Views:
To determine the root cause of the issue, we need to know where the information has become out of sync. We should check whether DSM is no longer in sync with the VC or if it is the DSVA that has gone out of sync with the VM.
First, you need to check the error message from the DSM console to figure out which VM and which interface has the issue.
  • Check the specific VM interfaces.
  1. Log on to the VM.
  2. Open a command prompt and type: ipconfig /all
  3. Double-check all the NICs and MAC addresses here. See if all the NICs have the correct driver and if they are working properly.
  • Check the VM interface information in vCenter.
  1. You can check the VM interface information from the Managed Object Reference (MoRef) in the vCenter Server. Access the VC MOB from the web browser and go to:
    https://<VC_SERVER>/mob/?moid=<OBJECT_ID>
    For example: https://192.168.100.100/mob/?moid=vm-1136&doPath=config
    Where:
    <VC_SERVER> is the FQDN or IP of the vCenter Server
    =<OBJECT_ID> is the ID of the object you are looking up
    You can refer to this VMWare KB article for more information on how to access the VC MOB: Looking up Managed Object Reference (MoRef) in vCenter Server
  2. Go to Config > extraConfig["ethernet0.filter0……"] > hardware to check all the NICs and MAC address.
  3. Compare the MAC addresses with Step 3 above (first bullet).
  • Check the vmx file and the VM interface information in DSM.
  1. Use the vCenter Server datastore browser to download the specific VM’s vmx file.
  2. Open the vmx file using Notepad and check the IPs, uuid.bios, and MAC addresses.
    For example:
    -----------------------------------------------------------------
    Check VM UUID
    – uuid.bios = "42 23 d6 5d f2 d5 22 41-87 41 86 83 ea 2f 23 ac"
    Check EPSec Settings
    – VFILE.globaloptions = "svmip=169.254.50.39 svmport=8888"
    – scsi0:0.filters = "VFILE“
    Check DvFilter Settings
    – ethernet0.filter0.name = "dvfilter-dsa"
    – ethernet0.filter0.onFailure = "failOpen"
    – ethernet0.filter0.param0 = "4223d65d-f2d5-2241-8741-8683ea2f23ac"
    – ethernet0.filter0.param2 = "1"
    – ethernet0.filter0.param1 = "00:50:56:A3:02:D8"
    ---------------------------------------------------------------------
  3. Go to the DSM dashboard, and then double-click the specific VM > Interfaces. Double-check the IPs and MAC addresses.
  4. Compare the IP and MAC address with the results from the other bullets above.
  • Check the VM interface information in DSVA.
  1. Use the vCenter Server datastore browser to download the specific VM’s vmx file.
  2. Open the vmx file using Notepad and check the uuid.bios value.
  3. Log on to the DSVA console and press “Alt + F2” to switch to command mode. Enter the DSVA username and password.
  4. Run the following command to verify if the VM’s interface was recognized by DSVA.
    cd /var/opt/ds_agent/guests/$uuid
    Note: Input your real uuid.bios here to replace “$uuid”.
    >/opt/ds_guest_agent/ratt if
    "ratt if" command
    The “ratt” command normally has this output if DSVA is able to recognize the VM NIC.
    "ratt" command output when DSVA is able to recognize the VM NIC
  5. Execute the “ifconfig –a” command to verify if the DSVA NIC settings and IP are configured correctly.
  6. Compare the IP and MAC address with the results from the bullets above.
You will need to fix this issue if any of the above items are out of sync.
Here are your workaround options:
Option I
When cloning an activated VM in Deep Security, you may encounter interface out-of-sync alert if you power on and activate VM. As a work around, clean the dvfilter settings before powering on the cloned VM.
--------------------------------------------------------
– ethernet0.filter0.name = "dvfilter-dsa"
– ethernet0.filter0.onFailure = "failOpen"
– ethernet0.filter0.param0 = "4223d65d-f2d5-2241-8741-8683ea2f23ac"
– ethernet0.filter0.param2 = "1"
– ethernet0.filter0.param1 = "00:50:56:A3:02:D8"
--------------------------------------------------------
Option II
  1. Suspend the specific VM and power it on again.
  2. Restart DSVA.
  3. Deactivate the VM and then activate it again.
Option III
vMotion the specific VM to a protected host and then clean the warning message.
Note: The vCenter must be connected to DSM all the time. Otherwise, the interface out of sync issue will happen often.
For further troubleshooting, do the following:
  1. Provide the result of Step 6 (bullet 4).
  2. Get the rattif.txt file from Step 4 (bullet 4).
  3. Get the output of the following commands:
    -------------------------------------------------
    $ ls -alR > /home/dsva/ls.txt
    $ netstat -an > /home/dsva/netstat.txt
    $ ps auxww > /home/dsva/ps.txt
    $ lsof > /home/dsva/lsof.txt
    $ ifconfig –a > /home/dsva/ifconfig.txt
    $ cp /var/log/syslog /home/dsva/syslog.txt
    --------------------------------------------------
  4. Get the diagnostic packages for DSM, DSA, and DSVA.
  5. Collect the following files:
    • rattif.txt
    • ls.txt
    • netstat.txt
    • ps.txt
    • lsof.txt
    • ifconfig.txt
    • syslog.txt
  6. Send the files to Trend Micro Technical Support.
In case you cannot find the VM’s MAC address from the output of the “ratt if” command, then use this workaround:
  1. Deploy a VM from a template in vCenter.
  2. Delete the existing NIC.
  3. Power on this VM, but there is no need to log on.
  4. Power off this VM.
  5. Add a new NIC.
  6. Power on VM.
Keywords: VM interface information,interface out of sync,interface information,interface error message,DSM not in sync with VC ,DSVA not in sync with VM