Cannot register new Sourcefire sensor


Article ID: 168018


Updated On:




Defense Center doesn't accept Sourcefire new sensor registration

When adding new a Sourcefire member into a VAP group using the application-update command, registering a sensor fails, and the following message is displayed in the UI:

"Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection."


Sourcefire indicates that this may be due to the CGI crashing, or due to administrative collisions while using the database.




1.       If this is first time adding sensors or increasing VAP members using application-update, check the first column of each /etc/sf/ca_root/index.txt line for R (revoke) on Defense Center. Sometimes, Sourcefire can successfully revoke the certificate if the registration doesn't complete.

Steps to be done on Defense Center

R 191214130500Z 091216140526Z 05 unknown /CN=localhost/OU=Intrusion Management System/O=Sourcefire, Inc./title=d47256e2-ea32-11de-ae93-f6b8a38e9285/generationQualifier=sftunnel

2.       If there is no revoked certificate, start the mysql client on Defense Center

·    mysql -padmin sfsnort

3.       Clear the certificate

·    Get sensor UUID for known IP address of failed sensor

·    Run this command and save results for future use. Note: It could return no value.

·    Exit mysql

·    Select ssl_peer.service from ssl_peer where ssl_peer.service = (select uid from sensor where ip='IP_PEER');

4.       Get the Certificate ID

·    cat /etc/sf/ca_root/index.txt | grep "<UUID of above sensor>"

5.       Revoke Certificate

·    sfca_revoke/etc/sf/ca_root 0x?? (where ?? is the third column in the results of the grep)

6.       Delete ssl_peer entry

·    delete from ssl_peer where ssl_peer.service = (select uid from sensor where ip='IP_PEER');

7.       Delete peer ip from EM_Peers

·    delete from EM_peers where ip='IP_PEER';

8.       Delete sensor

·    delete from sensor where ip='IP_PEER';


Steps to be done on each vap member:

1. Rsh to vap

[[email protected] admin]# rsh us1sxsnid03_2

2. Load Sourcefire environment variables
us1sxsnid03_2 (x80-3): root$ source /opt/sf/profile

3. Delete current Defense Center registration
us1sxsnid03_2 (x80-3): root$ /opt/sf/usr/local/sf/bin/
Removing existing managers...
What is the management host (optional)?
What is the registration key? admin
What is the unique NAT ID (optional)?
What is the registration port (8305)?
Restarting the system...done
us1sxsnid03_2 (x80-3): root$

4. Login to Defense Center GUI using admin account to re-add sensor

4.1. Go to Operations > Sensors
4.2. Click New Sensor
4.3. Type vap-member management IP address
4.4. Type same registration key when you installed sensor on the vap
4.5. Leave unique NAT ID blank (default)
4.6. Don't select Prohibit Packet Transfer to the Defense Center
4.7. If exists, select sensor group where this sensor will belongs to
4.8. Click Add to finish