Deep Security Virtual Appliance (DSVA) activation fails

    • Updated: 19 Feb 2019
    • Product/Version: Deep Security 10.0, 10.1, 10.2, 10.3, 11.0, 11.1, 11.2, 11.3, 9.6
    • Platform: VMware ESXi 5.5, 6.0, 6.5, 6.7

Summary

After deploying the Trend Micro Deep Security Service on VMware NSX, the Deep Security Virtual Appliance (DSVA) will be automatically activated and upgraded to the highest version available locally on the Deep Security Manager (DSM). On Deep Security 9.6 and earlier builds of 10.0, the appliance's initial version is 9.5.2-2202. Meanwhile, for Deep Security 11.0 and higher, the initial version is 11.0.0-211.

In some cases, the DSVAs are deployed successfully but activation fails. This article lists the common error messages and the steps to resolve them. Before proceeding, make sure that the following have been checked on the DSM console:

  • Navigate to Administration > Relay Management > Relay Group and make sure at least one member of the relay group is functional.
  • On Computers, right-click vCenter and click Synchronize Now. The vCenter server and NSX Manager synchronization must be successful.
Details

The error message "Activation Failed (Agent/Appliance rejected generated certificate)" appears on the DSVA editor.

In the DSM server0.log, located at %Program Files\Trend Micro\Deep Security Manager\, the following entries appear:

    Jun 19, 2018 6:53:36 AM com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation activateIfNecessary
    WARNING: ThID:291|TID:0|TNAME:Primary|UID:-1|UNAME:|Activation job failed. Reset certificate. Host ID: 77
    com.thirdbrigade.manager.core.general.exceptions.AgentRejectionOfAgentCertificateException: Agent rejected agent certificate
         at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation.performActivation(HostUpdaterSessionForActivation.java:620)
         at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation.activateIfNecessary(HostUpdaterSessionForActivation.java:518)
         at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation.establishCommandProtocolSession(HostUpdaterSessionForActivation.java:324)
         at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterJob.onRun(HostUpdaterJob.java:647)
         at com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.Job.run(Job.java:183)
         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
         at java.lang.Thread.run(Thread.java:748)

The issue may be caused by the time configuration on the DSVA. The appliance inherits the time configuration of the ESXi host. It is recommended to use an NTP server to synchronize the time and date. Moreover, it is best practice to keep the time and date of the whole vSphere environment in sync.

  1. In the vSphere Web Client, navigate to the host in the vSphere inventory.
  2. Select Manage, and select Settings.
  3. Under System, select Time configuration and click Edit.
  4. Select an option for setting the time and date of the host. For more information, you may refer to this VMware article: Edit time configuration for a host.
  5. Manually activate and upgrade the DSVA on the DSM console.
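
To see which appliances are affected, and whether the rejections stop once the host time has been corrected, server0.log can be scanned for the exception shown above. This is an added example, not Trend Micro code; it assumes every entry follows the layout of the excerpt (a timestamp header line, then the message and stack trace), and the sample log, including Host ID 81, is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Header line of each entry, as in the excerpt: "Jun 19, 2018 6:53:36 AM <class> <method>"
HEADER = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) ", re.M)
HOST_ID = re.compile(r"Host ID: (\d+)")
MARKER = "AgentRejectionOfAgentCertificateException"

def rejected_activations(log_text, since=None):
    """Map host ID -> timestamps of activation jobs the agent rejected.

    since: optional datetime; earlier entries are ignored, e.g. to confirm
    that no new rejections were logged after the host time was corrected.
    """
    hits = defaultdict(list)
    starts = [m.start() for m in HEADER.finditer(log_text)]
    for begin, end in zip(starts, starts[1:] + [len(log_text)]):
        entry = log_text[begin:end]  # header, message and stack trace
        if MARKER not in entry:
            continue
        stamp = HEADER.match(entry).group(1)
        when = datetime.strptime(stamp, "%b %d, %Y %I:%M:%S %p")
        if since is not None and when < since:
            continue
        host = HOST_ID.search(entry)
        hits[host.group(1) if host else "unknown"].append(when)
    return {host: sorted(times) for host, times in hits.items()}

# Constructed sample: the first entry is the excerpt above with the stack
# trace cut to one frame; the other entries and Host ID 81 are made up.
JOB = "com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSessionForActivation"
EXC = "com.thirdbrigade.manager.core.general.exceptions." + MARKER

def _entry(stamp, host_id):
    return (f"{stamp} {JOB} activateIfNecessary\n"
            f"WARNING: ThID:291|TID:0|TNAME:Primary|UID:-1|UNAME:|Activation job failed. "
            f"Reset certificate. Host ID: {host_id}\n"
            f"{EXC}: Agent rejected agent certificate\n"
            f"     at {JOB}.performActivation(HostUpdaterSessionForActivation.java:620)\n")

SAMPLE_LOG = (_entry("Jun 19, 2018 6:53:36 AM", 77)
              + "Jun 19, 2018 6:54:02 AM example.placeholder.Component run\n"
                "INFO: unrelated constructed entry\n"
              + _entry("Jun 19, 2018 7:23:40 AM", 77)
              + _entry("Jun 19, 2018 7:24:05 AM", 81))

if __name__ == "__main__":
    for host, times in rejected_activations(SAMPLE_LOG).items():
        print(f"Host ID {host}: {len(times)} rejection(s), last at {times[-1]}")
```

Passing the time at which NTP was configured as `since` shows only the rejections logged after the fix.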

On the vSphere Web Client > Networking and Security > Installation > Service Deployments, the service status shows "Unknown".

To resolve the issue:

  1. If the Port Group is set to "Specified on Host" during Deep Security service deployment, check if the host's Agent VM settings are correct.

    1. Select the host in the vSphere Web Client inventory.
    2. Click the Configure tab, then select Agent VM Settings.

  2. Confirm that the appliance is getting the correct IP address. If you are using an IP pool, make sure that the Gateway and DNS information are correct and that the IP address range is unassigned.

    To verify that the IP address is bound to the DSVA, do the following:

    1. Open a command prompt on the Deep Security Manager (DSM) server.
    2. Run the following command to display the ARP cache entry of the DSVA IP.
      arp -a <DSVA IP address>

    3. On the vSphere Web Client, click the DSVA under Hosts and Clusters, then go to Summary > VM Hardware. Click the drop-down button beside Network Adapter. Verify that the MAC address is the same as the result of the arp command run earlier. If it is not, the IP is being used by another device in the network.

  3. If all networking configurations are already correct, restart the DSVA from the vSphere web client, then reactivate and upgrade manually from the DSM console. Otherwise, redeploy the Deep Security Service in the NSX Manager Service Deployments page.
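
The MAC comparison in step 2 is easy to get wrong by eye, because Windows prints the address with dashes and vSphere shows it with colons. The following added example (not part of the original article) parses saved `arp -a` output and compares it with the MAC address copied from VM Hardware; it also accepts the Linux `arp -a` format, which goes beyond the Windows case in the text. All addresses in the samples are constructed.

```python
import re

MAC = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")

def normalize_mac(mac):
    """Lower-case, colon-separated form, so 00-50-56-AA-BB-CC == 00:50:56:aa:bb:cc."""
    return ":".join(re.findall(r"[0-9a-f]{2}", mac.lower()))

def mac_for_ip(arp_output, ip):
    """Return the normalized MAC the ARP cache holds for ip, or None."""
    # Match the whole address only: 192.0.2.5 must not match 192.0.2.50.
    exact_ip = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    for line in arp_output.splitlines():
        if exact_ip.search(line):
            found = MAC.search(line)
            if found:
                return normalize_mac(found.group(0))
    return None

def check_binding(arp_output, dsva_ip, vsphere_mac):
    """Return 'match', 'conflict' (another device answers for the IP) or 'no-entry'."""
    cached = mac_for_ip(arp_output, dsva_ip)
    if cached is None:
        return "no-entry"
    return "match" if cached == normalize_mac(vsphere_mac) else "conflict"

# Constructed samples of `arp -a <DSVA IP address>` output.
WINDOWS_ARP = """
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.50            00-50-56-aa-bb-cc     dynamic
"""
LINUX_ARP = "? (192.0.2.50) at 00:50:56:aa:bb:cc [ether] on eth0\n"
NO_ENTRY = "No ARP Entries Found.\n"

if __name__ == "__main__":
    # The MAC argument is what vSphere shows under VM Hardware > Network Adapter.
    print(check_binding(WINDOWS_ARP, "192.0.2.50", "00:50:56:AA:BB:CC"))
    print(check_binding(WINDOWS_ARP, "192.0.2.50", "00:50:56:11:22:33"))
    print(check_binding(NO_ENTRY, "192.0.2.50", "00:50:56:AA:BB:CC"))
```

A "no-entry" result only means the DSM server holds no cached ARP entry for the address, which is also what happens when the DSVA is on a different subnet from the DSM server.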

Category: Troubleshoot
Solution Id: 1122093