screenshot: Screen Shot 2022-03-17 at 10.29.26 AM.png]

It's confusing enough to know exactly how CDO, SWC, and SecureX all play together, but this was perplexing. Did the API key fail? Was there some new version of SWC or CDO deployed through scrum that failed?

Well, here's what I found: Nothing. No rhyme or reason. It just failed. We're all guessing as to exactly what caused the trouble or what caused CDO to stop talking to SWC. My only guess was changing the hostnames of the firewalls.

The fix: Un-register and re-register all firewalls with CDO. Once the first pair was re-registered, the connection-events sensor came back online in SWC.


RFC 1925