The error message "Activation Failed (Agent/Appliance rejected generated certificate)" appears on the DSVA editor.

[Screenshot: Activation Failed]

In the DSM log file server0.log, located in %ProgramFiles%\Trend Micro\Deep Security Manager\, the following entries appear:

Jun 19, 2018 6:53:36 AM com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation activateIfNecessary
WARNING: ThID:291|TID:0|TNAME:Primary|UID:-1|UNAME:|Activation job failed. Reset certificate. Host ID: 77
com.thirdbrigade.manager.core.general.exceptions.AgentRejectionOfAgentCertificateException: Agent rejected agent certificate
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation.performActivation(HostUpdaterSessionForActivation.java:620)
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation.activateIfNecessary(HostUpdaterSessionForActivation.java:518)
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation.establishCommandProtocolSession(HostUpdaterSessionForActivation.java:324)
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterJob.onRun(HostUpdaterJob.java:647)
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.Job.run(Job.java:183)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

The issue may be caused by the time configuration on the DSVA. The appliance inherits its clock from the ESXi host, and certificate validation compares the certificate's validity period against the local clock, so a skewed appliance clock can cause a freshly generated certificate to be rejected. It is recommended to use an NTP server to synchronize the time and date. Moreover, it is best practice to keep the time and date of the whole vSphere environment in sync.

  1. In the vSphere Web Client, navigate to the host in the vSphere inventory.
  2. Select Manage, and select Settings.
  3. Under System, select Time configuration and click Edit.
  4. Select an option for setting the time and date of the host. For more information, you may refer to this VMware article: Edit time configuration for a host.
  5. Manually activate and upgrade the DSVA on the DSM console.
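The following is an added example, not Trend Micro code and not part of the original article. It shows offline what the two conditions above look like in code: measuring how far a local clock is from an NTP reference (RFC 4330 SNTP offset calculation over a constructed server reply), and checking whether a certificate whose validity window starts "now" on the manager is still in the future according to the skewed appliance clock. The SNTP reply, the timestamps, and the certificate validity window are all constructed values; the manager and appliance do not expose this logic as an API.

```python
"""Clock skew versus certificate validity: added example, not Trend Micro code.
The SNTP reply is constructed inline so the check runs offline."""
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH_DELTA = 2208988800          # seconds between 1900-01-01 and the Unix epoch
SNTP_FORMAT = "!BBBbII4sQQQQ"         # RFC 4330 48-byte packet layout


def to_ntp(unix_seconds):
    """Encode Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    value = unix_seconds + NTP_EPOCH_DELTA
    whole = int(value)
    fraction = int((value - whole) * (1 << 32))
    return (whole << 32) | (fraction & 0xFFFFFFFF)


def from_ntp(value):
    """Decode a 64-bit NTP timestamp back to Unix seconds (float)."""
    return (value >> 32) + (value & 0xFFFFFFFF) / (1 << 32) - NTP_EPOCH_DELTA


def build_sntp_reply(t1, t2, t3):
    """Constructed server reply: LI=0, VN=4, Mode=4, stratum 2.
    originate=t1 (client send), receive=t2, transmit=t3, all Unix seconds."""
    return struct.pack(SNTP_FORMAT, 0x24, 2, 6, -20, 0, 0, b"GPS\x00",
                       to_ntp(t2), to_ntp(t1), to_ntp(t2), to_ntp(t3))


def parse_sntp_reply(packet):
    """Return the originate/receive/transmit timestamps of a server-mode reply."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    fields = struct.unpack(SNTP_FORMAT, packet[:48])
    if fields[0] & 0x07 != 4:
        raise ValueError("not a server-mode (mode 4) reply")
    if fields[1] == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    return {"t1": from_ntp(fields[8]), "t2": from_ntp(fields[9]), "t3": from_ntp(fields[10])}


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset; positive means the local clock is behind the server."""
    return ((t2 - t1) + (t3 - t4)) / 2


def certificate_status(not_before, not_after, local_now):
    """How a validator would judge the certificate using the given local clock."""
    if local_now < not_before:
        return "not_yet_valid"
    if local_now > not_after:
        return "expired"
    return "valid"


def diagnose(packet, t1, t4, not_before, not_after, local_now):
    """Combine the measured skew with the certificate window (all constructed inputs)."""
    reply = parse_sntp_reply(packet)
    offset = clock_offset(t1, reply["t2"], reply["t3"], t4)
    corrected = local_now + timedelta(seconds=offset)
    return {
        "offset_seconds": offset,
        "status_with_local_clock": certificate_status(not_before, not_after, local_now),
        "status_with_corrected_clock": certificate_status(not_before, not_after, corrected),
    }


def sample_scenario():
    """Constructed scenario: the appliance clock is 300 s behind the NTP server,
    and the manager issued a certificate whose notBefore is 2 min ahead of that clock."""
    true_now = 1529391216.0                 # constructed Unix time (June 2018)
    skew = 300.0
    t1 = true_now - skew                    # client send, read from the slow clock
    t2, t3 = true_now + 0.01, true_now + 0.02
    t4 = true_now - skew + 0.03             # client receive, slow clock again
    packet = build_sntp_reply(t1, t2, t3)
    not_before = datetime(2018, 6, 19, 6, 53, 36, tzinfo=timezone.utc)  # constructed
    not_after = not_before + timedelta(days=365)
    appliance_now = not_before - timedelta(seconds=120)
    return diagnose(packet, t1, t4, not_before, not_after, appliance_now)


if __name__ == "__main__":
    for key, value in sample_scenario().items():
        print(f"{key}: {value}")
```

With the appliance clock behind, the status with the local clock is "not_yet_valid", which is the condition under which a freshly generated certificate is refused; after applying the measured offset it becomes "valid". In practice the fix is to correct the host's time source as in the steps above, not to adjust the certificate.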

On the vSphere Web Client > Networking and Security > Installation > Service Deployments, the service status shows "Unknown".

[Screenshot: Unknown status]

To resolve the issue:

  1. If the Port Group is set to "Specified on Host" during Deep Security service deployment, check if the host's Agent VM settings are correct.

    [Screenshot: Port group is set to "Specified on Host"]

    1. Select the host in the vSphere Web Client inventory.
    2. Click the Configure tab, then select Agent VM Settings.

    [Screenshot: Check the Agent VM settings]

  2. Confirm that the appliance is getting the correct IP address. If you are using an IP pool, make sure that the Gateway and DNS information are correct and that the IP address range is not already assigned to other devices.

    [Screenshot: Check IP pool]

    [Screenshot: Check IP address]

    To quickly verify that the IP address is bound to the DSVA, do the following steps:

    1. Open a command prompt on the Deep Security Manager (DSM) server.
    2. Run the following command to display the ARP cache entry of the DSVA IP.
      arp -a <DSVA IP address>

      [Screenshot: Display ARP cache entry]

    3. In the vSphere Web Client, click the DSVA under Hosts and Clusters, then go to Summary > VM Hardware. Click the drop-down button beside Network Adapter. Verify that the MAC address is the same as the one returned by the arp command run earlier. If it is not, the IP address is being used by another device on the network.

    [Screenshot: Verify the MAC address]

  3. If all networking configurations are already correct, restart the DSVA from the vSphere web client, then reactivate and upgrade manually from the DSM console. Otherwise, redeploy the Deep Security Service in the NSX Manager Service Deployments page.
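The ARP comparison in step 2 above, as an added example that is not part of the original article and not Trend Micro code: it parses `arp -a` output, normalizes the MAC notation (Windows prints dashes, vSphere shows colons), and reports whether the MAC learned for the DSVA's IP matches the one shown in VM Hardware, so an IP conflict is flagged rather than missed because of a formatting difference. It assumes the DSM server is Windows (the command prompt in the steps) but also accepts Linux `arp -a` rows; the sample output is constructed.

```python
"""Compare the MAC learned via ARP for the DSVA IP with the MAC shown in vSphere.
Added example, not Trend Micro code; SAMPLE_WINDOWS_ARP below is constructed."""
import re
import subprocess

# Windows `arp -a` row:  "  10.0.0.5    00-50-56-ab-cd-ef   dynamic"
WINDOWS_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)", re.M)
# Linux `arp -a` row:    "? (10.0.0.5) at 00:50:56:ab:cd:ef [ether] on eth0"
LINUX_ROW = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")

# Constructed sample of Windows `arp -a` output for a DSVA at 10.0.0.5.
SAMPLE_WINDOWS_ARP = """
Interface: 10.0.0.20 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.5              00-50-56-ab-cd-ef     dynamic
"""


def normalize_mac(mac):
    """Lower-case, colon-separated form so dash and colon notations compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_arp_output(text):
    """Map IP -> normalized MAC for every resolved entry in Windows or Linux output.
    Incomplete Linux entries ('at <incomplete>') have no MAC and are skipped."""
    entries = {}
    for ip, mac, _type in WINDOWS_ROW.findall(text):
        entries[ip] = normalize_mac(mac)
    for ip, mac in LINUX_ROW.findall(text):
        entries[ip] = normalize_mac(mac)
    return entries


def check_dsva_mac(arp_text, dsva_ip, vsphere_mac):
    """'match' if ARP agrees with vSphere, 'mismatch' if another device answers
    for the IP, 'no_entry' if the DSM has not resolved the address at all."""
    entries = parse_arp_output(arp_text)
    if dsva_ip not in entries:
        return "no_entry"
    return "match" if entries[dsva_ip] == normalize_mac(vsphere_mac) else "mismatch"


def run_arp(ip):
    """Run the same command as the article's step 2 and return its output."""
    return subprocess.run(["arp", "-a", ip], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # The vSphere MAC would be read from Summary > VM Hardware; this value is constructed.
    print(check_dsva_mac(SAMPLE_WINDOWS_ARP, "10.0.0.5", "00:50:56:AB:CD:EF"))
```

A "mismatch" result is the situation described in step 3 above: another device is answering for the DSVA's IP address, and the IP pool or static assignment needs correcting before reactivating. A "no_entry" result means the DSM has not exchanged traffic with that address yet; ping it first or check the route.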