Troubleshooting Cisco Secure Application Issues
This page provides common troubleshooting actions that you can take to solve Cisco Secure Application issues.
Cisco Secure Application Does Not Start
- Cisco Secure Application runs with monitored application processes. At startup, Cisco Secure Application attempts to create its own log directory. The OS user under which the monitored application processes run must have Read and Write access to all Cisco AppDynamics and Cisco Secure Application related directories, libraries, and installed components. Otherwise, Cisco Secure Application will not start.
Ensure that you update OS permissions. To do this, grant Read and Write access to the existing owner of the Cisco Secure Application directories by issuing the following command from a terminal (on Linux platforms):
find external-services/argentoDynamicService -type d -exec chmod g+w {} \;
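The following script is an added example, not part of the Cisco documentation. It audits the group permission bits that the chmod command above sets, so you can confirm the state before restarting the monitored process. The function names are hypothetical, and the default path assumes you run it from the directory that contains external-services.

```shell
#!/bin/sh
# Added example: audit the permissions that the chmod command above sets.
# The directory name comes from the page; the function names are hypothetical.

# Print every directory under $1 that lacks group read or group write.
list_dirs_missing_group_rw() {
    find "$1" -type d \( ! -perm -040 -o ! -perm -020 \) -print | sort
}

# Apply the page's fix, then print whatever is still missing group read/write.
grant_group_write() {
    find "$1" -type d -exec chmod g+w {} \;
    list_dirs_missing_group_rw "$1"
}

# 0 = every directory is group readable and writable,
# 1 = at least one directory is not, 2 = the root directory does not exist.
check_secure_app_dirs() {
    root=${1:-external-services/argentoDynamicService}
    if [ ! -d "$root" ]; then
        echo "missing directory: $root" >&2
        return 2
    fi
    missing=$(list_dirs_missing_group_rw "$root")
    if [ -n "$missing" ]; then
        echo "directories without group read/write:" >&2
        echo "$missing" >&2
        return 1
    fi
    return 0
}

# Run the audit only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    check_secure_app_dirs "$1"
fi
```

The audit inspects mode bits only; it does not verify that the OS user running the monitored process belongs to the owning group.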
Cisco Secure Application Permissions Are Unavailable in the Role Configuration
- Check if the Controller version meets the requirements. See Cisco Secure Application Requirements.
- If the permissions are unavailable even when the Controller version is supported, ensure that you have activated the Cisco Secure Application license for the Controller. To get a Cisco Secure Application license, contact the Cisco AppDynamics sales representative, or email salesops@appdynamics.com.
Cisco Secure Application for OpenTelemetry Is Not Loading
Cisco Secure Application for OpenTelemetry may take 20+ minutes for the initial application and security findings to appear in the Controller.
Disable Cisco Secure Application at Agent Start-up
The dynamic service for bootstrapping Cisco Secure Application within the Java Agent is enabled by default. However, if you need to disable the Cisco Secure Application dynamic service, you can use any of the following ways. The properties below disable Cisco Secure Application within an agent only while launching the monitored application process. The properties can't stop an already running instance of the Cisco Secure Application service.
The properties multi-tenant-agent-enabled and multi.tenant.agent.no.service.startup impact not only Cisco Secure Application, but other multi-tenant agent services. To disable just the Cisco Secure Application dynamic service, see disable-dynamic-services.
- Apply the node property from the Controller UI. You can use any one of the following node properties:

| Property Name | Value |
| --- | --- |
| multi-tenant-agent-enabled | false |
| disable-dynamic-services | argentoDynamicService |

- Add the system property -Dmulti.tenant.agent.no.service.startup=true in JVM arguments.
Spring Boot Application Start-up Issues
Spring Boot versions with Java Development Kit (JDK) version 11 have issues loading Java Archive (JAR) files when SecurityManager is enabled. Because Cisco Secure Application uses the Java Security Manager, the Spring Boot bug may prevent class loading, causing application and container start-up failures. To troubleshoot that issue, add the system property -Dsun.misc.URLClassPath.disableJarChecking=true and re-run the application.
Security Events Widget Is Not Displayed in an Application Flow Map
- You can view the Security Events widget after the license activation. Ensure that you have the Cisco Secure Application license. To get a Cisco Secure Application license, contact the Cisco AppDynamics sales representative, or email salesops@appdynamics.com.
- If the widget is not displayed even when the license is activated, then confirm with the administrator that the account has the necessary permissions to view or configure Cisco Secure Application. See Account Permissions.
Number of Registered Nodes and Active Nodes Does Not Match
On the Applications page, drill down in the application to identify the inactive node. Check the APM agent logs on the inactive node(s). See Troubleshooting Java Agent Issues.
Vulnerabilities or Attacks Are Not Displayed on the Home, Vulnerabilities, or Attacks Page
- Ensure that the Security Setting is set to Enabled on at least one of the applications, tiers, or nodes within the Applications page. Also ensure that the agents are registered and active. See Monitor Security Status of Applications.
- If the vulnerabilities and attacks are not displayed even when the Security Setting is enabled, review the following troubleshooting scenarios to identify other potential issues.
Number of Enabled Nodes and Registered Nodes Does Not Match
- Check if the nodes that have Security Status set to Enabled use the APM Agent version that meets the requirements. See Cisco Secure Application Requirements.
- If the agent version is supported, then drill down in the Application view to identify the unregistered node(s). Check the APM agent logs on the unregistered node(s). See Troubleshooting Java Agent Issues.
Security Setting is Enabled and No Libraries Are Listed
- Confirm that there are active nodes in the Application view. See Monitor Security Status of Applications.
- It is also possible that there are no third-party libraries used in the monitored applications.
Security Setting is Enabled and No Vulnerabilities Are Listed
- Confirm that there are active nodes in the Application view. See Monitor Security Status of Applications.
- Verify that there is a vulnerability policy enabled, and that it has an action of Detect or Patch for a monitored application with active nodes. See Cisco Secure Application Policies.
- It is also possible that there are no vulnerabilities within the third-party libraries used within the monitored applications or observed in the application behavior.
Security Setting is Enabled and No Attacks Are Listed
- Confirm that there are active nodes in the Application view. See Monitor Security Status of Applications.
- Verify that there is an attack policy enabled, and that it has an action of Detect or Block for a monitored application with active nodes. See Cisco Secure Application Policies.
- It is also possible that there are no attacks detected in the monitored applications.
The Applications Page Displays the Node Not Active Message for an Active Node
The Cisco AppDynamics dashboard displays the node data even when the node is displaying as not active in the Cisco Secure Application Dashboard.
This issue may occur when there are multiple versioned Java Agent directories. The Java Agent can use the configuration from any one of the versioned directories while keeping the Jar file in the top-level (global) directory.
In this scenario, Cisco Secure Application may not consider the configuration from the same versioned directory. Therefore, to ensure that the Cisco Secure Application library uses the configuration from the same versioned directory, update the version of the directory using this property:
- For updating as a system property:
-Dmulti.tenant.agent.use.apm.config.version=<version-folder-name>
version-folder-name is the required versioned directory name. For example: -Dmulti.tenant.agent.use.apm.config.version=ver21.6.0.32672.
- For updating as an environment variable:
MT_AGENT_USE_APM_VERSION_PROPERTY=<version-folder-name>
version-folder-name is the required versioned directory name. For example: MT_AGENT_USE_APM_VERSION_PROPERTY=ver21.6.0.32672.
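The following script is an added example, not part of the Cisco documentation. It checks a Java Agent home for the condition described above: several versioned directories with no configuration version pinned, or a pin that names a directory that does not exist. It assumes versioned directories sit directly under the agent home and match ver*, as in the page's example; the function names and the order in which the two settings are read are choices of this script.

```shell
#!/bin/sh
# Added example: flag a Java Agent home that has several versioned
# directories and no pinned configuration version.
# Assumption: versioned directories sit directly under the agent home and
# match "ver*", like the page's example ver21.6.0.32672.

# Print the versioned directory names under agent home $1, one per line.
list_version_dirs() {
    for d in "$1"/ver*/; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# Print the pinned version: the environment variable if set, otherwise the
# system property found in the JVM argument string $1. This order is this
# script's choice; the page does not state which setting takes precedence.
pinned_version() {
    if [ -n "${MT_AGENT_USE_APM_VERSION_PROPERTY:-}" ]; then
        printf '%s\n' "$MT_AGENT_USE_APM_VERSION_PROPERTY"
        return 0
    fi
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n 's/^-Dmulti\.tenant\.agent\.use\.apm\.config\.version=//p' | tail -n 1
}

# 0 = one versioned directory or a valid pin, 1 = several directories and no
# pin, 2 = the pin names a directory that does not exist under the agent home.
check_apm_config_version() {
    home=$1
    pin=$(pinned_version "${2:-}")
    count=$(list_version_dirs "$home" | wc -l | tr -d ' ')
    if [ -n "$pin" ] && [ ! -d "$home/$pin" ]; then
        echo "pinned version directory not found: $home/$pin" >&2
        return 2
    fi
    if [ "$count" -gt 1 ] && [ -z "$pin" ]; then
        echo "multiple versioned directories and no version pinned:" >&2
        list_version_dirs "$home" >&2
        return 1
    fi
    return 0
}

# Usage: sh <this-script> <agent-home> "<jvm-arguments>"
if [ "$#" -gt 0 ]; then
    check_apm_config_version "$@"
fi
```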
Splunk Integration - Connection Issue
All traffic originating from the Oregon Datacenter environment will have one of the following source IP addresses:
To view the current lists of Cisco AppDynamics SaaS IP ranges and domains for each region, see SaaS Domains and IP Ranges.