Unable to manage IPS/TPS device from my SMS

    • Updated: 2 Dec 2021
    • Product/Version:
    • TippingPoint IPS N-series
    • TippingPoint IPS NX-series
    • TippingPoint SMS
    • TippingPoint TPS
    • TippingPoint Virtual SMS
    • TippingPoint Virtual TPS
Summary
This article provides troubleshooting instructions for when the Security Management System (SMS) is unable to manage an Intrusion Prevention System (IPS) or Threat Protection System (TPS) device.
Details
On the IPS/TPS device, via the CLI:

  1. Ensure that the device is not already managed by another SMS: "show sms".
  2. Ensure that the SMS management setting is not locked to a specific SMS: "show config sms". If you need to clear this setting, run "conf t sms no must-be-ip".
  3. Ensure that the "host ip-filter" rules are not blocking the SMS IP address. To view the configuration, run "show config host". The "show host" command shows the last IP address filtered by the "host ip-filter" rules. Modify the rules with "conf t host ip-filter".
  4. Check the system time on the device: "sh clock", "sh con clock", "sh sntp", "sh con sntp", "sh ntp", and "sh con ntp". The system time should match the SMS (within a minute or two). The best practice is to point the device to the SMS for time synchronization.
  5. Verify SNMP settings on IPS.
    1. "sh snmp"
    2. "sh con snmp"
    3. "debug show ini -k user [SMS]"
Network Configuration:

  1. Verify which network ports (TCP/UDP) are open between the SMS and the IPS/TPS device(s). For the list of required ports, see the following article: https://success.trendmicro.com/solution/TP000085738
  2. If the ping command is supported, ping between the device(s) and the SMS in both directions to ensure proper network routing.
  3. Confirm the logical network topology and design of the management network relative to the IPS device(s) and the SMS appliance(s).
  4. Ensure that both the switch port and the IPS management interface have negotiated full duplex ("show int mgmt" on the IPS).
  5. Verify that the MTU between the SMS and the IPS is no less than 1500. (Over some WANs, the MTU may need to be lowered on the SMS for legacy IPS devices.)
  6. Verify whether any network tunneling is in place between the IPS management interface and the SMS management interface, and of what type(s). (Tunneling reduces the effective MTU.)
    1. From the SMS: "ping -M do -s 1472 <Device IPv4>" (with the 28 bytes of IPv4 and ICMP headers, these packets are exactly 1500 bytes, and "-M do" forbids fragmentation).
    2. From the IPS/TPS: "ping <SMS IPv4>".
  7. Verify the network interface and MTU settings on the SMS. (This step can be skipped if the ping test in step 6 succeeded without any fragmented packets.)
    1. "get net"
    2. "ifconfig eth0 mtu" or "get net.mtu"
    Important: If the MTU on the SMS is lower than 1500, contact the TAC for instructions.
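The MTU probe in step 6 and the clock comparison in step 4 of the device CLI list are easy to get wrong by hand, so the following is an added shell example (not from the article and not Trend Micro or TippingPoint code) that computes the "ping -M do" payload for a target MTU, parses the fragmentation messages a Linux ping prints to recover the path MTU the network reports, and checks clock skew against the article's tolerance. It assumes a POSIX sh; the sample ping lines are constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not Trend Micro / TippingPoint code): offline helpers for the
# MTU and clock checks described in the article. Assumes a POSIX sh; ping
# output is read from stdin so the parsing runs without a live device.

# Payload size for "ping -M do -s <N>" that produces an IPv4 packet of exactly
# the given MTU: 20-byte IPv4 header + 8-byte ICMP header = 28 bytes overhead.
icmp_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Read captured ping output on stdin and print the path MTU the network
# announced when a DF packet was too large (Linux prints "Frag needed and DF
# set (mtu = N)" or "message too long, mtu=N"). Prints "ok" when no such
# message appears, i.e. the probe size fit the path end to end.
path_mtu_from_ping() {
    mtu=$(sed -n 's/.*mtu *= *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$mtu" ]; then
        echo "ok"
    else
        echo "$mtu"
    fi
}

# Succeed when two clocks (epoch seconds, e.g. from "date +%s" on the SMS and
# the device) are within the tolerance the article gives ("a minute or two",
# default 120 s); fail otherwise.
clock_skew_ok() {
    tol=${3:-120}
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$tol" ]
}

# Constructed sample lines, as a Linux ping would print them on a tunnelled
# path with a 1400-byte MTU and on a healthy path respectively.
SAMPLE_FRAG='From 10.0.0.1 icmp_seq=1 Frag needed and DF set (mtu = 1400)'
SAMPLE_OK='64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.312 ms'

# Usage when run directly:
#   icmp_payload_for_mtu 1500                          -> 1472
#   printf '%s\n' "$SAMPLE_FRAG" | path_mtu_from_ping  -> 1400
#   printf '%s\n' "$SAMPLE_OK"   | path_mtu_from_ping  -> ok
```

If path_mtu_from_ping prints a number below 1500, that is the value the SMS side would have to be lowered to, which is the case the article says to raise with the TAC rather than change on your own.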
From the SMS:

  1. Verify that time and time zone settings are synchronized between the SMS and the device(s) in question: "get time", "get ntp".
  2. Verify whether the SMS SSL certificate has recently been updated.
  3. Test SNMP from the SMS against the device in question:
    1. snmpwalk -v 2c -c tinapc <Device IPv4>
    2. get device.debug-ips-snmp?<IPS IPv4 Address>
    3. get device.debug-ips-soap?IP_address_of_IPS
Errors reported on the SMS:

  1. Example error 1: An error has occurred: Security zone for port 1 does not exist.
  2. Example error 2: An error has occurred: Failed to get ips security zones: <device's mgmt. IP address> socket timed out: Read timed out
Other troubleshooting steps (working with the TAC is highly recommended):

  1. Take a packet capture (tcpdump) on the SMS while it manages the IPS: "tcpdump -i eth0 -s 0 host IP_address_of_IPS -w /mgmt/client/tmp/manage-device.pcap"
    1. Note: SMS service mode is required in order to perform network captures using tcpdump. (TAC required.)
    2. Note: The capture file can be downloaded from the SMS via HTTPS or from the SMS GUI under "Admin > Reports and Archives".
  2. If necessary, perform a filter reset on the IPS.
    1. Note: Ensure that the IPS device is not busy before this activity by issuing the CLI command "debug busy-wait".
    2. Note: It is recommended to place the device into manual Layer-2 Fallback (L2FB) before performing a filter reset; if the device is busy, performing a filter reset without first enabling manual L2FB may result in a device crash.
    3. Note: It is recommended to collect the entire output of the "show config" CLI command before the filter reset, so that the virtual segment configuration is captured.
    4. Note: An organizational maintenance change request is recommended before performing this activity.
  3. Reboot the IPS device.
    1. Note: An organizational maintenance change request is recommended before performing this activity. (This may be the same change request as the previous step.)
    2. Note: If a reboot has already been performed, perform a full reboot to re-initialize the hardware.
  4. If necessary, perform a factory reset on the IPS from the command line: "debug factory-reset".
    1. Note: An organizational maintenance change request is recommended before performing this activity. (This may be the same change request as the previous step.)
HELPFUL COMMANDS:
SMS

  • get sw
  • snmpwalk -v 2c -c tinapc IP_address_of_IPS #(version 2c; community string 'tinapc')
  • get device.debug-ips-snmp?IP_address_of_IPS
  • get device.debug-ips-soap?IP_address_of_IPS
  • tcpdump -i eth0 -s 0 host IP_address_of_IPS -w /mgmt/client/tmp/manage-device.pcap #(file can be downloaded from SMS via HTTPS)
  • ping -M do -s 1472 IP_address_of_IPS

IPS

  • show version
  • debug show ini -k user [SMS] #(shows IPS community string and SNMP version)

Windows

  • ping -f -l 1500 IP_address_of_IPS

Category: Troubleshoot
Solution Id: TP000289679