Refer to the following logs:

2023-01-30 03:30:03 INFO update type: auto, auto update enable: true, auto update day: 0, auto update time: 23:00, image uri: https://sg-v1-sg-cdt-log.s3.ap-southeast-1.amazonaws.com/sg-va/master/1.0.0.10144/upgrade-service-gateway-1.0.0.10144.tar.gz?{hide_some_private_parameters}, image size: 1083117543, image sha256: f55b16b9650b3f67845b2d95cd7ba9cb0c88749c55277c8040aeb9835e1bb095, appliance bandwidth control enable: true, appliance bandwidth: 10000KB, target appliance version: 1.0.0.10144.

......

2023-01-30 03:30:06 ERROR fail to refresh docker client credential to access aws ECR for appliance firmware or container image upgrade., return code[2]

2023-01-30 03:30:06 INFO cleanup history download appliance firmware images.

--2023-01-30 03:30:06--  https://sg-v1-sg-cdt-log.s3.ap-southeast-1.amazonaws.com/sg-va/master/1.0.0.10144/upgrade-service-gateway-1.0.0.10144.tar.gz?{hide_some_private_parameters}

......

ERROR: cannot verify sg-v1-sg-cdt-log.s3.ap-southeast-1.amazonaws.com's certificate, issued by ‘/C=US/ST=CA/L=CU/O=TREND/OU=IWS/CN=TREND.IWS.2’:

  Self-signed certificate encountered.

To connect to sg-v1-sg-cdt-log.s3.ap-southeast-1.amazonaws.com insecurely, use `--no-check-certificate'.

2023-01-30 03:30:06 ERROR fail to download the appliance firmware image for version 1.0.0.10144 from https://sg-v1-sg-cdt-log.s3.ap-southeast-1.amazonaws.com/sg-va/master/1.0.0.10144/upgrade-service-gateway-1.0.0.10144.tar.gz?{hide_some_private_parameters}

2023-01-30 03:30:06 INFO will pull new container image 049597112809.dkr.ecr.ap-southeast-1.amazonaws.com/magicbox/sg-ads-container:1.0.0.10022.

Error response from daemon: Get https://049597112809.dkr.ecr.ap-southeast-1.amazonaws.com/v2/: x509: certificate signed by unknown authority

Refer to the following analysis:

  • Service Gateway 1.0 uses the FQDN "sg-v1-sg-cdt-log.s3.ap-southeast-1.amazonaws.com" to update the firmware package for the Service Gateway Virtual Appliance.
  • In a network environment that uses a Web Application Firewall (WAF) or Layer 7 firewall, when the connection between the Service Gateway and the cloud server passes through that device and the device replaces the cloud server's certificate, the Service Gateway process aborts the connection.
  • In this case, the key log line is "ERROR: cannot verify sg-v1-sg-cdt-log.s3.ap-southeast-1.amazonaws.com's certificate, issued by ‘/C=US/ST=CA/L=CU/O=TREND/OU=IWS/CN=TREND.IWS.2’:", which means a WAF/firewall is replacing the certificate on the HTTPS connection.

To resolve this issue:

  1. Bypass the FQDN from the WAF/firewall, so the connection will not be handled by either.
  2. For this case, bypass "sg-v1-sg-cdt-log.s3.ap-southeast-1.amazonaws.com" from the IWS product.

The following provides a self-diagnostic method to narrow down a network issue.

  1. Run the "connect" command to verify the DNS and some cloud servers.

    If "connect" fails, use the "configure" command to check the reason.

  2. Use the DNS setting to verify the FQDN.

    For different regions, please refer to this Help Center article, Ports and URLs Used by the Service Gateway Virtual Appliance, to find the regional FQDN and verify it.

  3. Connect to the Service Gateway registration service. For this command, an HTTP 200 response is the correct result.

  4. Connect to the Service Gateway Configuration service. For this command, an HTTP 404 response is the correct result.

If you are not able to find the root cause, collect the logs from the CLI console and contact Trend Micro Support.

Refer to the following logs:

2023-02-14 05:17:04 INFO task content :{"taskType": "upgradeAppliance", "targetVersion": "2.0.8.10448", "firmwarePath": "https://upload.xdr.trendmicro.com/sgi/appliance/2.0.8.10448/sg-va-2.0.8.10448.tar.xz?{hide_some_private_parameters}", "firmwareSha256": "947808362d063102387f6bfac12147af2c5a75fc787fe384b60553db26cd45a6", "taskId": "6ef532a9-7078-4c02-8836-XXXXXXXXXXXX", "token": {token}, "url": "api.xdr.trendmicro.com//external/v2/direct/sgi/external/sgi/api/v1/appliance/937919b6-67a3-4337-be92-XXXXXXXXXXXX/task"}

......

2023-02-14 05:17:04 INFO appliance execute task is {"taskType": "upgradeAppliance", "targetVersion": "2.0.8.10448", "firmwarePath": "https://upload.xdr.trendmicro.com/sgi/appliance/2.0.8.10448/sg-va-2.0.8.10448.tar.xz?{hide_some_private_parameters}", "firmwareSha256": "947808362d063102387f6bfac12147af2c5a75fc787fe384b60553db26cd45a6", "taskId": "6ef532a9-7078-4c02-8836-63627422de74", "token":  {token}, "url": "api.xdr.trendmicro.com//external/v2/direct/sgi/external/sgi/api/v1/appliance/937919b6-67a3-4337-be92-XXXXXXXXXXXX/task"}

--2023-02-14 05:17:05--  https://upload.xdr.trendmicro.com/sgi/appliance/2.0.8.10448/sg-va-2.0.8.10448.tar.xz?{hide_some_private_parameters}

Resolving upload.xdr.trendmicro.com (upload.xdr.trendmicro.com)... 54.192.18.10, 54.192.18.27, 54.192.18.39, ...

Connecting to upload.xdr.trendmicro.com (upload.xdr.trendmicro.com)|54.192.18.10|:443... connected.

HTTP request sent, awaiting response... 200 OK

……

2023-02-14 05:29:26 (47.3 KB/s) - Read error at byte 35340122/1553804028 (Connection reset by peer).

2023-02-14 05:29:26 INFO download firmware package response 1

2023-02-14 05:29:26 ERROR firmware sha256 is difference download:87135ce6ce0ea3c88b0a1f30970a975336729f47a1e1bcfc3dd21ceda21f977e, firmware:947808362d063102387f6bfac12147af2c5a75fc787fe384b60553db26cd45a6

Refer to the following analysis:

  • According to the debug logs, the connection was "reset" while the Service Gateway was downloading the firmware package, so the Service Gateway reported a mismatched SHA-256 for the firmware file.
  • The issue is caused by a network bandwidth issue.

To resolve this:

  1. Configure the Service Gateway to update firmware during idle time.
  2. Consult the network administrator to isolate the network issue.
  3. Increase the network bandwidth.

If you are not able to find the root cause, collect the logs from the CLI console and submit a new case to Trend Micro Support.
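
The two analyses above (a certificate replaced in transit, and a download cut short before the SHA-256 check) can be told apart mechanically from the debug log. The following log triage script is an added example, not Trend Micro code; the function name, the finding labels and the EXPECTED_ISSUER_ORGS allow-list are assumptions, and the sample lines are copied from the logs on this page.

```python
import re

# Issuer organisations accepted for the update endpoints. This set is an
# assumption for the example; fill in the CAs you expect on your network.
EXPECTED_ISSUER_ORGS = {"Amazon"}

ISSUER_RE = re.compile(r"cannot verify (\S+?)'s certificate, issued by [‘'`](.+?)[’']")
X509_RE = re.compile(r"Get https://([^/\s]+)\S*: x509: certificate signed by unknown authority")
READ_ERR_RE = re.compile(r"Read error at byte (\d+)/(\d+)")
SHA_RE = re.compile(r"sha256 is difference download:([0-9a-f]+), firmware:([0-9a-f]+)")

# Lines copied from the logs on this page, abridged to the relevant entries.
SAMPLE = """\
ERROR: cannot verify sg-v1-sg-cdt-log.s3.ap-southeast-1.amazonaws.com's certificate, issued by ‘/C=US/ST=CA/L=CU/O=TREND/OU=IWS/CN=TREND.IWS.2’:
Error response from daemon: Get https://049597112809.dkr.ecr.ap-southeast-1.amazonaws.com/v2/: x509: certificate signed by unknown authority
2023-02-14 05:29:26 (47.3 KB/s) - Read error at byte 35340122/1553804028 (Connection reset by peer).
2023-02-14 05:29:26 ERROR firmware sha256 is difference download:87135ce6ce0ea3c88b0a1f30970a975336729f47a1e1bcfc3dd21ceda21f977e, firmware:947808362d063102387f6bfac12147af2c5a75fc787fe384b60553db26cd45a6
"""

def triage(log_text):
    """Return (kind, subject, detail) tuples for known upgrade failure causes."""
    findings, partial = [], None
    for line in log_text.splitlines():
        if m := ISSUER_RE.search(line):
            host, issuer = m.groups()
            # wget prints the issuer as /C=../O=../CN=..; split it into fields.
            dn = dict(p.split("=", 1) for p in issuer.split("/") if "=" in p)
            if dn.get("O") not in EXPECTED_ISSUER_ORGS:
                findings.append(("tls_interception", host,
                                 f"issuer O={dn.get('O')} CN={dn.get('CN')}"))
        elif m := X509_RE.search(line):
            findings.append(("untrusted_ca", m.group(1), "registry chain not trusted"))
        elif m := READ_ERR_RE.search(line):
            partial = (int(m.group(1)), int(m.group(2)))  # bytes received, total
        elif m := SHA_RE.search(line):
            got, want = m.groups()
            if got != want and partial:
                findings.append(("truncated_download", want,
                                 f"received {partial[0]} of {partial[1]} bytes"))
            elif got != want:
                findings.append(("digest_mismatch", want,
                                 "no read error logged before the mismatch"))
            partial = None  # the read error applies to one download only
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A "digest_mismatch" finding with no preceding read error is the case to escalate, because the file arrived in full but does not match the published SHA-256.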