After the Trend Micro Deep Security service is deployed on VMware NSX, the Deep Security Virtual Appliance (DSVA) is activated automatically and upgraded to the highest appliance version available locally on the Deep Security Manager (DSM). On Deep Security 9.6 and earlier builds of 10.0 the appliance's initial version is 9.5.2-2202; on Deep Security 11.0 and later it is 11.0.0-211.
In some environments the DSVAs deploy successfully but activation fails. This article lists the common error messages and the steps to resolve them. Before proceeding, verify the following on the DSM console:
- Go to Administration > Relay Management > Relay Group and confirm that at least one member of the relay group is functional; the appliance downloads its upgrade package from a relay.
- On Computers, right-click the vCenter and click Synchronize Now. Synchronization with both the vCenter server and the NSX Manager must succeed.
The error message "Activation Failed (Agent/Appliance rejected generated certificate)" appears in the DSVA editor.
In the DSM server0.log (located under %Program Files\Trend Micro\Deep Security Manager\), entries like the following appear:
Jun 19, 2018 6:53:36 AM com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation activateIfNecessary
WARNING: ThID:291|TID:0|TNAME:Primary|UID:-1|UNAME:|Activation job failed. Reset certificate. Host ID: 77
com.thirdbrigade.manager.core.general.exceptions.AgentRejectionOfAgentCertificateException: Agent rejected agent certificate
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation.performActivation(HostUpdaterSessionForActivation.java:620)
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation.activateIfNecessary(HostUpdaterSessionForActivation.java:518)
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation.establishCommandProtocolSession(HostUpdaterSessionForActivation.java:324)
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterJob.onRun(HostUpdaterJob.java:647)
    at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.Job.run(Job.java:183)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
The usual cause is the time configuration of the DSVA. The appliance takes its date and time from the ESXi host it runs on, so when the host clock is wrong the certificate that the DSM generates for the appliance does not fit the appliance's idea of the current time (its validity period starts in the future or has already ended) and the appliance rejects it. Configure the host to synchronize with an NTP server, and keep the whole vSphere environment (ESXi hosts, vCenter and the DSM server itself) in sync, since the DSM is the party that issues the certificate.
- In the vSphere Web Client, select the host in the vSphere inventory.
- Select Manage, then Settings.
- Under System, select Time Configuration and click Edit.
- Choose how the host's date and time are set (an NTP server is recommended). For details, refer to the VMware article "Edit time configuration for a host".
- Once the host clock is correct, manually activate and upgrade the DSVA from the DSM console.
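The same host-side change can be made for a whole cluster at once. The script below is an added example, not part of the Trend Micro article or product: it uses VMware PowerCLI to add an NTP server to every ESXi host in a cluster, start ntpd, and report each host's clock offset relative to the machine running the script (run it on the DSM server, since the DSM issues the appliance certificate). The vCenter name, cluster name and NTP server are hypothetical values.

```powershell
# Added example, not from the Trend Micro article. Assumes the VMware.PowerCLI
# module is installed and the account can edit host time configuration.
# Hypothetical values: vCenter 'vcenter.example.local', cluster 'Prod',
# NTP server 'ntp.example.local'.
param(
    [string]$VCenter        = 'vcenter.example.local',
    [string]$Cluster        = 'Prod',
    [string]$NtpServer      = 'ntp.example.local',
    [int]   $MaxSkewSeconds = 60
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmHost in (Get-Cluster -Name $Cluster | Get-VMHost)) {
    # 1. Add the NTP server unless the host already lists it.
    $configured = @(Get-VMHostNtpServer -VMHost $vmHost)
    if ($configured -notcontains $NtpServer) {
        Add-VMHostNtpServer -VMHost $vmHost -NtpServer $NtpServer | Out-Null
    }

    # 2. Allow outbound NTP through the host firewall, make ntpd start with the
    #    host, and (re)start it now so the clock converges without a reboot.
    Get-VMHostFirewallException -VMHost $vmHost -Name 'NTP Client' |
        Set-VMHostFirewallException -Enabled $true | Out-Null
    $ntpd = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'ntpd' }
    Set-VMHostService -HostService $ntpd -Policy On | Out-Null
    Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null

    # 3. Read the host clock through the vSphere API (HostDateTimeSystem.QueryDateTime)
    #    and compare it with this machine's clock. Assumption: the DateTime PowerCLI
    #    returns has Kind Utc or Local, so ToUniversalTime() gives the right instant.
    $dts     = Get-View -Id $vmHost.ExtensionData.ConfigManager.DateTimeSystem
    $hostUtc = $dts.QueryDateTime().ToUniversalTime()
    $skew    = [math]::Abs(($hostUtc - [DateTime]::UtcNow).TotalSeconds)
    $status  = if ($skew -le $MaxSkewSeconds) { 'OK' } else { 'SKEWED' }

    [pscustomobject]@{
        Host        = $vmHost.Name
        NtpServers  = (Get-VMHostNtpServer -VMHost $vmHost) -join ','
        HostTimeUtc = $hostUtc.ToString('u')
        SkewSeconds = [int]$skew
        Status      = $status
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Save it as a .ps1 file and run it on the DSM server. A host reported as SKEWED right after ntpd starts may simply not have converged yet; rerun after a few minutes. Only once every host hosting a DSVA reports OK should you go back to the DSM console and reactivate the appliance, because the DSVA takes its time from the host.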
In the vSphere Web Client, under Networking and Security > Installation > Service Deployments, the service status shows "Unknown".
To resolve the issue:
- If the Port Group was set to "Specified on Host" during Deep Security service deployment, check that the host's Agent VM settings are correct:
  - Select the host in the vSphere Web Client inventory.
  - Click the Configure tab, then select Agent VM Settings.
- Confirm that the appliance received the correct IP address. If you use an IP pool, make sure the Gateway and DNS entries are correct and that the address range is not already in use by other devices on the network.
To verify that the IP address is actually bound to the DSVA (and not to another device), do the following:
- Open a command prompt on the Deep Security Manager (DSM) server. This check is only meaningful when the DSM is on the same subnet as the DSVA: across a router the ARP cache holds the gateway's MAC address, not the appliance's. Ping the DSVA IP once first so that an ARP entry exists.
- Display the ARP cache entry for the DSVA IP:
arp -a <DSVA IP address>
- In the vSphere Web Client, select the DSVA under Hosts and Clusters, go to Summary > VM Hardware and expand Network adapter. Compare the MAC address shown there with the one returned by arp. If they differ, another device on the network is using the DSVA's IP address.
- If all networking settings are correct, restart the DSVA from the vSphere Web Client, then reactivate and upgrade it manually from the DSM console. Otherwise, redeploy the Deep Security service from the NSX Manager Service Deployments page.
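The ARP-versus-vSphere comparison above can be scripted so that the MAC address formats (Windows arp prints 00-50-56-..., vSphere reports 00:50:56:...) are normalized before comparing. The script below is an added example, not part of the Trend Micro article: it parses `arp -a` output, compares the answering MAC with the appliance's adapter MAC, and flags a missing entry or a conflict. The sample arp output, the DSVA IP 10.10.20.45 and the VM name 'Trend Micro Deep Security (1)' are constructed placeholders.

```powershell
# Added example, not from the Trend Micro article. Runs offline against the
# constructed sample below; the commented lines at the end show live use.

function ConvertTo-NormalizedMac {
    # Strip '-' and ':' so 00-50-56-8A-1B-2C and 00:50:56:8a:1b:2c compare equal.
    param([string]$Mac)
    return ($Mac -replace '[-:]', '').ToLowerInvariant()
}

function Get-ArpEntryMac {
    # Parse the text output of `arp -a <ip>` and return the MAC for $IPAddress, or $null.
    # Windows prints entries as:  "  10.10.20.45   00-50-56-8a-1b-2c   dynamic"
    param(
        [string]$IPAddress,
        [string[]]$ArpOutput
    )
    $pattern = '^\s*(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?<mac>(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(?<type>\w+)'
    foreach ($line in $ArpOutput) {
        # -and short-circuits, so $Matches is only read after a successful -match.
        if ($line -match $pattern -and $Matches['ip'] -eq $IPAddress) {
            return ConvertTo-NormalizedMac $Matches['mac']
        }
    }
    return $null
}

function Test-DsvaIpBinding {
    # $true when the device answering for $IPAddress is the appliance's adapter.
    param(
        [string]$IPAddress,
        [string]$VSphereMac,
        [string[]]$ArpOutput
    )
    $arpMac = Get-ArpEntryMac -IPAddress $IPAddress -ArpOutput $ArpOutput
    if (-not $arpMac) {
        Write-Warning "No ARP entry for $IPAddress. Ping it first, and run this on a DSM in the same subnet (across a router arp returns the gateway's MAC)."
        return $false
    }
    $expected = ConvertTo-NormalizedMac $VSphereMac
    if ($arpMac -ne $expected) {
        Write-Warning "IP conflict: $IPAddress answers from $arpMac but the DSVA adapter is $expected."
        return $false
    }
    return $true
}

# --- Constructed sample data (not captured from a real environment) ---
$dsvaIp     = '10.10.20.45'
$sampleArp  = @(
    '',
    'Interface: 10.10.20.10 --- 0xb',
    '  Internet Address      Physical Address      Type',
    '  10.10.20.45           00-50-56-8a-1b-2c     dynamic'
)
$vsphereMac = '00:50:56:8a:1b:2c'   # value shown under Summary > VM Hardware > Network adapter

Test-DsvaIpBinding -IPAddress $dsvaIp -VSphereMac $vsphereMac -ArpOutput $sampleArp

# Live use on the DSM server (needs VMware.PowerCLI and an open Connect-VIServer session):
# ping -n 1 $dsvaIp | Out-Null
# $liveArp = arp -a $dsvaIp
# $liveMac = (Get-VM -Name 'Trend Micro Deep Security (1)' | Get-NetworkAdapter).MacAddress
# Test-DsvaIpBinding -IPAddress $dsvaIp -VSphereMac $liveMac -ArpOutput $liveArp
```

With the sample data the function returns True; change the sample MAC in either place and it returns False with an "IP conflict" warning, which is the situation where the IP pool range has to be fixed before the service is redeployed.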