Troubleshooting and Best Practices
These are some of the errors that you can encounter. For more troubleshooting information, see sk111060 - ATRG: vSEC / CloudGuard for VMware NSX.
Service Registration: Not connected to a known vCenter

This error shows when you select an NSX Security Gateway for Service Registration:

Make sure that the host name of the vCenter (which was registered to the NSX Manager) is used when creating the vCenter Data Center object. If the names are different, then the CloudGuard CLI cannot recognize the connection between the NSX Management Server and the vCenter Server.
Service Registration: Failed to Create Service

This error shows:

Make sure that the NSX Manager and the Security Management Server or Multi-Domain Server can communicate using port 443.
Service Registration: Failed to Locate OVF File

This message shows:

- Make sure that a /ve folder is configured.
- You can also download the OVF file to a different folder location.
Go to CloudGuard VMware Service Manager > Change Global Configuration > Manage Service OVF's and configure as necessary.
Service Deployment Failure

This error shows when there is a service deployment failure:

Make sure the OVF files can be reached from the vCenter Server.
Make sure you are using the correct OVF files.

- In the VMware vSphere Web Client, navigate to Home > Networking and Security > Installation > Service Deployments.
- Click on Status in the Installation status column of the relevant service.
- Click Resolve to power on the CloudGuard Gateway.
Cannot Call Security Solution

This error shows when you cannot call a security solution:
Error "Unable to call security solution , please check security solution configuration: Error during REST callback : PUT to the registered ServiceManager at : https:// <Service Manager Address>/vmware/2.0/agents/ caused by : I/O error: No route to host; nested exception is java.net.NoRouteToHostException: No route to host. Deployment Plugin execution failed"

The NSX Manager Server failed to correctly communicate with the Check Point Security Management Server or Multi-Domain Server.

Step | Description |
---|---|
1 | Make sure the Check Point Security Management Server or Multi-Domain Server is powered on. |
2 | Make sure the Security Management Server or Multi-Domain Server process is up and running: |
3 | Make sure the NSX Manager Server can communicate with the Security Management Server or Multi-Domain Server using port 443. Communication to the Check Point Security Management Server or Multi-Domain Server goes to port 443, and then is redirected to port 8443. Port 8443 is used by the Security Management Server or Multi-Domain Server process. |
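
The steps above can be narrowed down with a TCP probe of ports 443 and 8443, run from a machine on the same network as the NSX Manager. This is an added example, not a Check Point or VMware tool; the script name, the outcome names and the advice mapping are assumptions, and it tests TCP reachability only, not the REST callback itself.

```python
import errno
import socket
import sys

# Ports from the text above: 443 is the entry point, and 8443 is the
# management process port that 443 redirects to.
PORTS = (443, 8443)

# Assumed mapping of each outcome to a likely cause (heuristic, added here).
ADVICE = {
    "open": "TCP path works",
    "no-route": "no route to host: is the server powered on and routed? (step 1)",
    "refused": "host answers, port closed: is the process running? (step 2)",
    "timeout": "no reply: look for a firewall or ACL dropping the port (step 3)",
    "dns-failure": "name does not resolve: check DNS or use the IP address",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "dns-failure"
    except OSError as exc:
        # EHOSTUNREACH is what Java surfaces as NoRouteToHostException.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "no-route"
        return "error"


def diagnose(host, ports=PORTS, timeout=3.0):
    """Return {port: (state, advice)} for every port probed."""
    report = {}
    for port in ports:
        state = probe(host, port, timeout)
        report[port] = (state, ADVICE.get(state, "unexpected socket error"))
    return report


if __name__ == "__main__":
    # Usage: python3 probe.py <management server address>
    for port, (state, advice) in diagnose(sys.argv[1]).items():
        print(f"{port}/tcp {state}: {advice}")
```

A "no-route" result reproduces the condition in the error text above; "refused" on 8443 with 443 open points at the management process rather than the network.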
Agent VM on Host is Expected to be Powered On

This error shows when there is a powered off CloudGuard Gateway Virtual Machine on one of the hosts:

Step | Description |
---|---|
1 | In the VMware vSphere Web Client, go to Home > Networking and Security > Installation > Service Deployments. |
2 | Click Status in the Installation status column of the relevant service. |
3 | Click Resolve to turn on the CloudGuard Gateway. |
Agent VM is Missing on Host

This error shows when there is an ESXi host server without a CloudGuard Gateway deployed on it:
Agent VM is missing on host {host.name} ({agencyName})

Step | Description |
---|---|
1 | In the VMware vSphere Web Client, open Home > Networking and Security > Installation > Service Deployments. |
2 | Click Status in the Installation status column of the relevant service. |
3 | Click Resolve to try the CloudGuard Gateway deployment again. |
Agent VM Settings on Host are Missing

This error shows:
No agent datastore/network configuration on host

The CloudGuard Gateway cannot be deployed, due to missing host server configurations. Set Agent VM settings. See Configuring Agent VM Host Settings.
If the Service VM agent is not deployed, follow these steps to re-initiate the deployment:
Step | Description |
---|---|
1 | In the VMware vSphere Web Client, open Home > Networking and Security > Installation > Service Deployments. |
2 | Click Status in the Installation status column of the relevant service. |
3 | Click Resolve to try the CloudGuard Gateway deployment. |
Automatic Provisioning Failed to Create Management Network Objects

After three failures, the auto provisioning feature stops trying to create objects in SmartConsole. Every 10 minutes all the deployed CloudGuard Gateways are matched with the NSX Manager database and created or deleted.
This error shows:
Error Failed creating cluster object. Maximum retries exceeded for object. Please configure the object manually

Step | Description |
---|---|
1 | Edit the Set |
2 | Make sure the Security Management Server or Multi-Domain Server and the CloudGuard Gateway have the same date, time, and timezone. Run: If they are not the same, run: |
3 | Remove failed objects in SmartConsole or the GuiDBedit Tool. |
4 | Reset SIC initialization. On the CloudGuard Gateway, run: |
5 | Wait at least ten minutes for the objects to be created. |
CloudGuard for NSX Administration Guide