Compliant Node is Blocked

Symptom

In Enforcement Policy, the node is assigned Perm-all authority, but its network communication is blocked. In the Web Console, the policy appears correctly applied to the node, but the policy is not actually applied.

Cause

When a policy assigned to a node changes, the Policy Server instructs the Network Sensor to change the policy status of the node. In some cases the Network Sensor may not receive or act upon this input.

Resolution

Check Connectivity

  • Verify communication path between Policy Server and Network Sensor on port 443. Ensure necessary exceptions on firewalls or other appliances.
  • Through SSH on the Policy Server and Network Sensor, inspect traffic using the command: tcpdump -i eth0 host [Policy Server or Network Sensor IP] (when accessing the Policy Server console, use the Network Sensor IP as the tcpdump host IP, and vice versa).

Checking Network Sensor Policy

You can view which Enforcement Policy the network sensor is applying to a node through the Command Line Interface.

  • Enter the terminal for the Network Sensor and use the command show nodeinfo filter [Node IP Address].
  • Check if "noderole" is properly assigned to the node.

Check Policy Server and Network Sensor Logs

The Policy Server keeps its internal logs in a file called centerd, while the Network Sensor uses a file called sensord. These files can be monitored to see whether the node role has changed.

  • Follow the steps below; the commands are shown in the code box.
  • Log in to the Policy Server or Network Sensor console directly or by SSH.
  • Enter Configuration mode.
  • Enter shell mode.
  • Use the tail -f command to display the most recent contents of the log file in real time.
  • Attempt to make a policy change to a node through the Web Console.
  • Check for error logs to appear in the console.

genian> en

genian# @shell

On the Policy Server:

Genians$ tail -f /disk/data/logs/centerd

Example node role logs from centerd:

Jul 17 16:06:26 Genians centerd[5788]: DBG|rolemgr.cpp|1720| 8015| Role Assign Node=10.10.10.245 MAC=08:00:27:28:C9:1E NLVALID=1 StartBy=Changing IPAM Policy QuickCheck=1491340468 Join=0

Jul 17 16:06:26 Genians centerd[5788]: DBG|rolemgr.cpp|1500| 8015| Role Assign Node. ADDR=10.10.10.245 MAC=08:00:27:28:C9:1E NLVALID=1 StartBy=IPAM compliance status changed.

On the Network Sensor:

Genians$ tail -f /disk/data/logs/sensord

Example node role logs from sensord:

Jul 17 16:15:22 Genians sensord[6340]: DBG|eventframe.|1067| 8068| RECV Event NOTIFY     SRC=10.10.10.4 DST=10.10.10.4 SEQ=6406 ID=NODEROLECHANGED(19) FLAGS=0 KERN=0

Jul 17 16:15:22 Genians sensord[6340]: DBG|eventframe.|1067|17655| SEND Event NOTIFY ACK SRC=127.0.0.1 DST=10.10.10.4 SEQ=6406 ID=NODEROLECHANGED(19) FLAGS=1 KERN=1
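The following script is an added example, not part of the Genians documentation or product, that applies the log check above to the centerd and sensord excerpts shown on this page. It parses the "Role Assign" lines from centerd and the NODEROLECHANGED NOTIFY / NOTIFY ACK lines from sensord, then reports which of the three failure points in the Resolution section the logs point to: the Policy Server never assigned a role, the sensor never received the notification (connectivity), or the sensor received it but never acknowledged it. The regular expressions are written against the exact line layout shown above and are an assumption; other log formats or product versions may differ.

```python
import re

# Constructed sample input: the centerd and sensord excerpts from this page.
CENTERD_SAMPLE = """\
Jul 17 16:06:26 Genians centerd[5788]: DBG|rolemgr.cpp|1720| 8015| Role Assign Node=10.10.10.245 MAC=08:00:27:28:C9:1E NLVALID=1 StartBy=Changing IPAM Policy QuickCheck=1491340468 Join=0
Jul 17 16:06:26 Genians centerd[5788]: DBG|rolemgr.cpp|1500| 8015| Role Assign Node. ADDR=10.10.10.245 MAC=08:00:27:28:C9:1E NLVALID=1 StartBy=IPAM compliance status changed.
"""

SENSORD_SAMPLE = """\
Jul 17 16:15:22 Genians sensord[6340]: DBG|eventframe.|1067| 8068| RECV Event NOTIFY     SRC=10.10.10.4 DST=10.10.10.4 SEQ=6406 ID=NODEROLECHANGED(19) FLAGS=0 KERN=0
Jul 17 16:15:22 Genians sensord[6340]: DBG|eventframe.|1067|17655| SEND Event NOTIFY ACK SRC=127.0.0.1 DST=10.10.10.4 SEQ=6406 ID=NODEROLECHANGED(19) FLAGS=1 KERN=1
"""

# Assumed layout of the two "Role Assign" variants seen in centerd:
#   "Role Assign Node=<ip> MAC=<mac> ... StartBy=<reason> QuickCheck=..."
#   "Role Assign Node. ADDR=<ip> MAC=<mac> ... StartBy=<reason>"
ROLE_ASSIGN_RE = re.compile(
    r"centerd\[\d+\]:.*Role Assign Node[=.] ?(?:ADDR=)?(?P<ip>\d+(?:\.\d+){3}) "
    r"MAC=(?P<mac>[0-9A-Fa-f:]{17}).*?StartBy=(?P<start_by>.*?)(?: QuickCheck=| Join=|$)"
)

# Assumed layout of the eventframe lines in sensord.
EVENT_RE = re.compile(
    r"sensord\[\d+\]:.*(?P<dir>RECV|SEND) Event (?P<kind>NOTIFY(?: ACK)?)\s+"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) SEQ=(?P<seq>\d+) ID=(?P<name>[A-Z]+)\((?P<id>\d+)\)"
)


def parse_role_assignments(text):
    """Return (ip, mac, start_by) for every Role Assign line centerd wrote."""
    out = []
    for line in text.splitlines():
        m = ROLE_ASSIGN_RE.search(line)
        if m:
            out.append((m["ip"], m["mac"].upper(), m["start_by"].strip()))
    return out


def parse_sensor_events(text, event_name="NODEROLECHANGED"):
    """Return one dict per RECV/SEND eventframe line carrying event_name."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m and m["name"] == event_name:
            out.append({"dir": m["dir"], "kind": m["kind"], "src": m["src"],
                        "dst": m["dst"], "seq": int(m["seq"])})
    return out


def diagnose(centerd_text, sensord_text):
    """Map the two logs onto the failure points in the Resolution section.

    Returns (status, detail) where status is one of:
      'no-assignment' - centerd never assigned a role, so the policy did not fire
      'not-received'  - a role was assigned but sensord saw no NODEROLECHANGED NOTIFY
      'not-acked'     - sensord received a NOTIFY but sent no ACK for that SEQ
      'propagated'    - every NOTIFY seen by the sensor was acknowledged
    """
    assignments = parse_role_assignments(centerd_text)
    if not assignments:
        return "no-assignment", "no 'Role Assign' lines in centerd; re-check the policy in the Web Console"
    nodes = sorted({ip for ip, _, _ in assignments})
    events = parse_sensor_events(sensord_text)
    received = {e["seq"] for e in events if e["dir"] == "RECV" and e["kind"] == "NOTIFY"}
    acked = {e["seq"] for e in events if e["dir"] == "SEND" and e["kind"] == "NOTIFY ACK"}
    if not received:
        return "not-received", (f"role assigned for {nodes} but sensord logged no NODEROLECHANGED NOTIFY; "
                                "check the Policy Server to Network Sensor path on port 443 (tcpdump)")
    missing = sorted(received - acked)
    if missing:
        return "not-acked", (f"NOTIFY SEQ {missing} received but not acknowledged; "
                             "verify the role with 'show nodeinfo filter <ip>' on the sensor")
    return "propagated", f"{len(assignments)} assignment(s) for {nodes}, NOTIFY SEQ {sorted(received)} acknowledged"


if __name__ == "__main__":
    print(diagnose(CENTERD_SAMPLE, SENSORD_SAMPLE))
```

To use it against a live system, capture the output of tail -f on each appliance into a file and pass the two file contents to diagnose(); the NOTIFY and ACK lines are correlated by SEQ, so a NOTIFY with no matching ACK is the signal that the sensor received the change but did not act on it.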