- Check the description of the error why the activation failed. Most of the time, the problem is self-explanatory.
- Check if the Deep Security Manager (DSM) is able to resolve the hostname or FQDN of the agent.
The name of the machine that appears in the computers section is the one used by DSM to communicate with the agent.
C:\> nslookup Win7-32.seg.local
Server: seg-dc.seg.local
Address: 10.10.1.1
Name: Win7-32.seg.local
Address: 10.10.1.200
- Check if DSA is able to resolve the hostname or FQDN used by the server. You can find the DSM name used for communication by logging into the web console and going to System > System Information > System Activity > Deep Security Manager object.
C:\> nslookup dsm.test.com
Server: dc.test.com
Address: 10.10.1.1
Name: dsm.test.com
Address: 10.10.1.50
- Check and make sure that the system time for DSA and DSM are synchronized.
- Check the DSA and make sure that it is not activated or registered to another Deep Security Manager.
- To check if DSA is activated or not:
- Go to the \Program Files\Trend Micro\Deep Security Agent install directory.
- Look for these three (3) files:
- config.bin
- ds_agent.config
- ds_agent_dsm.crt
If these files are available, it means that the agent is already activated.
Alternatively, you may open the certificate file, ds_agent_dsm.crt, and go to the Details tab to verify the manager where the agent is activated from.
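The agent-side checks above can be run in one pass on the DSA machine. The PowerShell script below is an added example, not Trend Micro tooling; its parameter names are hypothetical. It assumes the agent is installed under %ProgramFiles%, that ds_agent_dsm.crt is a standard X.509 file that .NET can load, and that the DSM listens on port 4120 as in the activation URL used on this page.

```powershell
# Added example: agent-side pre-activation checks (not part of the product).
param(
    [Parameter(Mandatory=$true)] [string] $DsmHost,   # DSM hostname/FQDN shown in the DSM console
    [int]    $DsmPort    = 4120,                      # port taken from the dsm:// activation URL
    [string] $InstallDir = (Join-Path $env:ProgramFiles 'Trend Micro\Deep Security Agent')  # assumed location
)

# 1. Can this machine resolve the DSM name?
try {
    $ips = [System.Net.Dns]::GetHostAddresses($DsmHost) | ForEach-Object { $_.IPAddressToString }
    Write-Host "DNS  : $DsmHost -> $($ips -join ', ')"
} catch {
    Write-Warning "DNS  : cannot resolve $DsmHost ($($_.Exception.Message))"
}

# 2. Is the activation port reachable from the agent?
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DsmHost, $DsmPort)
    Write-Host "TCP  : ${DsmHost}:$DsmPort is reachable"
} catch {
    Write-Warning "TCP  : cannot connect to ${DsmHost}:$DsmPort ($($_.Exception.Message))"
} finally {
    $client.Close()
}

# 3. Which of the three activation files exist?
$names   = 'config.bin', 'ds_agent.config', 'ds_agent_dsm.crt'
$present = @($names | Where-Object { Test-Path (Join-Path $InstallDir $_) })
Write-Host "Files: $($present.Count) of $($names.Count) present in $InstallDir"
if ($present.Count -eq $names.Count) {
    Write-Warning 'Files: all three files found; the agent is already activated'
}

# 4. Show the certificate details and compare its validity window to the local clock.
$crtPath = Join-Path $InstallDir 'ds_agent_dsm.crt'
if (Test-Path $crtPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crtPath
    Write-Host "Cert : Subject = $($cert.Subject)"
    Write-Host "Cert : Issuer  = $($cert.Issuer)"
    Write-Host "Cert : Valid   = $($cert.NotBefore) .. $($cert.NotAfter)"
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning 'Cert : local time is outside the validity window; check time sync and expiry'
    }
}
```

Run it from an elevated prompt so the files in the agent directory are readable; it only reads state and does not reset or activate the agent.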
If the DSM where it is registered is no longer available, deactivate the DSA:
- Open a command prompt.
- Go to the \Program Files\Trend Micro\Deep Security Agent install directory.
- Run this command to reset and deactivate the agent: dsa_control.exe /r
- The message "Agent reset successfully" appears after successfully completing the command.
- Log on to the DSM web console.
- Do the following:
- For Deep Security 8.0 and below, go to System > System Settings > Computers tab.
- For Deep Security 9.0 and above, go to Administration > System Settings > Computers tab.
- Enable the Allow Agent Initiated Activation option and select For Any Computers.
- Go to the Deep Security Agent and open a command prompt.
- Go to the \Program Files\Trend Micro\Deep Security Agent installation directory.
- Run this command to activate the agent:
dsa_control.exe /a dsm://<hostname-FQDN>:4120/
The message "Command Session Completed" appears after successfully completing the command.
If you encountered an error when activating from the DSM web console, check the agent system events for any error message. If you encountered an error when activating the DSA locally, enable additional logging to determine the cause of the activation error.
- Go to the C:\Windows directory.
- Create a file named ds_agent.ini.
- Add this parameter to the file to enable debug logging:
trace=*
- Activate the agent using the command line method.
Common Issues Related to Agent Activation
Issue 1: Deep Security Manager hostname is not reachable
When this issue occurs, make sure the hostname can be resolved correctly.
Issue 2: Deep Security Manager certificate has already expired
To resolve this issue, make sure the date and time of both DSM and DSA are synchronized.
Issue 3: Duplicate name in the Deep Security Manager database
To resolve the issue, check for a possible duplicate hostname in the DSM web console and delete the duplicate name manually.
Issue 4: Possible corrupted database files on the Deep Security Agent
To resolve the issue:
- Reset the current DSA configuration by running this command under the ..\Program Files\Trend Micro\Deep Security Agent installation directory:
dsa_control.exe /r
- Stop the Trend Micro Deep Security Agent Service.
- Manually delete the following files under the Deep Security Agent folder:
- All files with *.db extension
- All files with *.crt extension
- Start the Trend Micro Deep Security Agent Service.
- Perform another agent activation and check the result.
Issue 5: Error in communicating with the vShield manager
You are unable to activate your DSVA because of an error in communicating with the vShield manager. You cannot connect to the vShield manager because of any of the following:
- The DSVA activation failed and shows "Error code: 3".
Activation Failed:
Registration of the Appliance with vShield Manager has failed.
There was an error in communication between the Deep Security Virtual appliance and the vShield Manager. Please try running this wizard again. (Error code: 3)
- There is a missing security certificate.
Unable to connect to the vShield Manager due to missing or invalid certificate. Please try to Add/Update Certificate before connecting.
If the alert only shows "Invalid credential for vShield Manager", just ensure that the username and password are typed correctly.
- There is a missing security VM on vShield Manager. Below is a sample correct endpoint tab showing DSVA as a Security VM:
- You are unable to ping DSVA from vShield manager or other computers.
To resolve the issue:
- Open your DSM console and highlight vCenter from the navigation pane.
- Right-click and select Properties.
- On the General tab, check if your settings are correct and click Test Connection. You will be notified if the connection is successful or not.
- On the vShield Manager tab, click the Add/Update Certificate... button, accept the changes and click Close.
- On the vShield Manager tab, click Test Connection. You will be notified if the connection is successful or not.
- On the DSM console select vCenter on the navigation pane and choose the affected DSVA. Reactivate the DSVA and verify if it is successful.
Issue 6: Activation Failed (Protocol Error) appears during VM activation
The error message "Activation Failed (Protocol Error)" appears when activating a virtual machine. Clicking on the error message will show the following details:
Level: Error
Event ID: 705
Event: Activation Failed
Event Origin: Appliance
Description:
An error occurred in the Deep Security Manager to Deep Security Agent/Appliance protocol: ProtocolException: Just created a virtual agent, queried for it, and it still thinks there is NO_SUCH_UUID, uuid: 4216367b-2ddb-78f1-f2fe-c7776ff0320c.
When a VM is created, the vCenter notifies the Deep Security Manager (DSM). This prompts the Master Agent in the Deep Security Virtual Appliance (DSVA) to instantiate a virtual agent for that VM.
The error occurs due to either of the following:
- The vCenter was unable to notify the DSM when the VM was deployed to ESX.
- The Master Agent failed to create a virtual agent for the VM.
To resolve the issue, reboot the DSVA before activating the VM:
- Log in to the vCenter using vSphere client.
- Look for the DSVA and press F2 to log in.
- Click Reboot System.
- Activate the VM.