Network Sensor is displayed as Failsafe

Symptom

The Network Sensor is displayed as Failsafe in the Node management or Sensor management.

Cause

The Network Sensor periodically sends a UDP keepalive packet to the Policy Server, which will reply in the same session with an acknowledgement. If there is a Policy update, the Policy Server will notify the Sensor in the acknowledgement.

If the Sensor is made aware of new policy information, it will attempt to start a TCP session with the Policy Server over HTTPS on port 443. If this TCP session fails to initiate 5 times, the Sensor status will display as Failsafe.

Resolution

Check Connectivity

  • Verify the communication path between the Policy Server and the Network Sensor on port 443. Ensure the necessary exceptions are in place on firewalls or other appliances.
  • Through SSH on the Policy Server and Network Sensor, inspect traffic from the other component using the command: tcpdump -i eth0 host [source IP]

Check Network Sensor Interface Status

  • Through SSH on the Network Sensor, enter the command: show interface eth[#]
  • Default interface is eth0.

Check Policy Server / Network Sensor Debug

Using SSH on the Policy Server and Network Sensor, follow the steps below:

genian> en

genian# @shell

Genians$ cat /disk/data/logs/system/centerd | grep " ERRMSG=SOAP" > network_err

Genians$ cat ./network_err | grep [Policy Server or Network Sensor IP Address] | grep 443
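
An added example (not Genians' own tooling) that does the same filtering as the two grep commands above in one pass, matching the peer address and port 443 as whole values so that 192.0.2.10 does not also select 192.0.2.100 or port 4430. The log line layout and the addresses are constructed for illustration; only the ERRMSG=SOAP marker and the log path come from this page.

```shell
#!/bin/sh
# soap_errors PEER_IP  (reads the log on stdin, prints matching lines)
# Keeps lines that contain ERRMSG=SOAP, the exact peer IP and port 443.
soap_errors() {
    awk -v ip="$1" '
        BEGIN {
            gsub(/[.]/, "[.]", ip)                    # dots become literal, not wildcards
            ip_re   = "(^|[^0-9.])" ip "([^0-9]|$)"   # whole address only
            port_re = "(^|[^0-9])443([^0-9]|$)"       # 443, not 4430 or 1443
        }
        index($0, "ERRMSG=SOAP") && $0 ~ ip_re && $0 ~ port_re
    '
}

# CONSTRUCTED sample lines; the real centerd layout may differ.
sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01 centerd[812] ERRMSG=SOAP connect failed, peer=192.0.2.10:443
2024-05-01 10:00:02 centerd[812] ERRMSG=SOAP connect failed, peer=192.0.2.100:443
2024-05-01 10:00:03 centerd[812] INFO keepalive ack from 192.0.2.10
2024-05-01 10:00:04 centerd[812] ERRMSG=SOAP timeout, peer=192.0.2.10:443
2024-05-01 10:00:05 centerd[812] ERRMSG=SOAP connect failed, peer=192x0y2z10:443
2024-05-01 10:00:06 centerd[812] ERRMSG=SOAP connect failed, peer=192.0.2.10:4430
EOF
}

# Demo on the constructed sample. On an appliance the input would be:
#   soap_errors <peer IP> < /disk/data/logs/system/centerd
sample_log | soap_errors 192.0.2.10
```

A plain grep for 192.0.2.10 followed by grep 443 would return five of the six sample lines; the function returns only the two that involve that peer on port 443.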