5 Replies Latest reply on Dec 10, 2013 3:06 PM by sliedl

    Data for host has expired

    badams

      Hi,

       

      I've stumbled across the following audit log and was hoping someone can help me interpret it.

       

      Dec  6 16:16:09 2013 CST  f_acld a_server t_error p_major
      pid: 2406 ruid: 0 euid: 0 pgid: 2406 logid: 0 cmd: 'acld'
      domain: Acld edomain: Acld hostname: ns1.company.com
      +|acld|ERROR|MAJOR|ACLD|SERVER
      =Data for host (policy>host>crl.globalsign.com) has expired. Please make sure there is no DNS problem.

       

      We are getting dozens of these every second on an appliance running 7.0.1.02.  They all reference a DNS host object defined in the policy, but the host objects do resolve to an IP.  Any idea what the problem may be?  Thanks.

       

      -Ben

        • 1. Re: Data for host has expired

          Hello,

           

          Can you attach the output of "cf package list" from the firewall please?

           

          How is the firewall set up for DNS, split or transparent?

           

          How are you testing that crl.globalsign.com resolves? It could be that the firewall's processes themselves are not able to resolve the hostname (depending on the configuration) even if you are able to do a dig or nslookup and resolve it.

           

          -Matt

          • 2. Re: Data for host has expired
            badams

            Hi Matt,

             

            Below are the results from "cf package list".  The firewall is configured for split DNS and I tested the DNS resolution directly from the firewall by running a dig on the hosts.

             

             

             

                                                         Local Packages
                                                      -------------------
                                   CommandCenter Management Version: 7.0.1.02.CC.5.1.0.01.04

            What              When               Status     Description
            ================= ================== ========== =======================================================
            70100             28-Jul-09 05:30    installed  Sidewinder 7.0.1.00 IPv6 Phase 1
            70101             28-Jul-09 05:30    installed  Sidewinder 7.0.1.01 FIPS 140-2 Level 2
            70102             28-Jul-09 05:30    installed  Sidewinder 7.0.1.02 Transparent Firewall with McAfee AV and Profiler
            70102HW01         28-Jul-09 05:30    obsolete   Sidewinder 7.0.1.02.HW01 F Model Hardware Support
            70102H03          10-Feb-10 14:26    installed  Sidewinder 7.0.1.02.H03 Profiler
            70102H04          10-Feb-10 14:26    installed  Sidewinder 7.0.1.02.H04 HA DNS
            70102H05          10-Feb-10 14:26    obsolete   Sidewinder 7.0.1.02.H05 Scanner DAT file descriptor leak
            70102H08          10-Feb-10 14:26    obsolete   Sidewinder 7.0.1.02.H08 Apply P3 to BIND 9.4.3 to fix DoS
            70102H09          10-Feb-10 14:26    obsolete   Sidewinder 7.0.1.02.H09 Hardware Enhancements
            70102H11          04-Mar-10 00:49    obsolete   Sidewinder 7.0.1.02.H11 TCP fastpath fix
            70102H12          04-Mar-10 00:49    installed  Sidewinder 7.0.1.02.H12 Improve resilience against renegotiation attacks
            70102E27          18-Mar-10 08:48    installed  Sidewinder 7.0.1.02.E27 Significantly improve GUI Network Objects and Rules screens' performance.
            70102H14          15-Dec-10 06:52    installed  Sidewinder 7.0.1.02.H14 Improve IPS signature set coverage
            70102H15          15-Dec-10 06:52    installed  Sidewinder 7.0.1.02.H15 make fast path smarter
            70102H16          15-Dec-10 06:52    installed  Sidewinder 7.0.1.02.H16 TE support for CC 5.0 new packet capture feature
            70102H17          15-Dec-10 06:52    installed  Sidewinder 7.0.1.02.H17 fix traceback in config reporter
            70102HW02         15-Dec-10 06:52    obsolete   Sidewinder 7.0.1.02.HW02 Rev B - New network hardware (updated em and ix drivers, new igb driver)
            70102CC4000706    11-Jan-11 09:37    installed  Sidewinder 7.0.1.02. CommandCenter 70102CC4000706
            70102CC5100104    12-Jan-11 09:52    installed  Sidewinder 7.0.1.02. CommandCenter 70102CC5100104
            70102E138         01-Feb-11 12:01    installed  Sidewinder 7.0.1.02.E138 Make acld no long blocking a query due to host expiration or missing
            70102H19          12-Dec-11 23:31    obsolete   Sidewinder 7.0.1.02.H19 NTPD, kernel, avupdate.pyc maintenance patch
            70102H20          12-Dec-11 23:31    installed  Sidewinder 7.0.1.02.H20 NTPD, avupdate, Kernel and Hardware Patch
            70102H21          06-Dec-11 14:14    loaded     Sidewinder 7.0.1.02.H21 Restore MBR
            70102H22          12-Dec-11 23:31    installed  Sidewinder 7.0.1.02.H22 bind maintenance patch

            • 3. Re: Data for host has expired

              Hello,

               

              Interesting. Ok, I think that the best bet would be to contact support and open a case. I can see two possible problems here:

               

              1) the process responsible for host objects (hostd) is not able to resolve that name, even though a dig works properly

              2) there is a problem with the hostd process thinking that the object is not resolving when it is

               

              Do you have any other host objects? Are they having the same issue?

               

              -Matt

              • 4. Re: Data for host has expired
                badams

                Thanks for the quick response.  I'll get a case opened. 

                 

                We do have a rather large number of host objects defined and, although I haven't verified, it appears we are getting a message for each one.
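
Added example (not part of the original thread and not vendor code): one way to check from exported audit text whether every defined host object is producing the "Data for host ... has expired" error, and at what rate. It assumes the audit is available as plain text in the record layout quoted in the first post; the `DEFINED` host list, the `example.com` names and the sample records are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Header line of a record: "Dec  6 16:16:09 2013 CST  f_acld a_server t_error p_major"
HEADER = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\d{4}) ")
# Message line of the acld error quoted in the thread.
EXPIRED = re.compile(r"^=Data for host \(policy>host>([^)]+)\) has expired")

def summarize(text):
    """Return (messages per host object, messages per second) for expiry errors."""
    per_host, per_second = Counter(), Counter()
    stamp = None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate indentation and blank lines between fields
        m = HEADER.match(line)
        if m:
            stamp = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
            continue
        m = EXPIRED.match(line)
        if m and stamp is not None:
            per_host[m.group(1).lower()] += 1
            per_second[stamp] += 1
    return per_host, per_second

def unaffected(defined_hosts, per_host):
    """Host objects from the policy that produced no expiry message."""
    return sorted(h for h in defined_hosts if h.lower() not in per_host)

def _record(clock, host):
    # Constructed record in the layout of the one quoted in the thread.
    return (f"Dec  6 {clock} 2013 CST  f_acld a_server t_error p_major\n"
            "pid: 2406 ruid: 0 euid: 0 pgid: 2406 logid: 0 cmd: 'acld'\n"
            "domain: Acld edomain: Acld hostname: ns1.company.com\n"
            "+|acld|ERROR|MAJOR|ACLD|SERVER\n"
            f"=Data for host (policy>host>{host}) has expired. "
            "Please make sure there is no DNS problem.\n\n")

SAMPLE = "".join(_record(c, h) for c, h in [
    ("16:16:09", "crl.globalsign.com"), ("16:16:09", "updates.example.com"),
    ("16:16:09", "crl.globalsign.com"), ("16:16:10", "mail.example.com")])
# Hypothetical list of DNS host objects defined in the policy.
DEFINED = ["crl.globalsign.com", "updates.example.com",
           "mail.example.com", "ntp.example.com"]

if __name__ == "__main__":
    hosts, seconds = summarize(SAMPLE)
    print("messages per host object:", hosts.most_common())
    print("peak messages/second:", max(seconds.values(), default=0))
    print("host objects with no expiry message:", unaffected(DEFINED, hosts))
```

If `unaffected` returns an empty list, every defined host object is logging the error, which points at the resolver process rather than at any single DNS name.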

                • 5. Re: Data for host has expired
                  sliedl

                  You should upgrade your firewalls to 70103H08 because there are fixes for hostd in the later versions.  Also, 70102 is no longer supported.