CSC connection failure with on-prem Analytics

Is there any other port used by on-site analytics? I performed all the analytics release rules for ESX, but CSC still has connection failures. I have already reviewed the syslog settings on the firewall. The ports used for clearance were 31031 and 514.


Category: Capture Security Center

Answers

  • Saravanan Moderator

    Hello @ODANIELSANTIAGO__ 

    I hope you are safe and well!

    On-Prem analytics uses only ports such as TCP/UDP 31031 and UDP 514. As per your post, it seems like the communication between the firewall and analytics fails. More or less it seems like a connectivity issue here. I have listed a few prerequisites and possible troubleshooting steps below. Hope these can help you to figure out how to get the communication channel open between the firewall and analytics.

    Prerequisites:

    • Firewalls supported by an On-Premises Analytics instance must be in a single Group or Tenancy.
    • The firewalls added to On-Premises Analytics should not have Reporting and Analytics enabled in CSC.
    • Each firewall should have HTTPS management enabled.
    • Firewalls added to CSC using Zero Touch are NOT supported for On-Premises Analytics.

    Troubleshooting steps:

    • You can do a packet capture on the firewall referring below KB article web-link to ensure if the firewall can send and receive packets on the ports.

    https://www.sonicwall.com/support/knowledge-base/how-can-i-setup-and-utilize-the-packet-monitor-feature-for-troubleshooting/170513143911627/

    • Please check if you have port TCP/UDP 31031 opened on gateway router/firewall if any between the SonicWall firewall and the analytics.
    • You could perform a telnet port test from a PC/workstation in the same subnet as that of the firewall to the analytics IP address using below command,

    C:\Users>telnet analyticsIP 31031

    There should be a blank screen in the cmd prompt for a successful communication establishment.

    Please check the recommendations, try the suggestions and let me know how it goes.

    Thank you. Have a good day!!!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hello, thank you very much for the answer, as I still have this problem. Really the tests on the ports are not ok, see the image below.
    


    I already looked in the console shell for some way to validate it, and I didn't find it.
    The server is on the network, responding to ping and with internet access. I validated the NAT rules, all right.
    


  • Saravanan Moderator

    Hi ODANIELSANTIAGO__,

    Thanks for trying out the recommendations. I'm glad that you were able to try those.

    As per the screenshot, the telnet seems to be unsuccessful for the TCP 31031 whereas for the other port UDP 514, the telnet test is not applicable since telnet is a test meant for TCP ports.

    As per the telnet results, it's obvious that the communication between firewall and analytics doesn't happen for some reason.

    My quick suggestion on this would be,

    • to check if the port TCP/UDP 31031 is opened on the gateway router/firewall if any between the SonicWall firewall and the analytics.
    • perform a traceroute test from a PC/workstation in the same subnet as that of the firewall to the analytics IP address using below command. The results will tell you at which hop between the firewall and analytics the connection breaks.

    C:\Users>tracert analyticsIP

    Please let me know how it goes.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
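
The reply above notes that telnet only exercises TCP, which leaves UDP 514 unchecked. The following is an added example, not part of the thread and not SonicWall code: a small Python check that probes TCP 31031 and sends one constructed syslog datagram to UDP 514. The function names and the placeholder address 192.0.2.10 are assumptions.

```python
import socket
import sys

def check_tcp(host, port=31031, timeout=3.0):
    """'open' = handshake completed; 'refused' = host reachable but nothing
    listening (RST); 'filtered-or-unreachable' = no answer or no route."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes socket.timeout
        return "filtered-or-unreachable"

def check_udp_syslog(host, port=514, timeout=2.0):
    """Send one constructed syslog line over UDP and report what came back."""
    msg = b"<14>connectivity-test: constructed test message"  # PRI 14 = user.info
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(msg)
            s.recv(1024)  # a syslog receiver never replies; only errors surface here
            return "reply"
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"  # ICMP port unreachable: nothing listening on UDP
        except socket.timeout:
            return "sent-no-reply"  # inconclusive: confirm arrival in a packet capture
        except OSError:
            return "unreachable"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    print("TCP 31031:", check_tcp(host))
    print("UDP 514:  ", check_udp_syslog(host))
```

A "sent-no-reply" result for UDP 514 only shows that no ICMP error came back; whether the datagram arrived has to be confirmed in a capture on the receiving side.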

  • Hello,
    Thanks for the quick response.
    Below the result
    
    https://prnt.sc/s8kg22
    
    
    


  • My configuration for analytics on-prem

    https://prnt.sc/s8komp

  • Saravanan Moderator

    Hi ODANIELSANTIAGO__,

    Thanks for sharing the results and analytics configuration.

    As per the screenshots, it looks like the connectivity is proper. But for some reason, the analytics connection status alone is not coming up. So, I recommend doing a packet capture on the SonicWall firewall using the packet monitor feature and on the analytics server using the Wireshark tool to dig more into the root cause and find a possible fix. It would be easier for you to go through the packet traces with our support team. You can lodge a support case for analytics product and contact the technical team using below web-link reference.

    I hope this helps further!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hello, good morning,
    Several attempts were made without success, including re-installation of Analytics on-prem and even changing the IP address.
    What address can you use to monitor packets when adding a unit in the CSC?
    
    


  • Brian SonicWall Employee

    From your initial post it looks like you are set up for sending syslogs to an on-prem deployment that is flow based. Please check if your on-prem license is for syslog or flow and make sure you deploy your server for what you are licensed for. If it is for flow based reporting then make sure GMS flow server settings are correct and that content filtering service is enabled. Hope this helps.

  • Hi, thanks for the reply, unfortunately I haven't been successful yet.

    I reconfigured everything again,

    On-prem as syslog based https://prnt.sc/sc8jd3

    Enabled on mysonicwall as syslog analytics https://prnt.sc/sc8k0m

  • Brian SonicWall Employee

    Thanks for the screen shots, the setup looks correct now. Make sure logging level on the firewall is set to 'inform' located at log>settings and confirm that syslogs are sent to the on-prem analytics. Also you need to add the unit to the on-prem analytics by clicking the '+' icon you see in tree control panel. If still an issue after that, please open a support case for further troubleshooting.

  • Hello,
    Returning here to update my case, on site, I added my 5 tz300, but I managed to collect data through a s2s vpn that I created, between the site and the firewall.
    In the syslog of each firewall, it is possible to put the ip in place, through vpn.
    Still no communication between csc and on-prem.
    


    https://prnt.sc/sgqz8l

  • Hello,
    Returning here to update my case, on site, I added my 5 tz300, but I managed to collect data through a s2s vpn that I created, between the site and the firewall.
    In the syslog of each firewall, it is possible to put the ip in place, through vpn.
    Still no communication between csc and on-prem.
    
    In the on-prem firewall, it has a NAT configured with the following ports: 514 UDP and 31031 TCP/UDP
    
    In addition, I tried a local telnet on port 31031, but I am also unsuccessful.
    
    https://prnt.sc/sgqz8l
