Summary
Cloned VMware virtual machines with an active DSA, without an associated vCenter connector, may result in the associated DSAs all communicating with a single computer resource in Workload Security. Having more than one DSA communicating with the same Workload Security resource will impair communications and computer management for the respective DSAs.
It is recommended to have a data center gateway created and an associated vCenter account enabled in Workload Security. As a benefit, changes to the vCenter computer resources are updated automatically, which prevents the issues outlined in this article.
Successful vCenter connector synchronization requires up-to-date and accurate proxy credentials.
Without a working vCenter connector setup in Workload Security, the cloned vCenter resources, with an already active DSA, will communicate with the Manager using the same DSA configuration and the Manager will not distinguish between them. This results in the Manager directing all communications for the clones to the same Manager computer resource.
When encountering this, the following issues can be seen:
- With Activity Monitoring enabled, MQTT offline issues will occur.
- Repeated system event ID 735 "Misconfiguration Detected" may be seen.
- If an impacted DSA's status or configuration is different from that of the other impacted DSAs, the associated computer resource in the Manager may change its state rapidly. As an example, the DSA version could change continuously if any of the impacted DSAs are upgraded, or security status could alternate between up-to-date and out-of-date, etc.
- Managing changes to the hosts could be impacted: upgrades, policy updates, etc. may not start or complete properly.
- The impacted resource may not properly update security rules and patterns to ensure the best security protection.
- The above impacts may lead to the DSAs heartbeating rapidly and consuming unnecessary network bandwidth.
There are 3 options to resolve this:
- Option 1: Configure a data center gateway in Workload Security and add the VMware vCenter as a data center gateway, so that the cloned DSAs can be identified. The clones then need to be reactivated with the wanted policy to help them find the right host entry.
- Option 2: To prevent the issue from happening, change the cloning process to not clone VMware resources with active DSAs. Instead, clone a resource with the DSA inactive and activate the DSA afterwards. This way, the DSA will be activated with the updated unique BIOS UUID and ensure a dedicated Manager computer resource. To address the issue for existing DSAs, please reset and activate all impacted DSAs.
- Option 3: Workload Security has a controlled update, currently being rolled out globally. This change will be able to identify DSAs with the same configuration and a unique Virtual UUID (BIOS UUID) during a heartbeat and automatically create a new computer resource in the Manager.
Please consider enabling automatic upgrade in the Agent upgrade system setting options.
Option 3 only works for a virtual machine clone with a unique Virtual UUID (BIOS UUID). For some virtualization applications, the cloned virtual machines may not have a unique Virtual UUID (BIOS UUID). In such situations, it is recommended to follow the vendor documentation to change the Virtual UUID (BIOS UUID) to be a unique value and reactivate the DSA with Workload Security.
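Because Option 3 depends on every clone having its own BIOS UUID, it helps to check an inventory for clones that still share one. The following is an added example, not Trend Micro code. The CSV layout, host names and UUID values are constructed for illustration, and it assumes all values were collected from the same source, so they use the same byte order.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample inventory (hostname, BIOS UUID as collected per VM).
# Values are invented. Two notations are shown: the dashed form an OS
# typically reports and the spaced form used by uuid.bios in a .vmx file.
SAMPLE_INVENTORY = """hostname,bios_uuid
web-01,564D1A2B-3C4D-5E6F-8090-A1B2C3D4E5F6
web-02,56 4d 1a 2b 3c 4d 5e 6f-80 90 a1 b2 c3 d4 e5 f6
web-03,564d9f00-1111-2222-3333-444455556666
db-01,not-a-uuid
"""

def normalize_uuid(raw):
    """Return 32 lowercase hex digits, or None if the value is not a UUID."""
    digits = re.sub(r"[\s\-{}]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{32}", digits) else None

def find_shared_uuids(inventory_csv):
    """Group hosts by normalized BIOS UUID.

    Returns (shared, invalid): shared maps a UUID to the sorted hostnames
    reporting it when more than one host does; invalid lists hosts whose
    value could not be parsed and therefore need a manual check.
    """
    by_uuid = defaultdict(list)
    invalid = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        uuid = normalize_uuid(row["bios_uuid"] or "")
        if uuid is None:
            invalid.append(row["hostname"])
        else:
            by_uuid[uuid].append(row["hostname"])
    shared = {u: sorted(h) for u, h in by_uuid.items() if len(h) > 1}
    return shared, sorted(invalid)

if __name__ == "__main__":
    shared, invalid = find_shared_uuids(SAMPLE_INVENTORY)
    for uuid, hosts in shared.items():
        print(f"BIOS UUID {uuid} is shared by: {', '.join(hosts)}")
    for host in invalid:
        print(f"{host}: BIOS UUID missing or malformed")
```

Hosts reported as sharing a UUID are the ones that need the UUID changed per the vendor documentation and the DSA reactivated before Option 3 can separate them.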
It is expected to see more computer entries being created as the issue is being resolved, as the unique virtual machines get assigned a unique computer resource in the Workload Security Manager. As such, this may increase the host count and be reflected in the license usage or billing.