On the TPS device via CLI:
 
  1. Ensure that the device is not already managed by another SMS: "show sms".
  2. Ensure that the SMS management setting is not locked to a specific SMS: "show config sms". If you need to clear this setting, run the "conf t sms no must-be-ip" command.
  3. Ensure that the command "host ip-filter" is not blocking your IP address. To view the configuration, run the command "show config host". The "show host" command shows the last IP address filtered by the "host ip-filter" rules. Modify the rules with the command "conf t host ip-filter".
  4. Check the system time on the device: "sh clock", "sh con clock", "sh sntp", "sh con sntp", "sh ntp", and "sh con ntp". The system time should match that of the SMS (within a minute or two). The best practice is to point the device to the SMS for time sync.
  5. Verify SNMP settings on IPS.
    1. "sh snmp"
    2. "sh con snmp"
    3. "debug show ini -k user [SMS]"
Network Configuration:
 
  1. Verify which network ports (TCP/UDP) are open between the SMS and the IPS/TPS device(s). For additional information, see https://success.trendmicro.com/solution/TP000085738
  2. If the Ping command is supported, ping between the device(s) and the SMS in both directions to ensure proper network routing.
  3. Confirm the logical network topology and design for the management network relative to the IPS device(s) and the SMS appliance(s).
  4. Ensure that both switch port and IPS management interfaces are negotiated at Full Duplex. ("show int mgmt" for IPS)
  5. Verify that the MTU size between the SMS and the IPS is at least 1500. (However, over some WAN(s), the SMS's MTU may need to be lowered for Legacy IPS.)
  6. Verify any network tunneling and what type(s) are implemented between the IPS device management interface and the SMS management interface. (This can impact MTU.)
    1. For SMS, "ping -M do -s 1472 <Device IPv4>" (With the default 28 bits of ICMP header, these packets should be MTU 1500.)
    2. For IPS/TPS, "ping <SMS IPv4>"
  7. Verify the network interface and MTU settings on the SMS. (This step can be skipped if #11 succeeded without fragmented packets.)
    1. "get net"
    2. "ifconfig eth0 mtu" or "get net.mtu"
    Important: If the MTU on the SMS is lower than 1500, contact the TAC for instructions.
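
The MTU checks in steps 5 and 6 can be scripted on any Linux host with iputils ping. The following is an added example, not part of the original article or of the SMS/TPS CLI: it derives the 1472-byte payload (1500 minus a 20-byte IPv4 header and an 8-byte ICMP header) and classifies the ping result. The function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret a DF-bit ping ("ping -M do -s <size>") on a Linux host.
# Assumes iputils ping message formats and an IPv4 header without options.

# Largest ICMP echo payload that fits unfragmented in an IPv4 packet of MTU $1:
# MTU minus 20-byte IPv4 header minus 8-byte ICMP header.
icmp_payload_for_mtu() {
    echo $(( $1 - 20 - 8 ))
}

# Read ping output on stdin; print "ok", "too-big <mtu>" or "no-reply".
classify_df_ping() {
    out=$(cat)
    # A hop (or the local stack) names the limiting MTU when DF blocks the packet.
    mtu=$(printf '%s\n' "$out" | sed -n \
        -e 's/.*[Ff]rag needed and DF set (mtu = \([0-9][0-9]*\)).*/\1/p' \
        -e 's/.*[Mm]essage too long, mtu=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$mtu" ]; then
        echo "too-big $mtu"
    elif printf '%s\n' "$out" | grep -Eq '[1-9][0-9]* (packets )?received'; then
        echo "ok"
    else
        # Silent loss: routing, filtering, or ICMP errors dropped along the path.
        echo "no-reply"
    fi
}

# For a "too-big <mtu>" result, print the payload size to retry with.
next_payload() {
    case "$1" in
        too-big\ *) icmp_payload_for_mtu "${1#too-big }" ;;
    esac
}

# Constructed sample outputs (not captured from a real SMS or device).
SAMPLE_OK='1480 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=0.61 ms
1 packets transmitted, 1 received, 0% packet loss, time 0ms'
SAMPLE_TUNNEL='From 192.0.2.1 icmp_seq=1 Frag needed and DF set (mtu = 1400)
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms'
SAMPLE_LOCAL='ping: local error: message too long, mtu=1400'
SAMPLE_DROP='2 packets transmitted, 0 received, 100% packet loss, time 1001ms'

for s in "$SAMPLE_OK" "$SAMPLE_TUNNEL" "$SAMPLE_LOCAL" "$SAMPLE_DROP"; do
    r=$(printf '%s\n' "$s" | classify_df_ping)
    echo "result=$r retry_payload=$(next_payload "$r")"
done
# Live use: ping -M do -c 3 -s "$(icmp_payload_for_mtu 1500)" <Device IPv4> 2>&1 | classify_df_ping
```

A "too-big" result with an MTU below 1500 points at tunneling or WAN overhead on the management path; "no-reply" sends you back to the port and routing checks in steps 1 and 2.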
From the SMS
 
  1. Verify synchronized time and time zone settings between the SMS and the device(s) in question. "get time", "get ntp"
  2. Check whether the SMS SSL certificate was recently updated.
  3. Test SNMP from the SMS for the device in question.
    1. snmpwalk -v 2c -c tinapc <Device IPv4>
    2. get device.debug-ips-snmp?<IPS IPv4 Address>
    3. get device.debug-ips-soap?IP_address_of_IPS
Errors reported on the SMS?
 
  1. Possible example error #1: An error has occurred: Security zone for port 1 does not exist.
  2. Possible example error #2: An error has occurred: Failed to get ips security zones: <device's mgmt. IP address> socket timed out: Read timed out
Other Troubleshooting steps (working with TAC is highly recommended):
 
  1. Packet capture / tcpdump from SMS while managing the IPS. "tcpdump -i eth0 -s 0 host IP_address_of_IPS -w /mgmt/client/tmp/manage-device.pcap"
    1. Note: SMS service mode is required in order to perform network captures using tcpdump. (TAC required)
    2. Note: The network traffic capture file may be downloaded from the SMS either via HTTPS or from the SMS GUI under "Admin > Reports and Archives".
  2. If necessary, perform IPS Filter Reset on IPS.
    1. Note: Ensure that the IPS device is not busy before this activity by issuing the following CLI command: "debug busy-wait"
    2. Note: It is recommended to place the device into manual Layer-2 Fallback (L2FB) before performing a filter reset; otherwise, if the device is busy, then performing a filter reset without first enabling manual L2FB may result in a device crash.
    3. Note: It is recommended to collect the entire output of the "show config" CLI command in order to capture the virtual segment configuration before performing the filter reset.
    4. Note: An organizational maintenance change request is recommended before performing this activity.
  3. Reboot the IPS device.
    1. Note: An organizational maintenance change request is recommended before performing this activity. (May be the same as the previous step.)
    2. Note: If a reboot has already been performed, then perform a full reboot to re-initialize the hardware.
  4. If necessary, perform a factory reset on the IPS via command line, "debug factory-reset".
    1. Note: An organizational maintenance change request is recommended before performing this activity. (May be the same as the previous step.)
HELPFUL COMMANDS:
 

SMS

  • get sw
  • snmpwalk -v 2c -c tinapc IP_address_of_IPS #(version 2c; community string 'tinapc')
  • get device.debug-ips-snmp?IP_address_of_IPS
  • get device.debug-ips-soap?IP_address_of_IPS
  • tcpdump -i eth0 -s 0 host IP_address_of_IPS -w /mgmt/client/tmp/manage-device.pcap #(file can be downloaded from SMS via HTTPS)
  • ping -M do -s 1472 IP_address_of_IPS

Windows

  • ping -f -l 1500 IP_address_of_IPS