
Web GUI not available in Security Analytics


Article ID: 227530

Products

Security Analytics, Security Analytics - VA

Issue/Introduction

The Security Analytics sensor and a provider may not be communicating. You may need to determine whether network traffic is being exchanged at all, and if so, what is being exchanged. tcpdump is a good tool for this and is used extensively in the networking world.

Another cause of login failure, when LDAP authentication is used, is that the user credentials configured on the sensor do not match those on the LDAP server. There are methods to check for the cause.

Cause

The firewall was changed during the upgrade. The troubleshooting process is the same for all inbound and outbound traffic through eth0, also known as bond0.

The system password may have been changed on the LDAP server.

Resolution

  • Port 80 and port 443 traffic was not reaching the desktop web browser and returning as expected. The same can happen with SNMP, syslog, RADIUS, LDAP, or any other external provider: the traffic is sent, from either the desktop or the sensor, but nothing is returned.
  • The universal tcpdump tool is available on Security Analytics from the command line as root. It lets you capture the traffic going to or from the management interface on the server for later inspection. A single network port or a full TCP conversation can be captured selectively to reduce the amount of traffic to inspect.
  • The simplest form of tcpdump on SA is tcpdump -i bond0. Other options or switches narrow the capture to the port or host of interest. To specify the host, run tcpdump -i bond0 host 10.11.12.13; to specify the port, run tcpdump -i bond0 port 80. You can also specify both with tcpdump -i bond0 host 10.11.12.13 and port 80. To write the packets to a file, run tcpdump -i bond0 -w port80.pcap host 10.11.12.13 and port 80 (the -w option belongs before the filter expression). To read the packets back, run tcpdump -r port80.pcap, or whichever file was specified.
  • The provider may not be configured to receive traffic from the SA box.
  • The firewall is not allowing traffic through.
  • The username or password was not correct.
  • The firewall was reconfigured during an upgrade.

Once the traffic makes it from the Security Analytics system to the provider, most services work as expected. It takes more investigation to determine whether the username and password combination is correct or whether other restrictions apply. Tools like Ethereal (now Wireshark) on a desktop are very good at interpreting the data, or you can import the pcap directly into the SA sensor.

You can check for LDAP server access or authentication failures by logging in as root at the command line over ssh and running grep -i ldap /var/log/messages. Does the system return "Invalid credentials"? If so, set the system user password in Settings -> Authentication.
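The following is an added example, not part of this article or of the Security Analytics product, that automates the two checks above: it runs the same grep -i ldap filter over a constructed sample of /var/log/messages and sorts the hits into "credentials" (the "Invalid credentials" case) versus "unreachable" (the provider-not-answering case the tcpdump steps cover), and it prints the tcpdump command line for capturing one provider conversation to a pcap. The interface, host, port and log lines are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article). Constructed syslog sample standing in
# for /var/log/messages; the daemon name, PID and addresses are hypothetical.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 sa-sensor sshd[2210]: Accepted publickey for root from 10.0.0.5
Mar  3 10:02:40 sa-sensor ldap-auth[1345]: bind to ldap://10.11.12.13/ failed: Invalid credentials
Mar  3 10:02:41 sa-sensor ldap-auth[1345]: no available LDAP server found
Mar  3 10:05:09 sa-sensor cron[3001]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Same filter the article uses (grep -i ldap), then classify each hit.
# "credentials" means fix the password in Settings -> Authentication;
# "unreachable" means start with the firewall and a tcpdump capture.
ldap_triage() {
  grep -i ldap "$1" | while IFS= read -r line; do
    case "$line" in
      *"Invalid credentials"*) echo "credentials: $line" ;;
      *"Can't contact LDAP server"*|*"no available LDAP server"*)
        echo "unreachable: $line" ;;
      *) echo "other: $line" ;;
    esac
  done
}

# Number of hits in one class. grep -c exits 1 on a zero count, so the
# "|| true" keeps the function usable under "set -e".
ldap_count() {
  ldap_triage "$1" | grep -c "^$2:" || true
}

# tcpdump command from the article for one provider conversation. -w (and
# -nn, to skip name lookups) go before the filter expression.
capture_cmd() {
  # $1 = interface, $2 = provider host, $3 = port, $4 = output pcap
  printf 'tcpdump -i %s -nn -w %s host %s and port %s' "$1" "$4" "$2" "$3"
}

ldap_triage "$SAMPLE_LOG"
echo "credentials failures: $(ldap_count "$SAMPLE_LOG" credentials)"
echo "unreachable failures: $(ldap_count "$SAMPLE_LOG" unreachable)"
echo "capture with: $(capture_cmd bond0 10.11.12.13 389 ldap.pcap)"
```

Run it on the sensor with the real log by replacing SAMPLE_LOG with /var/log/messages; the capture command it prints still has to be run as root.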