
I'm using Cisco NetFlow Collector software and it was collecting NetFlow data as expected until the server admin disabled iptables and the security admin enabled a firewall for the server. Now it is giving the below exception.

The collector is running on an internal/private server and the Cisco NFC license is tied to the public IP, hence the hostname is set to the public IP in the /etc/hosts file.

[2015-09-29 12:03:41 GMT+05:30] INFO com.cisco.nfc.cnsxml.CNSXMLMonitor - Starting CNS/XML Interface for NFC 6.0.0 [standard image, build 31]...
[2015-09-29 12:06:51 GMT+05:30] ERROR com.cisco.nfc.cnsxml.CNSXMLMonitor - Could not start CNS Event Service transport
java.rmi.ConnectException: Connection refused to host: <public IP>; nested exception is:
        java.net.ConnectException: Connection timed out
        at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:574)
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:185)
        at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:171)
        at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:306)
        at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
        at java.rmi.Naming.rebind(Naming.java:160)
        at com.cisco.nfc.cnsxml.CNSXMLMonitor.<init>(CNSXMLMonitor.java:163)
        at com.cisco.nfc.cnsxml.CNSXMLMonitor.main(CNSXMLMonitor.java:192)
Caused by: java.net.ConnectException: Connection timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
        at java.net.Socket.connect(Socket.java:519)
        at java.net.Socket.connect(Socket.java:469)
        at java.net.Socket.<init>(Socket.java:366)
        at java.net.Socket.<init>(Socket.java:179)
        at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:22)
        at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:128)
        at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:569)
        ... 7 more

The security admin has allowed ports 22 and 1099, but the above exception is still thrown. Do I need to change the configuration on the server or in the firewall?

  • Use telnet to ping the port. It will make sure you can access the port. Then try this. Otherwise you may need to configure the firewall to open the port. – Viswanath Lekshmanan Sep 30 '15 at 10:52
  • What was the suppressed port number in the exception? Was it 1099? Or some other number? And why are you trying to bind to your Registry by its public IP address in the first place? Try `"localhost"`. – user207421 Sep 30 '15 at 11:05
  • Hi Viswanath, currently three routers are configured to export NetFlow data to the public IP of the collector server. Telnet to the public IP from the routers is working, but telnet to the public IP from the private IP is getting timed out. – Tejas Belur Sep 30 '15 at 11:22
  • @EJP, I do not see a port number in the exception, just the public IP. The Cisco NFC license is tied to the public IP (NAT, not physical) and hence the hostname is assigned the public IP in the /etc/hosts file, and hence RMI is binding to the public IP instead of localhost. When binding to localhost the exception goes away, but the collector throws a license exception. – Tejas Belur Sep 30 '15 at 11:27
  • So you got further into the application. You need to adopt this change and then solve the next problem. The RMI Registry doesn't depend on any licensing scheme. When binding, there is never any point in using any hostname other than localhost. You can't bind to a remote Registry, and clearly this Registry isn't remote. – user207421 Sep 30 '15 at 12:41
  • @EJP, the security team informed me that they changed the configuration. Initially the public IP was a physical IP on the server and iptables was used for firewall rules. Later iptables was disabled, the server was brought behind the corporate firewall and the public IP was changed from the physical server IP to a logical NAT IP. This is when the issue started. The security team will not revert to the original setup but are willing to configure firewall rules as required. Port 1099 is allowed in the firewall but the 'connection refused' error still persists. What am I missing? (The `telnet 1099` command gets timed out but `telnet 1099` is successful.) – Tejas Belur Oct 05 '15 at 05:35
  • This issue was resolved by using a new license from Cisco generated using the private IP. Thanks Viswanath and EJP for your help. – Tejas Belur Oct 09 '15 at 06:06
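As an added example (not code from the question, from Cisco NFC, or from any commenter), this Java check reproduces the point EJP makes in the comments: it resolves the registry hostname the same way `Naming.rebind("//<hostname>:1099/...")` would, then reports whether the resulting address is actually configured on a local interface. A hostname pinned in /etc/hosts to a NAT or public address that is not local makes the bind an outbound TCP connection, which is exactly what a perimeter firewall can time out. The class and method names are my own.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;

/**
 * Pre-flight diagnostic for an RMI registry bind. It answers one question:
 * "if I bind via this hostname, does the connection stay on this machine?"
 * (Hypothetical helper written for this page, not part of Cisco NFC.)
 */
public class RmiBindCheck {

    /** True when addr is a loopback address or is configured on a local interface. */
    public static boolean isLocalAddress(InetAddress addr) throws SocketException {
        return addr.isLoopbackAddress() || NetworkInterface.getByInetAddress(addr) != null;
    }

    /**
     * Resolves registryHost through the OS resolver (which honours /etc/hosts, as
     * java.rmi.Naming does) and explains what a bind through that name would do.
     */
    public static String diagnose(String registryHost) {
        try {
            InetAddress addr = InetAddress.getByName(registryHost);
            if (isLocalAddress(addr)) {
                return registryHost + " -> " + addr.getHostAddress()
                     + ": local address, RMI bind stays on this host";
            }
            // This is the question's situation: the name resolves to a NAT/public
            // address that no local interface owns, so the JVM opens an outbound TCP
            // connection to it and a firewall in the path produces "Connection timed out".
            return registryHost + " -> " + addr.getHostAddress()
                 + ": NOT on any local interface; Naming.rebind would connect outbound."
                 + " Bind via localhost and advertise the external address with"
                 + " -Djava.rmi.server.hostname=<address> instead.";
        } catch (UnknownHostException e) {
            return registryHost + ": does not resolve (" + e.getMessage() + ")";
        } catch (SocketException e) {
            return "could not enumerate local interfaces: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        // Default to the machine's own hostname, which is what an application that
        // reads its identity from /etc/hosts ends up using.
        String host = args.length > 0 ? args[0] : InetAddress.getLocalHost().getHostName();
        System.out.println(diagnose(host));
    }
}
```

Run it with the hostname from /etc/hosts as the argument; a "NOT on any local interface" result means the registry bind, not the firewall rule for port 1099, is the thing to change.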

1 Answer


This issue was resolved by using a new license from Cisco generated using the private IP. Thanks Viswanath and EJP for your help.