Compliant Node is Blocked
=========================

Symptom
-------

In Enforcement Policy, the node is assigned Perm-all authority, but its network communication is blocked. In the Web Console, the policy appears correctly applied to the node, but the policy is not actually applied.

Cause
-----

When a policy assigned to a node changes, the Policy Server instructs the Network Sensor to change the policy status of the node. In some cases the Network Sensor may not receive or act upon this instruction.

Resolution
----------

Check Connectivity
''''''''''''''''''

- Verify the communication path between the Policy Server and the Network Sensor on port 443. Ensure the necessary exceptions exist on firewalls or other appliances.
- Through SSH on the Policy Server and the Network Sensor, inspect traffic using the command ``tcpdump -i eth0 host [Policy server or network sensor IP]`` (if accessing the Policy Server console, use the Network Sensor IP as the tcpdump host IP, and vice versa).

Checking Network Sensor Policy
''''''''''''''''''''''''''''''

You can view which Enforcement Policy the Network Sensor is applying to a node through the Command Line Interface.

- Enter the terminal for the Network Sensor and use the command ``show nodeinfo filter [Node IP Address]``
- Check that "noderole" is properly assigned to the node.

Check Policy Server and Network Sensor Logs
'''''''''''''''''''''''''''''''''''''''''''

The Policy Server keeps its internal logs in a file called **centerd**, while the Network Sensor uses a file called **sensord**. These files can be monitored to see whether the node role has changed.

- Follow the steps below, as shown in the code block.
- Log in to the Policy Server or Network Sensor console directly or by SSH.
- Enter Configuration mode.
- Enter shell mode.
- Use the ``tail -f`` command to display the most recent contents of the log file in real time.
- Attempt to make a policy change to a node through the Web Console.
- Watch for the corresponding log entries to appear in the console.

.. code-block:: bash

   genian> en
   genian# @shell

**On the Policy Server:**

.. code-block:: bash

   Genians$ tail -f /disk/data/logs/centerd

Example node role logs from centerd:

.. code-block:: bash

   Jul 17 16:06:26 Genians centerd[5788]: DBG|rolemgr.cpp|1720| 8015| Role Assign Node=10.10.10.245 MAC=08:00:27:28:C9:1E NLVALID=1 StartBy=Changing IPAM Policy QuickCheck=1491340468 Join=0
   Jul 17 16:06:26 Genians centerd[5788]: DBG|rolemgr.cpp|1500| 8015| Role Assign Node. ADDR=10.10.10.245 MAC=08:00:27:28:C9:1E NLVALID=1 StartBy=IPAM compliance status changed.

**On the Network Sensor:**

.. code-block:: bash

   Genians$ tail -f /disk/data/logs/sensord

Example node role logs from sensord:

.. code-block:: bash

   Jul 17 16:15:22 Genians sensord[6340]: DBG|eventframe.|1067| 8068| RECV Event NOTIFY SRC=10.10.10.4 DST=10.10.10.4 SEQ=6406 ID=NODEROLECHANGED(19) FLAGS=0 KERN=0
   Jul 17 16:15:22 Genians sensord[6340]: DBG|eventframe.|1067|17655| SEND Event NOTIFY ACK SRC=127.0.0.1 DST=10.10.10.4 SEQ=6406 ID=NODEROLECHANGED(19) FLAGS=1 KERN=1
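The two log excerpts above can be correlated mechanically instead of by eye. The following is an added example, not code from the Genians documentation or product: it parses the centerd ``Role Assign`` lines and the sensord ``NODEROLECHANGED`` notify/ACK lines (assuming the exact key=value layout shown above) and reports which step of the role update is missing. Because the sensor lines carry no node address, the correlation is by presence and SEQ number rather than per node.

```python
import re

# Patterns built from the centerd/sensord lines quoted above (assumption: the key=value
# layout is stable, and the sensor's ACK line repeats the SEQ of the notify it answers).
ROLE_ASSIGN = re.compile(r"centerd\[\d+\]: .*Role Assign (?:Node\. )?(?:Node|ADDR)=(?P<ip>[\d.]+) "
                         r"MAC=(?P<mac>[0-9A-F:]+) .*StartBy=(?P<reason>.*)$", re.I)
ROLE_EVENT = re.compile(r"sensord\[\d+\]: .*(?:RECV|SEND) Event NOTIFY(?P<ack> ACK)? "
                        r".*SEQ=(?P<seq>\d+) ID=NODEROLECHANGED", re.I)

# Sample lines copied from the centerd and sensord examples on this page.
CENTERD_SAMPLE = [
    "Jul 17 16:06:26 Genians centerd[5788]: DBG|rolemgr.cpp|1720| 8015| Role Assign Node=10.10.10.245 MAC=08:00:27:28:C9:1E NLVALID=1 StartBy=Changing IPAM Policy QuickCheck=1491340468 Join=0",
    "Jul 17 16:06:26 Genians centerd[5788]: DBG|rolemgr.cpp|1500| 8015| Role Assign Node. ADDR=10.10.10.245 MAC=08:00:27:28:C9:1E NLVALID=1 StartBy=IPAM compliance status changed.",
]
SENSORD_SAMPLE = [
    "Jul 17 16:15:22 Genians sensord[6340]: DBG|eventframe.|1067| 8068| RECV Event NOTIFY SRC=10.10.10.4 DST=10.10.10.4 SEQ=6406 ID=NODEROLECHANGED(19) FLAGS=0 KERN=0",
    "Jul 17 16:15:22 Genians sensord[6340]: DBG|eventframe.|1067|17655| SEND Event NOTIFY ACK SRC=127.0.0.1 DST=10.10.10.4 SEQ=6406 ID=NODEROLECHANGED(19) FLAGS=1 KERN=1",
]

def parse_centerd(lines):
    """Role assignments [(ip, mac, reason)] from centerd; reason drops the QuickCheck=/Join= tail."""
    out = []
    for line in lines:
        m = ROLE_ASSIGN.search(line)
        if m:
            reason = re.split(r" (?:QuickCheck|Join)=", m["reason"])[0].rstrip(".")
            out.append((m["ip"], m["mac"].upper(), reason))
    return out

def parse_sensord(lines):
    """Return (received_seqs, acked_seqs) for NODEROLECHANGED notifies on the sensor."""
    received, acked = set(), set()
    for line in lines:
        m = ROLE_EVENT.search(line)
        if m:
            (acked if m["ack"] else received).add(int(m["seq"]))
    return received, acked

def check_role_propagation(centerd_lines, sensord_lines):
    """Correlate both logs and name the first step of the role update that is missing."""
    assigns = parse_centerd(centerd_lines)
    received, acked = parse_sensord(sensord_lines)
    if not assigns:
        return "no role assignment logged on the Policy Server: the policy change itself did not happen"
    if not received:
        return "role assigned on the Policy Server but no NODEROLECHANGED notify reached the sensor: check the port 443 path"
    unacked = sorted(received - acked)
    if unacked:
        return f"sensor received the notify but never acknowledged SEQ {unacked}"
    return f"ok: {len(assigns)} role assignment(s), {len(received)} notify(ies) received and acknowledged"
```

Feed it the output of the two ``tail -f`` sessions captured around one policy change; an empty sensor side with a populated server side points at the connectivity checks earlier on this page.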