Understanding and troubleshooting 'Unhealthy' Service Gateway status

Product / Version includes:

Trend Vision OneAll

Last updated: 2024/04/23

Solution ID: KA-0013960

Category: Troubleshoot

Summary

The Service Gateway maintains a heartbeat signal to the Vision One Cloud every 30 seconds to 5 minutes. If the cloud fails to receive a heartbeat for up to 5 minutes, the Service Gateway's status will be marked as unhealthy.

As a result, it is not uncommon for the Service Gateway to occasionally become unhealthy and then return to normal after a short period of time. This article will enumerate some known causes of this issue.

EXPAND ALL

Incorrect system time

One possible reason for "unhealthy" status could be an incorrect Service Gateways system time.

Service Gateway backend should be UTC+0 time zone.

If time is incorrect, Service Gateway will disconnect Vision One and show "unhealthy" status.

To resolve this, add Service Gateway's NTP server by using the following Service Gateway command, then sync time to make sure Service Gateway system time is correct.

# configure ntp {NTP server address}

Kubernetes service does not start because the certificate is expired

When connecting to the Service Gateway to enable the administrative functions, the following error is received:

"Kubernetes service starting. Wait a few minutes and try again. (3)"

Extracted CDT package from service gateway and found the following entries which lines up with when the SG went offline:

"Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-12-02T09:09:20Z is after 2022-11-28T23:08:50Z"

To resolve this, contact Trend Micro Technical Support to get the account login information.
For Service Gateway 1.0:

For Service Gateway 2.0:

Execute the command "microk8s refresh-certs", and wait for it to finish.
Reboot the OS.
Execute the command "microk8s refresh-certs --cert /var/snap/microk8s/current/certs/server.crt", and wait for it to finish.
Reboot the OS.

Network issue

During upgrades of the Vision One Cloud, the heartbeat tunnel may be unstable for a couple of minutes.
When Service Gateway is performing an upgrade, the duration of the process depends on the CPU/RAM/Disk/Network performance and the number of services installed. This may last from 30 minutes to 5 hours. During the upgrade, the heartbeat will not be sent until the network is reconfigured and the appliance configuration is reapplied, which may lead the Cloud to detect it as unhealthy.
If the network is unstable and a single heartbeat delivery fails, the heartbeat is not designed to retry to prevent message flood. If the only heartbeat message is lost within 5 minutes due to network throttling, the Cloud may mark it as unhealthy too.
If the Service Gateway is under high load and the CPU/RAM/Disk is under high load, the heartbeat thread may be hung too long, exceeding 5 minutes.
Run "show sg" command to collect the SG status information and take screenshot. The highlighted message has the key information:
Run "connect" command to verify the connection status and take a screenshot, for example:

Unsupported CPU

To check if the CPU is supported, you may refer to How to check if Service Gateway 2.0 can upgrade to Service Gateway 3.0 in Trend Vision One.

If the issue persists, use "log collect" command to collect debugging data and submit it to Trend Micro Technical Support.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Understanding and troubleshooting 'Unhealthy' Service Gateway status

Incorrect system time

Kubernetes service does not start because the certificate is expired

Network issue

Unsupported CPU

Understanding and troubleshooting 'Unhealthy' Service Gateway status

Product / Version includes:

Summary

Incorrect system time

Kubernetes service does not start because the certificate is expired

Network issue

Unsupported CPU