McAfee Network Security Platform 9.1


Revision G
McAfee Network Security Platform 9.1 (Troubleshooting Guide)

COPYRIGHT
Copyright 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
  About this guide
  Audience
  Conventions
  Find product documentation

1 Troubleshooting Network Security Platform
  Before you start troubleshooting
  Simplifying troubleshooting
  Issues and status checks for the Sensor
    Health check of a Sensor
    Failover status check of a Sensor
    Signature or software update status
    Download or upload status
    Check the traffic status of a Sensor
    Conditions requiring a Sensor reboot
    Sensor does not boot
    Sensor stays in bad health
    Debugging critical Sensor issues
    Sensor response if its throughput is exceeded
    Sensor latency monitor management
    Management of different types of traffic
    Sensor failover issues
    XC cable connection issues for M8000 Sensors
    External fail-open kit issues in connecting to the monitoring port
    Fail-open kit related issues
    Debugging issues with Connection Limiting policies
    Issues with Quarantine
  Issues and status checks for the Manager
    The Manager connectivity to the database
    MySQL issues
    Sensor not displayed in the resource tree
    The Manager fails to start
    The Manager interface does not work after JRE update
    Message on loading the Manager does not disappear
    Unable to log on to the Manager after typing credentials
    Sections of the interface that do not load properly
    Login button does not work
    Automatic Windows update fails in the Manager
  Issues and status checks for the Sensor and Manager in combination
    Difficulties connecting Sensor and Manager
    Loss of connectivity between the Sensor and Manager
    DoS troubleshooting
  Issues and status checks for the Sensor and other devices in combination
    Connectivity issues between the Sensor and other network devices
  Issues and status checks for 40 Gigabit Active Fail-Open Bypass Kit
    Unable to login to the system due to credential related issue
    Active fail-open kit does not work after login
    Packets getting dropped or network latency issues
    Active fail-open kit module is stuck in Bypass Mode
    ALM LED is stuck on RED
    Additional troubleshooting tips
  Integration Scenarios
    Global Threat Intelligence - API Overload
    ePO - Connection failure
    Vulnerability Manager - Connectivity issues
    Vulnerability Manager - Certificate Sync and FC Agent issues
    Logon Collector - Integration issues

2 Performance issues
  Sniffer trace
  Data link errors
  Half-duplex setting
  Full-duplex setting

3 Determine false positives
  Reduce false positives
  Tune your policies
  False positives and noise
  Determine a false positive versus noise

4 System Log Files

5 System fault messages
  Manager faults
    Manager critical faults
    Manager error faults
    Manager warning faults
    Manager informational faults
  Sensor faults
    Sensor critical faults
    Sensor error faults
    Sensor warning faults
    Sensor informational faults
  NTBA faults
    NTBA critical faults
    NTBA error faults
    NTBA warning faults
    NTBA informational faults

6 Error messages
  Error messages for RADIUS servers
  Error messages for LDAP server

7 Troubleshooting scenarios
  Network outage due to unresolved ARP traffic
  Delay in alerts between the Sensor and Manager
  Sensor-Manager Connectivity Issues
  Wrong country name in IPS alerts
  Wrong country name in ACL alerts

8 Using the InfoCollector tool
  Introduction
  How to run the InfoCollector tool
  Using InfoCollector tool

9 Automatically restarting a failed Manager with Manager Watchdog
  Introduction
  How the Manager Watchdog works
  Install the Manager Watchdog
  Start the Manager Watchdog
  Use the Manager Watchdog with Manager in an MDR configuration
  Track the Manager Watchdog activities

10 Utilization of the McAfee KnowledgeBase

Index

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents
- About this guide
- Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
- Administrators: People who implement and enforce the company's security program.
- Users: People who use the computer where the software is running and can access some or all of its features.

Conventions
This guide uses these typographical conventions and icons.
- Italic: Title of a book, chapter, or topic; a new term; emphasis
- Bold: Text that is emphasized
- Monospace: Commands and other text that the user types; a code sample; a displayed message
- Narrow Bold: Words from the product interface like options, menus, buttons, and dialog boxes
- Hypertext blue: A link to a topic or to an external website
- Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method
- Tip: Best practice information
- Caution: Important advice to protect your computer system, software installation, network, business, or data
- Warning: Advice to prevent bodily harm when using a hardware product

Find product documentation
On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task
1 Go to the ServicePortal at and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.

1 Troubleshooting Network Security Platform

This section lists some troubleshooting tips for McAfee Network Security Platform.

Contents
- Before you start troubleshooting
- Simplifying troubleshooting
- Issues and status checks for the Sensor
- Issues and status checks for the Manager
- Issues and status checks for the Sensor and Manager in combination
- Issues and status checks for the Sensor and other devices in combination
- Issues and status checks for 40 Gigabit Active Fail-Open Bypass Kit
- Integration Scenarios

Before you start troubleshooting
Before you get too deep into troubleshooting techniques, it is a good practice to consider the following questions:
- Were there physical changes to your network that occurred recently?
- If another device is placed in the Sensor's position, does that device receive traffic?
- If the Sensor is in L2 mode, are your network's services still affected?
- Are you using approved McAfee GBICs, SFPs, or XFPs with your Sensor? (For a list of approved hardware, see McAfee KnowledgeBase article KB56364. Go to and click Search the KnowledgeBase.)

Simplifying troubleshooting
When an in-line device experiences problems, most people's instinct is to physically pull it out of the path: to disconnect the cables and let traffic flow unimpeded while the device is examined elsewhere. McAfee recommends that you first try the following techniques to troubleshoot a McAfee Network Security Sensor (Sensor) issue:
- All Sensors have a Layer2 Passthru feature. If you feel your Sensor is causing network disruption, before you remove it from the network, issue the following command:
  layer2 mode assert
  This pushes the Sensor into Layer2 Passthru (L2) mode, causing traffic to flow through the Sensor while bypassing the detection engine. Check to see whether your services are still affected; if they are, then you have eliminated certain Sensor hardware issues, and the problem could instead be a network issue or a configuration issue. (The layer2 mode deassert command pushes the Sensor back to detection mode.)
- McAfee recommends that you configure Layer2 Passthru Mode on each Sensor. This enables you to set a threshold on the Sensor that pushes the Sensor into L2 bypass mode if the Sensor experiences a specified number of errors within a specified time frame. Traffic then continues to flow directly through the Sensor without passing to the detection engine.
- Connect a fail-open kit, which consists of a bypass switch and a controller, to any GE monitoring port pairs on the Sensor. If a kit is attached to the Sensor, disabling the Sensor ports forces traffic to flow through the bypass switch, effectively pulling the Sensor
- For FE monitoring ports, there is no need for the external kit. Sensors with FE ports contain an internal tap; disabling the ports will send traffic through the internal tap, providing fail-open functionality.

Note that the Sensor will need to reboot to move out of L2 mode only if the Sensor entered L2 mode because of internal errors. (It does not need a reboot if the layer2 mode assert command was used to put the Sensor into L2 mode.) A Sensor reboot breaks the link connecting the devices on either side of the Sensor and requires the renegotiation of the network link between the two devices surrounding the Sensor. Depending on the network equipment, this disruption can range from a couple of seconds to more than a minute with certain vendors' devices. A very brief link disruption might occur while the links are renegotiated to place the Sensor back in in-line mode.

Issues and status checks for the Sensor
This section describes all issues and status checks specific to the Sensor.

Contents
- Health check of a Sensor
- Failover status check of a Sensor
- Signature or software update status
- Download or upload status
- Check the traffic status of a Sensor
- Conditions requiring a Sensor reboot
- Sensor does not boot
- Sensor stays in bad health
- Debugging critical Sensor issues
- Sensor response if its throughput is exceeded
- Sensor latency monitor management
- Management of different types of traffic
- Sensor failover issues
- XC cable connection issues for M8000 Sensors
- External fail-open kit issues in connecting to the monitoring port
- Fail-open kit related issues
- Debugging issues with Connection Limiting policies
- Issues with Quarantine

Health check of a Sensor
To see if your Sensor is functioning correctly, do one of the following:
- On the Sensor:
  - At the command prompt, type status. This displays system status (such as Operational Status, system initialization, signature version, trust, channel status, alert counts, and so on). The Sensor should be initialized and in good health.
  - At the command prompt, type show. This displays configuration information (such as Sensor image version, type, name, Manager and Sensor IP addresses, and so on).
- On the Manager: In the Manager Home page, view the System Health section. Manager status should be UP, and Sensor status should be ACTIVE. If you see system faults indicating that the Manager is down, see System Fault Messages to interpret the fault and, if necessary, take action to clear the fault.

Pinging a Sensor
The Sensor Management port responds only to 20 pings per second. This limited rate prevents the Sensor from being susceptible to a ping flood. To ping a Sensor Management port from multiple hosts, increase the time interval between pings.

Failover status check of a Sensor
To ensure that the two Sensors comprising a failover pair are communicating via their interconnection cable, go to each Sensor's CLI and type show failover-status. Failover should display as enabled (YES), and the peer Sensor should display as UP.

Cable failover through a network device
Do not connect the heartbeat cable through an external network device. To keep overhead low and throughput high, the Sensors do not include layer 2 or 3 headers on the packets they pass over the heartbeat connection, and they pass data larger than the standard Ethernet maximum frame size (1518 bytes). If you attempt to place a network device, such as a switch or router, between the heartbeat ports, the heartbeat connection will fail.

Signature or software update status
To see if your Sensor successfully received a signature update or software upgrade, you can use the status command as shown in the following procedure, or the downloadstatus command, described later in this chapter. To use the status command:

Task
1 On the Sensor, type status at the command prompt before updating the signature set on the Sensor. Note the signature version.
2 Update the signature set on the Sensor using the Manager screens.
3 On the Sensor, type status at the command prompt again after the update from the Manager is complete. Verify that the signature version number has incremented. The new signature version should match the signature set version that was updated from the Manager and applied to the Sensor.

Download or upload status
To see the progress of an upload or download, use the downloadstatus command. The downloadstatus command displays the status of various download/upload operations: signature, software image, and DoS profile downloads (from Manager to Sensor) and DoS profile and debug trace uploads (from Sensor to Manager). It also lists the number of times you have performed the operation, the status of your previous attempt to perform the operation (including, if the operation failed, the cause of failure), and the time the command was executed.
Do the following: On the Sensor, type downloadstatus at the command prompt.

Check the traffic status of a Sensor
Sensor statistics can be viewed in the Traffic Statistics page. Once on the Traffic Statistics page, you can choose from the following tabs, which display different types of Sensor statistics: Traffic Received/Sent, Flows, Dropped Packets, Advanced Malware Analysis, and Advanced Callback Detection.

Task
1 Click Devices | <Device Name> | Troubleshooting | Traffic Statistics.
2 Click a tab from the available tabs to obtain the required Sensor statistics.
3 Click Save as CSV to save and view the selected report in CSV format.
4 Follow a similar procedure and select other tabs under Sensor Performance to view the relevant Sensor statistics.

List of tabs for Sensor Statistics
- Traffic Received/Sent: You can view the statistics of the total number of packets received (Rx) and transmitted (Tx) for a given device per port. You can select the port for which you want to view the sent/received data from the Port drop-down list. The All Ports option is selected by default and displays information for all the ports. When you hover the mouse over a port in the Port drop-down list, a tip displays the status of the port as Link Up, Link Down, or Disabled.
- Flows: You can view the statistical TCP and UDP flow data processed by a device. Checking your flow rates can help you determine if your device is processing traffic normally. This also provides you with a view of statistics such as the available flows supported, as well as the number of active TCP and UDP flows.
- Dropped Packets: Using this tab, you can view the reason and the packet drop rate on a port for a device. The All Ports option is selected by default and displays information for all the ports.
- Advanced Malware Analysis: You can view the statistics of the malware detected for a given device. The By Malware Engine option displays the malware detected based on the malware engines configured for the device. The By File Type option displays data based on the file type analyzed.

- Advanced Callback Detection: You can view the count of alerts generated for various bot activities and other suspicious callback activity. This provides information on the amount of suspicious callback activity, and also on communication attempts to C&C servers.
- SSL Decryption statistics: Using this tab, you can view the following statistics for SSL decryption:
  - Sensor Statistics: This tab displays the counts for the following for SSL traffic:
    - Recycled SSL Flows: Total number of SSL flows that have not been recently used and have been freed by the Sensor.
    - SSL Flow Allocation Errors: Total number of SSL flows the Sensor could not allocate due to resource unavailability.
    - Skipped SSL Flows Due to Flow Allocation Errors: Total number of SSL flows that were skipped because the Sensor could not allocate new SSL flows due to resource unavailability and therefore could not process them.
    - Packets Received from Unknown SSL Flows: Total number of SSL packets received that did not have a corresponding SSL flow.
    - SSL Flows Using Unsupported Diffie-Hellman Cipher Suite: Total flows that used a Diffie-Hellman cipher suite to encrypt the SSL flow. The Sensor will not be able to detect attacks in these SSL connections.
    - SSL Flows Using Unsupported Export Cipher: Total flows in which an SSLv3/TLS export cipher was negotiated, which the Sensor cannot decrypt due to the use of an unsupported RSA cipher suite.
    - SSL Flows Using Unsupported or Unknown Cipher: Total flows where an unsupported or unknown cipher was used.
  - Internal Web Server Certificate Matches: This tab displays the count of unmatched and matched certificates for inbound SSL traffic.

Conditions requiring a Sensor reboot
The following situations either cause or require a Sensor reboot. You have two options for rebooting the Sensor: you can reboot the Sensor from the Manager interface, or you can issue the reboot CLI command. A Sensor reboot can take up to five minutes.
- Issuing the following CLI commands causes an automatic reboot of the Sensor: resetconfig, deletesignatures, factorydefaults. For more information on the Sensor CLI commands, see the McAfee Network Security Platform CLI Guide.
- Changing the Sensor's management port IP address (IPv4 or IPv6) requires a manual reboot of the Sensor before the change takes effect.
- Certain internal software errors can cause the Sensor to reboot itself. See the description of Sensor fault messages later in this chapter. For more information on the Operational Status Viewer, see the McAfee Network Security Platform Manager Administration Guide.
- Enabling/disabling SSL requires a Sensor reboot.

- Enabling/disabling parsing and detection of attacks in IPv6 traffic passing through the Sensor monitoring port requires a manual reboot of the Sensor. In the Manager user interface, you can enable/disable parsing and detection of attacks in IPv6 traffic with the Scan IPv6 traffic for attacks option on the IP Settings tab (Devices | <Device Name> | Setup | Advanced | IP Settings). For more information, see Configuring IP Settings for IPv4 and IPv6 traffic in the McAfee Network Security Platform IPS Administration Guide.
- Upgrading Sensor software requires a manual reboot of the Sensor.

Reboot a Sensor using the Manager
The Reboot Sensor action restarts a Sensor. You perform this action in the Manager interface. To reboot a Sensor, do the following:

Task
1 Select Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Maintenance | Reboot.
2 Click Reboot.

Reboot a Sensor using the reboot command
The reboot command restarts a Sensor. You perform this action in the Sensor CLI:

Task
1 At the prompt, type: reboot
2 Confirm the reboot.

Sensor does not boot
If you cannot get the Sensor to boot, try the following:
- Check to ensure that the Sensor is powered on.
- Check the LEDs on the front of the Sensor.
- Check the front panel LEDs to ensure that the Sensor temperature is normal. For more information on Sensor LEDs, see the McAfee Network Security Platform Sensor Product Guide for your Sensor model.
- If you receive the error message "OS not found" in the CLI, you might have a corrupted internal flash. If you see this error, contact Technical Support to obtain help in recovering the Sensor.

Sensor stays in bad health
In certain instances, the Sensor stays in a bad or uninitialized health state indefinitely. The bad health of the Sensor could be due to a signature file download failure, or an error while starting the Sensor. You can perform the following high-level troubleshooting steps to trace the error:
1 Execute the following commands and check the output for any errors:
  show status
  show sensor health
  show startup stats
2 Check if the hardware is connected correctly.

3 Check the InfoCollector tool for logs and the configuration backup.
4 Check if the issue is due to a signature file download failure. If it is due to this error, contact McAfee Support for further assistance.
5 Execute the show startup stats debug CLI command and check the output for any errors:
  IntruDbg#> show startup stats
  Controller not ready to send INIT_ACKs to datapaths and dos.
  initial READY msg : not yet received from datapaths and dos
  dos has sent INIT_DONE.
  datapath0 has not sent INIT_DONE.
  datapath1 has sent INIT_DONE.
  datapath2 has not sent INIT_DONE.
  datapath3 has not sent INIT_DONE.
  datapath4 has sent INIT_DONE.
  datapath5 has sent INIT_DONE.
  datapath6 has sent INIT_DONE.
  datapath7 has sent INIT_DONE.
  dos has not sent READY.
  datapath0 has not sent READY.
  datapath1 has not sent READY.
  sb1cpu0 has not sent READY.
  sb1cpu1 has not sent READY.
  sb2cpu0 has not sent READY.
  sb2cpu1 has not sent READY.
  sb3cpu0 has not sent READY.
  sb3cpu1 has not sent READY.
6 Try to power cycle, netboot, or reload the Sensor image.
7 Check if the issue is due to corrupt flash. Execute the flashcheck debug CLI command. Confirm that the output does not have any errors.
  Checking Flash may take more than 15 minutes and Sensor will go into Layer2 during command execution.
  Please enter Y to confirm:
  Checking Flash...
  Flash check successful. No errors in Flash
If the problem still persists, contact McAfee Support for further assistance.
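The show startup stats output above is the artifact a support case usually starts from, and reading it by eye across eight datapaths and six sub-CPUs is error-prone. The following script is an added example (not McAfee code) that parses output in the exact format printed in step 5 and reports which datapaths and CPUs have not reported INIT_DONE or READY. The sample text is copied from the guide's output; the line format the regular expression assumes ("<unit> has [not] sent INIT_DONE|READY.") is taken from that sample and is the only format it understands.

```python
import re

# Sample copied from the "show startup stats" output in the guide (step 5).
SAMPLE_OUTPUT = """\
Controller not ready to send INIT_ACKs to datapaths and dos.
initial READY msg : not yet received from datapaths and dos
dos has sent INIT_DONE.
datapath0 has not sent INIT_DONE.
datapath1 has sent INIT_DONE.
datapath2 has not sent INIT_DONE.
datapath3 has not sent INIT_DONE.
datapath4 has sent INIT_DONE.
datapath5 has sent INIT_DONE.
datapath6 has sent INIT_DONE.
datapath7 has sent INIT_DONE.
dos has not sent READY.
datapath0 has not sent READY.
datapath1 has not sent READY.
sb1cpu0 has not sent READY.
sb1cpu1 has not sent READY.
sb2cpu0 has not sent READY.
sb2cpu1 has not sent READY.
sb3cpu0 has not sent READY.
sb3cpu1 has not sent READY.
"""

# One status line per unit (dos, datapathN, sbNcpuN) and message type, as in the sample.
LINE_RE = re.compile(r"^(?P<unit>\S+) has (?P<neg>not )?sent (?P<msg>INIT_DONE|READY)\.$")


def parse_startup_stats(text):
    """Parse the command output into
    {'controller_ready': bool, 'units': {name: {'INIT_DONE': bool|None, 'READY': bool|None}}}.
    A value of None means the output said nothing about that message for that unit."""
    result = {"controller_ready": True, "units": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Controller not ready"):
            result["controller_ready"] = False
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt echo or informational lines such as "initial READY msg : ..."
        unit = result["units"].setdefault(m["unit"], {"INIT_DONE": None, "READY": None})
        unit[m["msg"]] = m["neg"] is None   # "has sent" -> True, "has not sent" -> False
    return result


def missing(stats, msg):
    """Units that explicitly reported NOT sending `msg`, in order of appearance."""
    return [name for name, s in stats["units"].items() if s[msg] is False]


def summarize(text):
    """Compact view of what is holding up initialization."""
    stats = parse_startup_stats(text)
    return {
        "controller_ready": stats["controller_ready"],
        "init_done_missing": missing(stats, "INIT_DONE"),
        "ready_missing": missing(stats, "READY"),
    }


def boot_complete(text):
    """True only if the controller is ready and no unit is still missing a message."""
    s = summarize(text)
    return s["controller_ready"] and not s["init_done_missing"] and not s["ready_missing"]


if __name__ == "__main__":
    s = summarize(SAMPLE_OUTPUT)
    print("controller ready:", s["controller_ready"])
    print("waiting for INIT_DONE from:", ", ".join(s["init_done_missing"]))
    print("waiting for READY from:", ", ".join(s["ready_missing"]))
    print("boot complete:", boot_complete(SAMPLE_OUTPUT))
```

Run it against output pasted from the Sensor console; the datapaths listed under INIT_DONE are the ones to name in the support case, and a non-empty list after a power cycle or image reload (step 6) points to the flash check in step 7.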

Debugging critical Sensor issues
CLI commands in debug mode are used to improve supportability of the Sensor for better debugging of critical issues. For more information on the CLI debugging commands, see the McAfee Network Security Platform CLI Guide.

Sensor response if its throughput is exceeded
Each Sensor model has a limited throughput. For example, the Network Security Platform M-2950 Sensor is rated at 1 Gbps performance. With the Gigabit interfaces it is theoretically possible to cross the limit. What happens in this situation? Will it throttle the throughput to 1 Gbps, or will you just lose the IPS functionality for everything above 1 Gbps? The answer is that the Sensor will drop packets irrespective of the TCP flow violation settings. There is also the latency monitor feature, with which the Sensor can inline-forward traffic without IPS inspection if it crosses the limit. There could also be false negatives, and the traffic might experience high latency. It is very important that you stay within the operating parameters of the device you deploy. If you are actually running at gigabit speeds, you should probably be running an M-3050, M-4050, M-6050, M-8000, NS9100, NS9200, or NS9300 Sensor, which all have a much higher throughput.

Sensor latency monitor management
All networks working from layer 2 through layer 7 experience some amount of latency. Latency monitor provides a means to reduce the latency introduced by the Sensor when the amount of traffic seen on the network substantially exceeds the Sensor capacity. Sensor latency can be due to various factors such as the policies configured, protocols, content, applications, type of traffic flowing through the Sensor, and so on. The Inspection Options policies configured also add to the latency. The following features consume Sensor resources, which results in latency:
- HTTP Response Traffic Scanning
- Advanced Malware Policies
- Traffic Inspection
- SSL decryption
- Callback Activity

The latency can be reduced or varied if Sensors detect the latency condition. Whenever there is latency in the network, the Sensor performs the following functions:
- Raises an alert in the Manager whenever there is latency in processing the packets
- Mitigates latency by switching to layer 2 mode

Latency monitor is available in all M-series and NS-series Sensor models. When configured, the latency monitor feature monitors the time consumed for processing the packets. If the number of packets for which processing time is high exceeds the threshold, then it is considered a latency condition. You can configure latency monitor in alert-only mode or layer 2 mode. When latency is detected, based on the configuration, an alert is raised in the Manager in alert-only mode. If it is configured for mitigation, the latency is mitigated before an alert is raised in the Manager. The latency monitor feature is disabled by default. The feature should be enabled only when there is latency in the network introduced by the Sensor. If the feature is kept enabled, then there is a possibility of some attacks not being detected by the Sensor.

To mitigate latency, the Sensor switches to layer 2 mode based on the sensitivity level configured. This takes less than a second after latency is detected. After latency is mitigated, the Sensor switches back to inline mode, depending on the time configured using the CLI command latency-monitor restore-inline. For example, if the latency-monitor restore-inline command is configured for 10 minutes, then the Sensor tries to switch back to inline mode (from layer 2) after 10 minutes. If the Sensor is not configured to return to inline mode automatically, then it has to be manually restored to inline mode from layer 2 mode using the CLI command latency-monitor restore-inline.

Network Security Platform provides latency monitoring at three different sensitivity levels. The sensitivity levels configured in latency monitor check for latency in two different stages:

Stage 1
- High sensitivity: Checks for latency in every incoming packet before processing.
- Medium sensitivity: Checks for latency in every alternate packet before processing.
- Low sensitivity: Does not check for latency.
In the above scenarios, if latency is not detected, the packets are forwarded for further processing to stage 2.

Stage 2
Once latency is detected, the packets are processed through multiple phases, taking optimized measures internally to handle high latency. If latency is mitigated by this process, then the Sensor returns to normal processing. If latency is not mitigated, then the Sensor switches to layer 2 mode, if so configured.

The time consumed for processing each packet is calculated when the packet is being processed by the Sensor. The calculations are based on the following parameters:
- Number of packets for which the latency is high
- Duration for which this latency condition persists
The duration for which the latency condition is monitored depends on the configured sensitivity level. Latency is detected based on the following sensitivity level thresholds:
- High sensitivity: If high latency is experienced for 1/6th of a second for every 50 packets
- Medium sensitivity: If high latency is experienced for 2/6th of a second for every 100 packets
- Low sensitivity: If high latency persists for 3/6th of a second for every 150 packets

When latency is detected, the Sensor switches to latency management mode and tries to mitigate latency by optimizing processes. During this mode, the situation is continuously monitored to check if the latency is mitigated. Optimization of processes may include turning off attack detection, with packets being forwarded without attack detection. The Sensor switches to layer 2 mode, if enabled, when latency is not mitigated even after running the optimization processes.

The following CLI commands for Oversubscription are deprecated:
- set oversubscription enable
- set oversubscription disable
- show oversubscription status
McAfee recommends that you use latency monitoring instead.
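The three sensitivity thresholds above decide how quickly a burst of slow packets takes the Sensor out of inspection, and the action and restore-inline settings described under Enable latency monitor decide what happens next. The following model is an added example (not McAfee code) that combines the two: it applies the guide's 50/100/150-packet windows with their 1/6, 2/6 and 3/6 second thresholds, the alert-only and put-in-layer2 actions, and the 10-60 minute restore-inline timer to a constructed traffic burst. The per-packet budget (1 ms) and the accounting rule (a window trips when the summed processing time of its over-budget packets reaches the threshold) are assumptions, because the guide does not publish the Sensor's internal accounting.

```python
"""Model of the latency monitor thresholds and actions described in the guide.
Added example, not McAfee code.  Assumptions (not product values): a packet is
'high latency' when its processing time exceeds BUDGET_S, and a window of N
packets trips the detector when the summed time of its high-latency packets
reaches the threshold."""

BUDGET_S = 0.001  # assumed per-packet processing budget (1 ms)

# Thresholds from the guide: (packets per window, seconds of high latency per window)
THRESHOLDS = {
    "high":   (50,  1 / 6),
    "medium": (100, 2 / 6),
    "low":    (150, 3 / 6),
}

ACTIONS = ("alert-only", "put-in-layer2")   # latency-monitor enable action <...>


class LatencyMonitor:
    def __init__(self, sensitivity="medium", action="alert-only", restore_inline_min=10):
        if sensitivity not in THRESHOLDS:
            raise ValueError(f"unknown sensitivity: {sensitivity}")
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        # latency-monitor restore-inline enable <10-60>; None models "restore-inline disable"
        if restore_inline_min is not None and not 10 <= restore_inline_min <= 60:
            raise ValueError("restore-inline accepts 10-60 minutes")
        self.window_size, self.threshold_s = THRESHOLDS[sensitivity]
        self.action = action
        self.restore_inline_min = restore_inline_min
        self.window = []          # processing times of packets in the current window
        self.mode = "inline"
        self.layer2_since = None  # wall clock (minutes) when layer 2 was entered
        self.alerts = []

    def observe(self, proc_time_s, now_min):
        """Account for one packet's processing time at wall clock `now_min` (minutes).
        Returns the Sensor mode after the packet: 'inline' or 'layer2'."""
        self.window.append(proc_time_s)
        if len(self.window) == self.window_size:
            high_s = sum(t for t in self.window if t > BUDGET_S)
            self.window.clear()
            if high_s >= self.threshold_s:
                self._latency_detected(now_min)
        self._maybe_restore_inline(now_min)
        return self.mode

    def _latency_detected(self, now_min):
        # Both actions raise an alert (seen on the Manager's System Faults page);
        # put-in-layer2 additionally bypasses the detection engine.
        self.alerts.append(f"high latency detected at t={now_min:.1f} min")
        if self.action == "put-in-layer2" and self.mode == "inline":
            self.mode = "layer2"
            self.layer2_since = now_min

    def _maybe_restore_inline(self, now_min):
        # restore-inline: leave layer 2 once the configured minutes have elapsed
        if (self.mode == "layer2" and self.restore_inline_min is not None
                and now_min - self.layer2_since >= self.restore_inline_min):
            self.mode = "inline"
            self.layer2_since = None


def simulate(sensitivity, action="put-in-layer2"):
    """Feed a constructed burst: 50 slow packets (4 ms each) followed by 100 fast
    packets (0.2 ms).  Returns (final mode, number of alerts raised)."""
    mon = LatencyMonitor(sensitivity, action)
    burst = [0.004] * 50 + [0.0002] * 100
    for i, t in enumerate(burst):
        mon.observe(t, now_min=i / 1000)   # whole burst fits in a fraction of a minute
    return mon.mode, len(mon.alerts)


if __name__ == "__main__":
    for level in THRESHOLDS:
        print(f"{level:>6}: mode={simulate(level)[0]}, alerts={simulate(level)[1]}")
```

The same 50-packet burst trips the high setting (0.2 s of slow processing in a 50-packet window exceeds 1/6 s) but not medium or low, whose larger windows dilute it with the fast packets that follow. That is the trade-off the text describes: a more sensitive setting reacts sooner but spends more time in layer 2 with detection bypassed, so the restore-inline timer matters as much as the sensitivity level.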

Enable latency monitor
You can use the following CLI commands to enable the latency monitor feature, set its sensitivity level, and check its status:

latency-monitor enable action
Enables latency monitoring in the Sensor and also specifies the action to be performed if high latency is observed in the Sensor. The following are the actions that can be specified in this command:
- alert-only: generates an alert when high latency is observed in the Sensor
- put-in-layer2: generates an alert and also forwards the traffic to layer 2
Alerts that are generated can be seen in the System Faults page in the Manager.
Syntax: latency-monitor enable action <alert-only | put-in-layer2>
This command should be executed with a parameter value, else the command is treated as invalid.
Example: latency-monitor enable action alert-only
If layer2-forward is enabled, it is necessary to set the layer 2 mode to be on. Otherwise the layer2-forward action does not get executed.

latency-monitor sensitivity-level
Configures the sensitivity level for latency management.
Syntax:
latency-monitor sensitivity-level high
latency-monitor sensitivity-level medium
latency-monitor sensitivity-level low

latency-monitor restore-inline
When high latency is observed on the Sensor and the latency monitor is configured, the Sensor remains in layer 2 until a layer2 mode deassert is invoked or the Sensor reboots. This command allows the Sensor to come out of layer 2 mode without a layer 2 deassert. The Sensor restores to inline from layer 2 if the following conditions are met:
- The latency monitor has put the Sensor in layer 2 mode.
- The Sensor is in good health. If the Sensor is in bad health, a deassert cannot be performed and the Sensor reboots.
- A substantial amount of time has lapsed, as configured using this command, since the Sensor went into layer 2 due to latency. The default time to trigger an automatic layer 2 deassert is 10 minutes.
If the latency continues to exist after the Sensor is restored to inline mode, the Sensor behaves according to the current setting of the latency monitor.
Syntax:
latency-monitor restore-inline enable <10-60>

19 Troubleshooting Network Security Platform Issues and status checks for the Sensor 1 latency-monitor restore-inline disable Parameter Description <10-60> The time in minutes to trigger the restore inline from layer 2. It is counted since the time the Sensor moved into layer 2 state due to high latency. The latency-monitor status command displays the status of the latency monitor feature, and the status of the restore-inline feature of the latency monitor. latency-monitor Disables the latency monitoring feature or displays the status of latency monitoring feature. Syntax: latency-monitor <disable status> Default Value: Latency monitoring feature is disabled by default. If disabled, latency monitoring feature does not generate any alert nor forward the traffic to layer 2 when high latency is observed. If latency monitoring is enabled, the following information is displayed. latency monitoring status (enable or disable) configured action (alert-only or layer2-forward) Management of different types of traffic Non-ethernet frames are forwarded without inspection. The following are the types of special traffic: Jumbo Ethernet frames ISL frames Jumbo ethernet frames Sensors respond differently to jumbo frames based on which ports are receiving them. The following Sensor models support jumbo frame parsing of up to 9,216 bytes (9 KB) of IP payload: IPS-VM100-VSS IPS-VM600, IPS-VM100 NS9300, NS9200, NS9100, NS7350, NS7250, NS7150, NS7300, NS7200, NS7100, NS5200, and NS5100. M-8000, M-6050, M-4050, and M Gigabit Sensor ports will inline forward jumbo frames that are greater than 9KB (9216 bytes) of IP payload and up to 9724 bytes. Frames with IP payload greater than 9724 bytes will be dropped on a 1 Gigabit port. However, 10 Gigabit Sensor ports will inline forward jumbo frames greater than 9KB (9216 bytes)of IP payload and up to 16KB (16384 bytes). Frames with IP payload greater than 16KB will be dropped on a 10 Gigabit port. 
Jumbo frame parsing is not supported on NS3200 and NS3100.

ISL frames

All McAfee Network Security Sensor (Sensor) models (running all Sensor software versions) pass ISL frames through the Sensor without IPS inspection.

Sensor failover issues

Checking the following connections and settings might resolve Sensor failover issues:

- The Sensor model and Sensor image version on both peer Sensors should be the same.
- The Sensor license and IPv6 status should be identical on the peer Sensors.
- Identify the interconnect port for the selected model, because the interconnect ports vary between models.
- Check the FO type setting on the Sensor. Failover creation fails if the FO type is set on the primary Sensor.
- The Sensor health status should be good and normal.

XC cable connection issues for M8000 Sensors

XC cable connection issues can occur in M8000 Sensors due to improper cabling of the XFP interconnect ports (XC2, XC3, XC5, and XC6). Check the following connections in the M8000 Sensors when facing such issues:

- One end of an LC-LC fiber-optic cable should be plugged into the XC2 port of the primary Sensor and the other end into the XC5 port of the secondary Sensor.
- One end of an LC-LC fiber-optic cable should be plugged into the XC3 port of the primary Sensor and the other end into the XC6 port of the secondary Sensor.

External fail-open kit issues in connecting to the monitoring port

External fail-open kit issues can occur due to disconnected network device cables, improper cabling, or port configuration. Checking the following connections might resolve the issue:

- Ensure that the cables are properly connected to both the network devices and the Bypass Switch.
- Ensure that the transmit and receive cables are properly connected to the Bypass Switch.
Fail-open kit related issues

Issues related to the fail-open kit in the customer's environment.

Applicable to Sensor models: M-series, NS-series

Problem scenarios

1 Reset the password and all the parameters to factory default
2 Passive fail-open does not bypass even though the fail-open kit Sensor is down/Sensor is rebooted
3 Passive fail-open does not come up and continuously flaps
4 Active fail-open does not come up and continuously flaps
5 Active fail-open to Sensor link flaps continuously

Data/Information Collection

1 Execute the following commands in the Sensor:
  show
  show inlinepktdropstat <port>
  status
  show sensor-load
  show intfport <port> (multiple times)
2 Check the following details:
  - Active fail-open type (model) and configuration
  - Cables and SFP type
  - Physical connection details (network topology)
  - Peer device port configuration
3 Trace the Sensor files.
4 Check the infocollector tool for the logs, including the configuration backup. (This is optional, in case the issue needs to be reproduced locally.)

Following are the troubleshooting steps for the various problem scenarios:

Problem 1: Reset the password and all the parameters to factory default

If you have forgotten the password and do not know the correct password at the login prompt, perform the following steps to reset the password and all the other parameters of the Active Fail-Open kit.

1 On the fail-open switch, press the PB0 push button for three seconds to enter the main menu shown in the display panel.
2 Short-press the PB0 push button to move to the next submenu in the list. Repeat this step until you reach the OP submenu.
3 Short-press the PB1 push button to select and view the options in the OP submenu.
4 Short-press the PB0 push button to move to the next option in the OP submenu. Repeat this step until you reach the DEFAULT option.
5 Short-press the PB1 push button to select the DEFAULT option. When the DEFAULT option is selected, it sets the factory default parameters. The display panel shows small lines ( _ ), which indicate that the factory default parameters were successfully set. As a result, the password is also reset to the default password.

Problem 2: Passive fail-open does not bypass even though the fail-open kit Sensor is down/Sensor is rebooted

1 Check if the Sensor is up and in a good state.
2 In the Physical Ports page of the Manager, check the following configurations:
  - Port is configured to Inline Fail Open - Passive
  - Appropriate media is selected, Copper/Fiber
  - Auto-Negotiate is selected
3 If the peer device port does not support MDIX, use an appropriate cable to bring up the link during the Sensor bypass. If it does not work, check the Passive Fail-Open Kit for any hardware issues.
4 While using the Passive Fail-Open Kit, make sure to disable STP on the peer device ports to avoid auto renegotiation. While using the Passive Fail-Open Kit, each Sensor port individually negotiates with its peer port initially when the Sensor is in inline mode. When the Sensor goes to bypass mode, the peer device ports re-negotiate with each other. Make sure to enable Portfast on peer devices to minimize the network outage.

Problem 3: Passive fail-open does not come up and continuously flaps

1 Check if the Sensor is up and in a good state.
2 In the Physical Ports page of the Manager, check the following configurations:
  - Port is configured to Inline Fail Open - Passive
  - Appropriate media is selected, Copper/Fiber
  - Auto-Negotiate is selected
  - Appropriate cable is used. The cable type should be Cat5e or above for copper, and single-mode/multi-mode for fiber, depending on the SFP used.
3 Check the control cable connection and the right controller port.
4 Check if the SFPs are according to McAfee's recommendations.
5 Check for bad/defective cables and SFPs.
6 Check if the peer device port is working and if the port settings are set to Auto-Negotiate.
7 Perform local port testing (by connecting the monitoring ports back to back).
8 Swap in working SFPs and cables from another port pair.
9 If all the above steps fail, RMA the Sensor.
Problem 4: Active fail-open does not come up and continuously flaps

1 Check if the Sensor is up and in a good state.
2 Use McAfee recommended transceivers (normal SFP for 1G, SFP+ for 10G, and QSFP for 10G ports).
3 Check the Active Fail-Open Kit monitoring port settings (specifically Auto-Negotiate and speed settings). They should be the same as on the Sensor monitoring ports and the peer device.
4 Perform local loopback port testing (by connecting the monitoring ports back to back).
5 Swap in working SFPs and cables from another port pair.
6 Check the load on the Sensor.
7 If all the above steps fail, RMA the Sensor.

Steps to configure and debug active fail-open

When configuring the Active Fail-Open Kit, in case of flapping issues, the configuration on the network peer ports must match the one on the Active Fail-Open Kit-Sensor monitoring port pair.

1 Ensure the power to the Optical Bypass Switch is on.
2 Using a DB-9 RS232 programming cable, connect a PC that is running HyperTerminal to the Optical Bypass Switch.
3 Launch terminal emulation software such as HyperTerminal, and set the following communication parameters:
  Bits per second:
  Flow control: None
  Stop bit: 1
  Parity: None
  Data bits: 8
4 Click OK. The CLI banner and login prompt are displayed.
5 Type the default username and password. (The default username and password is McAfee and is case sensitive.)
6 Once you are logged in, use the following commands in the table to configure and troubleshoot the Active Fail-Open Kit:

Command   Description
a         Set the timeout value. To set the timeout value, do the following:
          Type a and press Enter.
          TimeOut period (1-254 sec): Type the number of seconds between each heartbeat (1-254 seconds) and press Enter. Default = 1.
          Retry Count (1-254): Type the number of missed heartbeats allowed before the Bypass Switch enters the On mode. Default = 3.
          The Retry Count must be greater than or equal to the Timeout period.
b         Set Switch parameters. To set speed duplex and auto-negotiation, LFD, bypass detect: 1 = turn On, 0 = turn Off. Fail Mode Open/Close = 1. The LFD and Bypass detecting mode settings cannot be changed.
c         Set TAP mode. Type c and press Enter. Type 1 to set the tap mode On or 0 to set the tap mode Off. Default = Off.
d         Show configuration. Type d and press Enter. The following is displayed:
          LFD = On
          Fail Mode = Open
          Timeout Period = 1
          Bypass State = Off
          Bypass Detect = Off
          TAP Mode = Off
          Retry Count = 3
e         Show port status. Type e and press Enter. The following is displayed:
          Port A = Up/Down
          Port B = Up/Down
          Port 1 = Up/Down
          Port 2 = Up/Down
f         Set Switch name. Type f and press Enter. At the prompt, type the Switch name, which can be 8 characters long.
z         Reset to Factory Defaults.

Problem 5: Active fail-open to Sensor link flaps continuously

1 Check if the Sensor is up and in a good state.
2 Use McAfee recommended transceivers (normal SFP for 1G, SFP+ for 10G, and QSFP for 10G ports).
3 Check the Active Fail-Open Kit monitoring port settings (specifically Auto-Negotiate and speed settings). They should be the same as on the Sensor monitoring ports and the peer device.
4 Check the Sensor ports (by connecting the monitoring ports back to back).
5 Swap in working SFPs and cables from the other working port pair.
6 Swap in a working Active Fail-Open Kit to confirm whether a hardware problem exists.
7 Check the load on the Sensor to make sure that Sitera is dropping the HB packets from the Active Fail-Open Kit. To test if Sitera is dropping the HB packets, contact McAfee Support for further assistance.

Debugging issues with Connection Limiting policies

Connection Limiting policies consist of a set of rules that enable the Sensors to limit the number of connections a host can establish, or the connection rate. This section provides troubleshooting steps to resolve a few issues with Connection Limiting policies.

Before you begin

Check that the Connection Limiting policy is correctly configured.

- You can configure the Connection Limiting policy with the monitoring ports in SPAN, tap, or inline modes. The response actions differ for SPAN and tap modes: in these modes, the Sensor cannot block the connections or quarantine the hosts.
- The connections are limited based on the predefined threshold value. The threshold value is defined as connections per second or active connections. For example, if you define 1 connection per second as the threshold value, then 10 connections are allowed per 10 seconds. So, if there are 10 connections in the first second, all other connections from the second to the tenth second are dropped. On the other hand, if you have 1 connection in each second, all 10 connections until the tenth second are allowed.
- A Connection Limiting rule based on Protocol applies to both IPv4 and IPv6 traffic. A Connection Limiting rule based on McAfee GTI applies only to IPv4 traffic; GTI does not support IPv6 traffic.
- The Connection Limiting alert raised is IP: Too many TCP/UDP/ICMP sessions. This alert is present in the IPS Policies.

Perform these steps to configure a basic Connection Limiting policy.

Task

1 Go to Policy | <Admin Domain> | Intrusion Prevention | Policy Types | Connection Limiting Policies.
2 Click New and configure the rule properties, such as description and visibility.
3 Click Next; in the Connection Limiting Rules page, set the parameters such as state, direction, and response.

Figure 1-1 Connection Limiting Rule

4 Go to Policy | Intrusion Prevention | Policy Manager to apply the Connection Limiting policy on the Sensor interface. Make sure the IP: Too many TCP/UDP/ICMP sessions alert is enabled in the IPS policy that is applied on the Sensor interface.
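The threshold semantics described above (a 1 connection-per-second threshold allowing 10 connections per 10 seconds, SPAN/tap ports that can only alert, and the active-connection variant), as an added Python simulation that is not part of the McAfee guide. The fixed 10-second window and the per-host accounting are assumptions drawn from the guide's own example, not a statement of how the Sensor implements the rule.

```python
"""Added example (not from the McAfee guide): a simulation of the Connection
Limiting threshold semantics, so the expected allow/drop behaviour can be
worked out before comparing it with the Sensor's Conn Limiting Pkt Drop Count.

Assumptions (labelled, not stated by the guide): the connections-per-second
rule is modelled as a fixed 10-second window per source host with a budget of
threshold * 10 connections, which is the accounting the guide's example
describes; the Sensor's real implementation may differ.
"""
from collections import defaultdict

WINDOW_SECONDS = 10                                   # window used by the guide's example
ALERT_NAME = "IP: Too many TCP/UDP/ICMP sessions"     # alert raised by the rule
BLOCKING_RESPONSES = ("Alert & Drop Excess Connections",
                      "Alert & Deny Excess Connections")


class ConnectionRateLimiter:
    """'connections per second' threshold of one Connection Limiting rule."""

    def __init__(self, threshold_cps, response="Alert & Drop Excess Connections",
                 port_mode="inline"):
        self.threshold_cps = threshold_cps
        self.response = response
        self.port_mode = port_mode            # "inline", "span" or "tap"
        self._seen = defaultdict(int)         # (host, window) -> connections seen
        self._alerted = set()                 # (host, window) already alerted

    @property
    def budget(self):
        # 1 conn/s threshold => 10 connections allowed per 10-second window
        return self.threshold_cps * WINDOW_SECONDS

    def new_connection(self, host, t):
        """Return (action, alert) for a connection from host at time t (seconds)."""
        key = (host, int(t // WINDOW_SECONDS))
        self._seen[key] += 1
        if self._seen[key] <= self.budget:
            return "allow", None
        # Threshold exceeded: raise the alert once per host per window.
        alert = ALERT_NAME if key not in self._alerted else None
        self._alerted.add(key)
        # In SPAN/tap mode the Sensor can only alert; it cannot drop or deny.
        blocks = self.response in BLOCKING_RESPONSES and self.port_mode == "inline"
        return ("drop" if blocks else "allow"), alert


class ActiveConnectionLimiter:
    """'active connections' threshold: at most max_active open flows per host."""

    def __init__(self, max_active):
        self.max_active = max_active
        self._open = defaultdict(set)         # host -> set of open flow ids

    def open_flow(self, host, flow_id):
        if len(self._open[host]) >= self.max_active:
            return "drop"
        self._open[host].add(flow_id)
        return "allow"

    def close_flow(self, host, flow_id):
        self._open[host].discard(flow_id)


def simulate(limiter, arrivals):
    """Run (host, t) arrivals through a rate limiter; return per-action counts."""
    counts = {"allow": 0, "drop": 0, "alerts": 0}
    for host, t in arrivals:
        action, alert = limiter.new_connection(host, t)
        counts[action] += 1
        counts["alerts"] += 1 if alert else 0
    return counts


if __name__ == "__main__":
    # Constructed traffic: the guide's two scenarios with a 1 conn/s threshold.
    burst = [("10.0.0.5", 0.1 * i) for i in range(10)] + [("10.0.0.5", 5.0)]
    steady = [("10.0.0.6", float(s)) for s in range(10)]
    print("burst :", simulate(ConnectionRateLimiter(1), burst))   # 10 allowed, 1 dropped
    print("steady:", simulate(ConnectionRateLimiter(1), steady))  # all 10 allowed
```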

Troubleshooting Connection Limiting issues

After Connection Limiting policies are configured, you might see issues like:

- No alerts are raised in the Manager
- Excess packets are not dropped or denied
- Hosts are not quarantined

Connection Limiting rules can be configured with the responses Alert only, Alert & Drop Excess Connections, Alert & Deny Excess Connections, and Alert & Quarantine. Perform these steps to troubleshoot issues like alerts not raised in the Manager, excess packets not dropped or denied, or hosts not quarantined after the threshold value is reached.

1 Make sure that the Connection Limiting policy rules are configured and applied to the Sensor interface.
2 From the Sensor CLI, run the show inlinepktdropstat all command and check whether the Conn Limiting Pkt Drop Count is 0. If it is 0, the configured threshold value has not been reached. Alerts are triggered in the Manager only when the count reaches the threshold value.
3 Check whether the incoming traffic rate to the Sensor meets the Connection Limiting rule's threshold value. If it does not, send the corresponding traffic rate.
4 Set a lower threshold value and check the active connections or connections per second.
5 Check if there is a firewall ignore rule for the source IP address configured in the Connection Limiting rule.
  a Go to Policy | Intrusion Prevention | Policy Types | Firewall Policies | <Firewall Policy> | Access Rules.
  b Select a policy and click Edit to view the rules of that policy, or double-click the row of the policy.
  c On the Access Rules tab, check if the source IP address's Response is set to Stateless Ignore or Ignore.
6 Check if the source IP address configured in the Connection Limiting rule is part of the Quarantine Exceptions list. Go to Devices | Global | IPS Device Settings | Quarantine | Default Port Settings to check if the source IP address is quarantined.
Considerations for GTI connection limiting and XFF feature

When you configure GTI and XFF for a connection limiting rule:

- The Sensor cannot perform a GTI lookup on the XFF IP address. That is, GTI-based connection limiting does not work when the XFF feature is enabled.
- When the XFF feature is enabled, the Sensor expects that all HTTP flows have XFF data in the HTTP header.
- The Sensor supports connection limiting on XFF based on protocol-based connection limiting.

Alert Detection Matrix

The table summarizes how alerts are detected based on the connection limiting type and the XFF feature configuration.

Connection limiting type | XFF configuration | XFF or non-XFF tagged traffic sent to Sensor | Proxy IP reputation | XFF IP reputation | Alert detection
Protocol | Disabled | Without XFF | - | - | Yes
Protocol | Enabled | With XFF | - | - | Yes
Protocol | Enabled | Without XFF | - | - | No
GTI | Disabled | Without XFF | - | - | Yes
GTI | Enabled | With XFF | Low risk | High risk | No
GTI | Enabled | With XFF | High risk | Low risk | No
GTI | Enabled | Without XFF | - | - | No

Issues with Quarantine

Network Security Platform enables you to quarantine your network hosts when required. There are two ways to quarantine hosts:

- Configure the Sensor to quarantine hosts automatically when they generate specific attacks.
- Manually quarantine specific hosts that are listed in the Attack Log page. You can also manually add endpoints to quarantine from the Quarantine page.

You might see these issues while quarantining:

- You quarantine a host from the Attack Log, but the host is not listed in the Quarantine page and remains stuck.
- The Quarantine page has a host that is not deleted after the expiry time. You might also see an error when manually deleting a host from the Quarantine page.

To confirm if it is a quarantine issue, put the Sensor in Layer 2 or add the host IP address to the Quarantine Exceptions list and check if the issue is resolved. If the issue is not resolved, contact McAfee Support.

Issues and status checks for the Manager

This section describes issues and status checks specific to the Manager.

Contents
The Manager connectivity to the database
MySQL issues
Sensor not displayed in the resource tree
The Manager fails to start
The Manager interface does not work after JRE update
Message on loading the Manager does not disappear
Unable to log on to the Manager after typing credentials
Sections of the interface that do not load properly
Login button does not work
Automatic Windows update fails in the Manager

The Manager connectivity to the database

In the event that the Manager loses connectivity to the database (that is, the database goes down), the alerts are stored in a flat file on the Manager server.
When the database connectivity is restored, the alerts are stored in the database.

The Manager database is full

We recommend that the customer monitor the disk space on a continuous basis to prevent this from happening.

If the Manager database or disk space is full, the Manager is unable to process any new alerts or packet logs. In addition, the Manager might not be able to process any configuration changes, including policy changes and alert acknowledgement. In fact, the Manager might stop functioning completely. To rectify this situation, perform maintenance operations on the database, including deleting unnecessary alerts and packet logs. Furthermore, reevaluate database capacity planning and sizing, and monitor free space proactively.

The Manager is designed with various file and disk maintenance functions. You can archive alert and packet log data and then delete the data to free up disk space. It also provides a standalone tool for creating database backups that can be archived for emergency restoration. The Manager also provides disk maintenance alerts, which send proactive system fault messages when the Manager disk space reaches a threshold of 51%. The Manager generates the disk space warning fault for disk space utilization. The severity of this fault changes with the percentage of increase in the disk space utilization.

The Manager database fails to start

Below are some of the reasons for the Manager database failing to start.

- The Manager database process is already running. This can be checked by opening Windows Task Manager and looking for mysqld.exe with a memory footprint of hundreds of MB.
- Start the service "McAfee Network Security Manager Database" from the Services window. If the service has not started, check for the reason of failure in the <DBInstalldir>\data\<hostname>.err file.
- In the command prompt, navigate to <DBInstalldir>\bin and run "mysqld --console" manually. For a successful startup, a message is displayed as shown below:

  :05:04 [Note] mysqld: ready for connections.
  Version: ' enterprise-commercial-advanced-log' socket: '' port: 3306 MySQL Enterprise Server - Advanced Edition (Commercial)

  The version number and commercial license definition vary across Manager versions. To close the successful startup session, use CTRL-C. For an unsuccessful startup, the process shuts down abruptly, mentioning the error. If an unexpected database service shutdown occurs, check the <hostname>.err file for the possible reason. Also, during this unexpected shutdown, MySQL creates a minidump, mysqld.dmp, in the data directory. If required, this file can be used for further analysis.

MySQL issues

The common symptoms that occur if your database tables become corrupt:

- .myi or .myd errors reported in the ems.log file.
- Inability to acknowledge or delete faults in System Faults.
- When trying to view the packet log from the Attack Log, you receive the error message: No Packet log available for this alert at this time

If you think that your MySQL database tables have become corrupt, follow the instructions on verifying your tables, which are available in McAfee KnowledgeBase article KB (Go to and click Search the KnowledgeBase.)

Sensor not displayed in the resource tree

After adding the Sensor and establishing trust, if the Sensor is not displayed in the resource tree, perform the following troubleshooting steps:

Task

1 Capture traffic using Wireshark on the Manager.
2 Check if the Manager is receiving UDP response packets from the Sensor.
3 Configure the firewall to allow UDP traffic if response packets are not arriving.
4 Check if the Manager machine has multiple NIC cards. If yes, open <NSM_INSTALL_DIR>/bin/tms.bat and modify the following line to assign the relevant IP address, the one that is also used in the Sensor configuration:
5 Set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPIPaddress=""
6 Restart the Manager.

You can enable detailed debugging messages by modifying the <NSM_INSTALL_DIR>/config/log4j_ism.xml file, adding the following lines (or changing them if they already exist):

<category name="iv.core.discoveryservice"> <priority value="debug"/></category>
<category name="iv.core.sensorconfiguration"> <priority value="debug"/></category>

The Manager fails to start

Below are some of the common reasons for the Manager failing to start:

- The Manager Java process is already running. This can be checked by opening Windows Task Manager and looking for a java.exe with a memory footprint of hundreds of MB. Alternatively, install Sysinternals' Process Explorer to locate the Java process. If found, as indicated in the following image, it should be removed.

Figure 1-2 Check if Manager Java process is already running

In the command prompt, navigate to <NSMInstallationDirectory>/bin and run tms.bat manually. Then check for the conditions below.

- One of the TCP ports that the Manager binds to is in use. Use netstat -nab to list all ports in use. These netstat options also identify the executable that is binding to the port; that executable should be stopped.

Figure 1-3 Check netstats

- Check whether the logged-on user on the server has permissions to launch the McAfee Network Security Manager service. This can be found by right-clicking the service, selecting Properties, and then the Log On tab. If the logged-on user does not have permission to run the local service, the Manager does not start.

Figure 1-4 Check user permissions

- The server does not have enough RAM. The tms.bat file has a -Xmx<MaxHeap> setting that specifies the Java heap in MB that needs to be allocated to the process. If the server does not have that much RAM, the process does not start. Sometimes, especially on 32-bit machines when there are instances of heap exhaustion, you might try to increase the maximum heap setting to a larger value, assuming that the full 2000 MB is available. However, stack space and native libraries share memory in the same 2000 MB space, and the Java heap cannot be higher than 1170 MB. So, check that the -Xmx setting is not greater than 1170 MB if it is a 32-bit machine.
- The process fails to start with a classloader exception such as ClassNotFound. This typically indicates issues with the Manager installation. A fresh installation or upgrade, as appropriate, should resolve the issue.

Tasks
- Analyze memory-related issues on page 32

Analyze memory-related issues

Memory-related issues occur in the Manager when the amount of heap space allocated by the operating system, based on the JVM options (-Xms, -Xmx) specified in tms.bat, is not enough for the application to continue to behave in the desired manner. Typical symptoms include:

- Application not being responsive
- CPU usage of the Java process being high
- Application crashing or terminating
- Communication channels flapping between the Manager and the device, with channel connections being reset frequently
- Application not being able to start

The following logs are required for analysis:

- Infocollector logs (mainly ems, emsmem, aqcount, slowquery, and the DB err file).
- Thread stack trace and CPU usage using the stack trace, and live objects in heap memory space collected using the heap dump tool.

These logs are required before restarting the application, which is usually done to restore the application, unless it is a recurring issue; the heap dump tool or stack trace does not require a restart, and in most cases the memory leak might not be reproduced. Without these logs, an RCA would be extremely challenging.

Task

1 Establish that the JVM has experienced memory overload. This can be determined by searching the InfoCollector logs for the string OutOfMemoryError. The preferred way is to perform a global search in all the InfoCollector files whose file name starts with ems* (with wildcard), which can be done using text editors such as TextPad. If there are no search results, the JVM did not experience a memory issue because of the Manager application; it could be caused by other applications or some operating system DLLs. Check the JVM crash files.
2 If the above exception is present, check the emsmem logs to find the time of the memory issue and its frequency; most cases exhibit either a slow memory decrease, over a period of days or months, or a sudden decrease in memory.
3 After establishing the time of the memory leak, check the alert rate in the aqcount logs. The recommended value is a maximum of 60 alerts/sec; any value above this over a period of time can cause memory issues. The alert rate can be calculated from the aqcount logs using the following method:
  Look for an entry similar to " :27:52,012 AltQ:EPR-RCD: ". There are three pieces of information that need to be extracted: the timestamp (t1) ( :27:52,012), the alert received string (AltQ:EPR-RCD), and the alert count ( ).
  Now look for the next immediately occurring entry that contains "AltQ:EPR-RCD"; this entry will have an alert count greater by , so if the above example is considered then the alert count will be . Note the timestamp (t2) of this entry.
  Alert Rate = 300/(t2-t1)
4 Check the MySQL error logs to find if there are any error messages.
5 Check the slowquery logs to find out if there are any queries that are being called repeatedly and taking a considerable amount of time to execute (more than 5-10 minutes).
6 Search for all the error messages in the ems logs using the string "error", similar to the first step. Observe the error messages that occurred during the time interval of the memory leak.
7 If a heap dump (a .bin file with prefix 850heap or 1500heap) is available, it can be used in heap dump analyzer tools like MAT or VisualVM, which identify the suspects causing the memory leak.

The Manager interface does not work after JRE update

Problem/Symptom: The JRE on the client workstation was updated from version 1.6 to version 1.7, and now portions of the Manager interface do not work.

Potential Cause: Manager versions prior to and did not support JRE 1.7. If you want to run JRE 1.7, you must install a Manager version that supports Java version 1.7.
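The alert-rate calculation from step 3, as an added Python example that is not from the McAfee guide. It assumes log4j-style timestamps ("YYYY-MM-DD HH:MM:SS,mmm") and a running counter after AltQ:EPR-RCD, so the rate between consecutive entries is (count2 - count1)/(t2 - t1), which with the 300-alert increment the guide's formula assumes reduces to 300/(t2-t1); the log lines are constructed.

```python
"""Added example (not from the McAfee guide): compute the alert rate from
aqcount log entries the way step 3 describes, and flag intervals above the
recommended 60 alerts/sec.

Assumptions (labelled): the timestamp is log4j style "YYYY-MM-DD HH:MM:SS,mmm"
and the counter after "AltQ:EPR-RCD:" is a running total, so the rate between
two consecutive entries is (count2 - count1) / (t2 - t1); with the increment
of 300 that the guide's formula assumes this is 300/(t2-t1). The sample lines
below are constructed, not taken from a real Manager.
"""
import re
from datetime import datetime

RECOMMENDED_MAX_ALERTS_PER_SEC = 60.0

# Only "AltQ:EPR-RCD" entries carry the received-alert counter.
EPR_RCD = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) AltQ:EPR-RCD: (\d+)\b")

SAMPLE_AQCOUNT_LOG = """\
2018-06-11 10:27:52,012 AltQ:EPR-RCD: 1200
2018-06-11 10:27:52,400 AltQ:other-counter: 17
2018-06-11 10:27:57,012 AltQ:EPR-RCD: 1500
2018-06-11 10:27:59,512 AltQ:EPR-RCD: 1800
2018-06-11 10:28:29,512 AltQ:EPR-RCD: 2100
"""


def parse_epr_rcd(log_text):
    """Return [(timestamp, count), ...] for every EPR-RCD entry, in file order."""
    entries = []
    for line in log_text.splitlines():
        m = EPR_RCD.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            entries.append((ts, int(m.group(2))))
    return entries


def alert_rates(entries):
    """Alert rate (alerts/sec) between each pair of consecutive entries.

    Returns [(t1, t2, rate), ...]; zero-length or backwards intervals are
    skipped rather than producing a division by zero.
    """
    rates = []
    for (t1, c1), (t2, c2) in zip(entries, entries[1:]):
        seconds = (t2 - t1).total_seconds()
        if seconds <= 0:
            continue
        rates.append((t1, t2, (c2 - c1) / seconds))
    return rates


def intervals_over(rates, limit=RECOMMENDED_MAX_ALERTS_PER_SEC):
    """Intervals whose rate exceeds the recommended maximum."""
    return [r for r in rates if r[2] > limit]


if __name__ == "__main__":
    rates = alert_rates(parse_epr_rcd(SAMPLE_AQCOUNT_LOG))
    for t1, t2, rate in rates:
        flag = "  <-- above recommended maximum" if rate > RECOMMENDED_MAX_ALERTS_PER_SEC else ""
        print(f"{t1:%H:%M:%S} -> {t2:%H:%M:%S}: {rate:6.1f} alerts/sec{flag}")
```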

If you cannot upgrade the Manager to a version that supports 1.7, you must re-install Java 1.6 on your client system.

Remedy:

- If the Manager is version 7.1. or below, upgrade to version or higher; refer to the Network Security Platform M-series Release Notes.
- If you cannot upgrade the Manager to the version that supports Java 1.7, you need to re-install JRE 6.x. From 'Add Remove Programs', uninstall Java 7. Reconnect to the Manager and install the Java version when prompted.

Message on loading the Manager does not disappear

Problem/Symptom: A message is displayed stating "NSM is currently loading", but the message does not go away even after several minutes.

Potential Cause: The Manager server (Java) tries to establish connections to the web server. If any of the server communications are not established, the Manager does not start up properly. The problem might be due to:

- The Java process not running on the server/client.
- The client cannot talk to the server (blocked ports).
- The database not running on the server.
- The Manager server process not running on the appliance or in the Manager software.

Remedy: Verify that the service is started and running properly.

1 From the Start Menu search bar, type 'cmd' to open the command prompt with elevated privileges.
2 Run the command tasklist /FI "IMAGENAME eq java.exe" to verify if Java is running on the server.
3 Check the output for java.exe on the server to ensure that the memory usage is above 500 MB. If nothing is listed, the Manager service is not running.
4 Run the following commands on a command prompt to verify that ports 8501 to 8505 are open and actively listening:
  netstat -an | find "LISTENING" | find "8501"
  netstat -an | find "LISTENING" | find "8502"
  netstat -an | find "LISTENING" | find "8503"
  netstat -an | find "LISTENING" | find "8504"
  netstat -an | find "LISTENING" | find "8505"
5 Verify if MySQL is running by executing the command netstat -an | find "LISTENING" | find "3306".
6 Try to start the Manager manually by running tms.bat from <install path>/app/bin/. Look for error messages at the bottom of the output.
7 Check the bottom of the emsout.log file in <install path>/app/ for errors.
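Steps 3 to 5 above, together with the 1170 MB heap limit for 32-bit servers given under The Manager fails to start, as an added Python check that is not part of the McAfee guide; the netstat output and the tms.bat line it parses are constructed samples, and the standard Windows "netstat -an" column layout is assumed.

```python
"""Added example (not from the McAfee guide): check netstat -an output for the
Manager ports (8501-8505) and the MySQL port (3306), and check the -Xmx heap
setting in tms.bat against the 1170 MB limit the guide gives for 32-bit
servers.

Assumptions (labelled): the netstat text uses the standard Windows
"netstat -an" layout (Proto, Local Address, Foreign Address, State); both the
netstat output and the tms.bat line below are constructed samples, not
captured from a Manager.
"""
import re

MANAGER_PORTS = (8501, 8502, 8503, 8504, 8505)
MYSQL_PORT = 3306
MAX_HEAP_MB_32BIT = 1170

# Constructed "netstat -an" output: 8503 is not listening.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8501           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8502           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8504           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:8501          10.1.1.9:51022         ESTABLISHED
  TCP    [::]:8505              [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
"""

# Constructed tms.bat fragment with a heap larger than a 32-bit JVM allows.
SAMPLE_TMS_BAT = 'set JAVA_OPTS=%JAVA_OPTS% -Xms512m -Xmx1536m -Dfile.encoding=UTF-8'

NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
XMX = re.compile(r"-Xmx(\d+)([kKmMgG]?)")


def listening_ports(netstat_text):
    """TCP ports in LISTENING state, taken from the local address column."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_TCP.match(line)
        if m and m.group(3) == "LISTENING":
            # The port follows the last ':' for both IPv4 and [IPv6] addresses.
            ports.add(int(m.group(1).rsplit(":", 1)[1]))
    return ports


def missing_manager_ports(netstat_text):
    return sorted(set(MANAGER_PORTS) - listening_ports(netstat_text))


def mysql_listening(netstat_text):
    return MYSQL_PORT in listening_ports(netstat_text)


def xmx_megabytes(tms_bat_text):
    """-Xmx value from tms.bat in MB, or None if not set."""
    m = XMX.search(tms_bat_text)
    if not m:
        return None
    value, unit = int(m.group(1)), m.group(2).lower()
    factor = {"": 1 / (1024 * 1024), "k": 1 / 1024, "m": 1, "g": 1024}[unit]
    return value * factor


def diagnose(netstat_text, tms_bat_text, is_32bit):
    """Findings a support engineer would act on, as plain strings."""
    findings = []
    missing = missing_manager_ports(netstat_text)
    if missing:
        findings.append(f"Manager ports not listening: {missing}")
    if not mysql_listening(netstat_text):
        findings.append("MySQL (3306) is not listening")
    heap = xmx_megabytes(tms_bat_text)
    if heap is None:
        findings.append("no -Xmx setting found in tms.bat")
    elif is_32bit and heap > MAX_HEAP_MB_32BIT:
        findings.append(f"-Xmx is {heap:.0f} MB; 32-bit limit is {MAX_HEAP_MB_32BIT} MB")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_NETSTAT, SAMPLE_TMS_BAT, is_32bit=True):
        print("finding:", finding)
```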

Unable to log on to the Manager after typing credentials

Problem/Symptom: From the logon page, after typing the user name and password, the Manager application does not open. Only a blank page is displayed.

Potential Cause: The Manager requires the browser's pop-up blocker to be disabled or to have an exclusion configured.

Remedy: Disable the pop-up blocker, or create an exception for the Manager server IP address.

Table 1-1 Internet Explorer
To disable the pop-up blocker:
1 From the command prompt, execute Inetcpl.cpl. The Internet Properties window is displayed.
2 On the Privacy tab, deselect the Turn on Pop-up Blocker checkbox.
To add an exception to the pop-up blocker list:
1 From the command prompt, execute Inetcpl.cpl. The Internet Properties window is displayed.
2 On the Privacy tab, select the Turn on Pop-up Blocker checkbox.
3 Click Settings. The Pop-up Blocker Settings window is displayed.
4 In the Address of website to allow field, add the IP address or host name of the Manager to the list of allowed websites.

Table 1-2 Mozilla Firefox
To disable the pop-up blocker:
1 In Firefox, select Tools > Options and click the Content tab.
2 Deselect the Block pop-up windows checkbox.
To add an exception to the pop-up blocker list:
1 In Firefox, select Tools > Options and click the Content tab.
2 Select the Block pop-up windows checkbox.
3 Click Exceptions. The Allowed Sites - Pop-ups window is displayed.
4 In the Address of website field, add the IP address or host name of the Manager to the list of allowed websites.

Table 1-3 Google Chrome
To disable the pop-up blocker:
1 In Google Chrome, type chrome://chrome/settings/content in the address bar. The Content Settings window is displayed.
2 Select Allow all sites to show pop-ups.
To add an exception to the pop-up blocker list:
1 In Google Chrome, type chrome://settings/contentexceptions#popups in the address bar. The Content Settings window is displayed.
2 In the Hostname pattern field, add the IP address or host name of the Manager to the list of exceptions.

Sections of the interface that do not load properly

Problem/Symptom: Sections of the interface do not load properly, or a Java logo is displayed instead of the Manager interface.

Potential Cause: There might be a conflict with the version of Java running on the client machine. This happens during an upgrade to the Manager, to Java, or to any application that uses Java: an older or different version of Java might be loaded, causing the Manager to behave inconsistently. The Manager supports all minor versions of Java, either version 1.6 or 1.7. If you need to run Java version 1.7, you must run version or higher or the Manager version or higher. If the base Java version is supported (either version 1.6 or 1.7), there might be a version mismatch on your client machine. Clearing the cache ensures there is only one version on the endpoint. Also verify that only one version of Java is running on the client workstation.

Remedy: In the Control Panel, open the Java Control Panel. Refer to KB55469 at kc.mcafee.com to determine which Java version shipped with your version of the Manager. Try clearing the temporary files from the Java Control Panel:
1 In the Java Control Panel, click the Settings tab.
2 Click Delete Files.
3 Select the files to be deleted and click OK.
Uninstalling the currently installed client JRE allows the Manager to push the default shipped JRE back to the client and ensures that it is installed properly. To uninstall the current version, close all browser windows and use Add/Remove Programs to uninstall Java.

Login button does not work

Problem/Symptom: The Login button does not work.

Potential Cause: Internet Options are too restrictive.

Remedy: Verify the following Internet Explorer browser settings by executing Inetcpl.cpl from the command prompt. Either add the Manager IP address or host name to the trusted sites, or modify the security zone's settings to allow the required changes. To modify the settings:
1 Click the Security tab.
2 Click Custom Level and enable the following entries:
    Run ActiveX Controls & Plugins
    Script ActiveX Controls marked safe for scripting
    Downloads: File Download
    Scripting: Active Scripting

3 Click the Advanced tab and scroll down to the Security section.
4 Verify that the option Do not save encrypted pages to disk is deselected.

Automatic Windows update fails in the Manager

Problem/Symptom: The automatic Windows update fails and the Windows update log has the following error: Handler WARNING: DPX failed with 0x

Potential Cause: Proxy or firewall settings do not allow range requests.

Remedy: In the proxy server that you use, change the setting to allow range requests and ensure that the range value is wide. DPX (Delta Package Expander) is a Windows setting and is pre-set by default. It is recommended not to change or disable the DPX setting to fix this problem.

Issues and status checks for the Sensor and Manager in combination

This section describes issues and status checks when the Sensor and Manager are connected.

Contents
  Difficulties connecting Sensor and Manager
  Loss of connectivity between the Sensor and Manager
  DoS troubleshooting

Difficulties connecting Sensor and Manager

If you experience problems getting the McAfee Network Security Manager (Manager) and Sensor to communicate, see if one of the following situations might be the cause.

Network connectivity
Ensure that the Sensor and the Manager server have power and are appropriately connected to the network. Verify that the link indicator lights on both devices indicate an active link. Ping the Sensor and the Manager server to ensure that they are available on the network.

Inconsistency in Sensor and Manager configuration
Verify that the Sensor name entered in the CLI is identical to the one entered in the Manager. Ensure the same for the shared secret key value. If these values do not match, the two cannot communicate. The Sensor name is case sensitive.
Check the network addresses for the Manager, the Manager's gateway, and the Sensor to ensure that everything is configured correctly by typing show at the Sensor CLI prompt.

Software or signature set incompatibility
Verify that the Sensor software image, Manager software version, and signature set version are compatible. This information is provided in the release notes that accompany each product release. The Manager version must be higher than the Sensor software version. Refer to the release notes of both the Manager and the Sensor software to verify compatibility. For example, consider that your Manager version is and the Sensor is an NS-series Sensor on software version . Version for NS-series Sensors was released after Manager version . By referring to the release notes of Manager , you can verify that Manager can manage an NS-series Sensor on .

Firewall between the devices
If there is a firewall between the Sensor and the Manager server, make sure the devices can communicate by opening the appropriate ports. The ports used by the Manager server are listed in the McAfee Network Security Platform Installation Guide.

Management port configuration
If you experience problems getting your Sensor and Manager to communicate, it might be a communication issue between the Sensor's Management port and the network device to which it is connected. Check the Management Port Link indicator lights on the Sensor; if the link is down, see if any of the following suggestions enable connectivity.
  Check that the network device is online.
  Check the cable connecting the Sensor to the network device.
  Ensure that the port on the device to which the Management port is connected is enabled and active.
  The port speed and duplex mode of the two devices must match. For example, if the device connecting to the Sensor is not set to auto-negotiate, you must configure the Management port to use the same settings as that device. To troubleshoot this, use the set mgmtport command.
Check the link LEDs on the devices to see if communication is established, or use the show mgmtport command to show the link's status. Try each of these configuration options to see if one establishes a link:
1 If possible, set the other device's port configuration to auto-negotiate. (The Sensor is set to auto-negotiate by default.)
2 Using the set mgmtport command as described below in Set the management port speed and the duplex mode, try setting the speed and duplex of the Sensor to speed 100 and duplex half or full.
3 If no link is established, try speed 10 and duplex half or full.
4 If none of these attempts creates a link, try setting the port on the other device to a speed of 100, duplex half or full, and try step 2 again.
5 If this does not establish a link, do the same with the other device set to a speed of 10, duplex half or full, and try step 3 again.
6 If you are still experiencing difficulties, contact McAfee technical support.
The Management port on M-series Sensors also supports 1000 Mbps (1 Gbps). Use the set mgmtport auto command to establish a link to the connecting device (before doing this, make sure the other device's port speed is fixed to 1000 and that it is also set to auto-negotiate).

Set the management port speed and the duplex mode

Task
Set the speed of the Management port and whether the port should be half- or full-duplex. At the prompt, type:
    set mgmtport speed <10|100|1000> duplex <half|full>
where <10> indicates 10 Mbps, <100> indicates 100 Mbps, <1000> indicates 1000 Mbps, <half> indicates half-duplex, and <full> indicates full-duplex. 1000 Mbps is applicable only for M-series Sensors.
Example: set mgmtport speed 100 duplex half

Loss of connectivity between the Sensor and Manager

If you have previously established a connection between the Sensor and the Manager and the connection fails, try the following:
  Check network connectivity.
  View the system status on both the Manager and the Sensor.
  Check that the Management port on the Sensor is configured with the proper speed and duplex mode, as described in Management port configuration.
  Has the time been reset on the Manager server? The connection between the Sensor and the Manager server is secure, and this secure communication is time-sensitive, so the time on the devices should remain synchronized. You must set the time on the Manager server before you install the Manager software and never change the time on that machine. If the time changes on the Manager server, the Manager loses its connectivity with the Sensor and the Update Server. A time change could ultimately cause serious database errors. For more information, see the KnowledgeBase article KB (Go to and click Search the KnowledgeBase.)

How the Sensor handles new alerts during connectivity loss
The Sensor stores alerts internally until the connection is restored. Network Security Platform classifies and prioritizes events to ensure that the buffer is filled with the events most meaningful to an analyst. The following table lists the number of alerts that can be stored locally on the Sensor.
Number    Alert type
          Signature based alerts
2500      Throttled alerts (with source and destination IP information)
2500      Compressed throttled alerts (alerts with no source and destination IP information)
2500      Statistical or anomaly DoS
2500      Throttled DoS alerts
1000      Host sweep alerts
1000      Port scan alerts

Once the connection from the Sensor to the Manager has been re-established, the queued alerts are forwarded to the Manager, so the customer retains them even if connectivity is disrupted for some time.

If the buffer fills up before connectivity is restored, the Sensor drops new alerts, but if blocking is enabled, the Sensor continues to block irrespective of its connectivity with the Manager.

DoS troubleshooting

Issues related to DoS alerts.
Applicable to Sensor models: M-series, NS-series

Problem scenario
DoS alerts raised in Network Security Manager.

Data/Information Collection
1 Execute show dospreventionprofile <dos-measure-name> <inbound|outbound> on the Sensor.
2 Trace the Sensor files.

Troubleshooting Steps
1 Check the source IP profile learned for each of the packet types. Execute the following commands:
    show dospreventionprofile tcp-syn <inbound|outbound>
    show dospreventionprofile tcp-syn-ack <inbound|outbound>
    show dospreventionprofile tcp-rst <inbound|outbound>
    show dospreventionprofile udp <inbound|outbound>
    show dospreventionprofile icmp-echo <inbound|outbound>
    show dospreventionprofile icmp-echo-reply <inbound|outbound>
    show dospreventionprofile icmp-non-echo-echoreply <inbound|outbound>
    show dospreventionprofile ip-fragment <inbound|outbound>
    show dospreventionprofile non-tcp-udp-icmp <inbound|outbound>
Check the bins for the long-term average traffic rate and short-term average traffic rate values. An alert is raised when the short-term traffic rate is higher than the long-term traffic rate.

2 Check the bins that are blocked. A sample of the source IP profile during the detection stage, which indicates the blocked bins, is shown in the figure.

3 If many DoS alerts are raised frequently for a particular IP, it could be a false positive. The reason could be that the profile of that IP has not been learned properly.
4 For volume related alerts (for example, if the inbound UDP volume is too high), check whether the IP is missing in the alert details. To check the alert details, navigate to Analysis > <Admin Domain Name> > Attack Log and double-click the alert.

Solution
Relearn the profile to resolve the issue.

DoS scenarios
The observed value is calculated using the following formula:
    Observed value = collected count * (threshold duration / collected duration)
When there is a burst of traffic and the threshold is reached, the Sensor starts collecting the DoS IP information. This results in the packet count showing as zero, whereas the actual observed value is very high. This works in accordance with the design. Similarly, in some scenarios the packet count is a non-zero value whereas the actual observed value is zero. This happens when the traffic has stopped but the DoS IP collection and attack detection are still in progress.

Issues and status checks for the Sensor and other devices in combination

This section describes issues and status checks that involve a Sensor and any other devices, including third-party devices, that can be added.

Connectivity issues between the Sensor and other network devices

The most common Sensor problems relate to the configuration of the speed and duplex settings. Speed determination issues can result in no connectivity between the Sensor and the switch.

Duplex mismatches
A duplex mismatch (for example, one end of the link in full-duplex and the other in half-duplex) can result in performance issues, intermittent connectivity, and loss of communication. It can also create subtle problems in applications. For example, if a web server is talking to a database server through an Ethernet switch with a duplex mismatch, small database queries might succeed while large ones fail due to a timeout.

Manually setting the speed and duplex to full-duplex on only one link partner generally results in a mismatch. This common issue results from disabling auto-negotiation on one link partner while the other link partner defaults to a half-duplex configuration, creating a mismatch. This is why speed and duplex cannot be hard-coded on only one link partner. If your intent is not to use auto-negotiation, you must manually set both link partners' speed and duplex settings to full-duplex.

Valid auto-negotiation and speed configurations
The table below summarizes all possible settings of speed and duplex for Sensors and Cisco Catalyst switch ports.

Table 1-4 Speed Configurations
Columns: Network Security Platform configuration, 10/100/1000 port (Speed/Duplex) | Switch configuration (Speed/Duplex) | Resulting Sensor (Speed/Duplex) | Resulting Catalyst (Speed/Duplex) | Comments

100 Mbps Full-duplex | 1000 Mbps Full-duplex | No Link | No Link | Neither side establishes a link, due to speed mismatch.
100 Mbps Full-duplex | AUTO | 100 Mbps Full-duplex | 100 Mbps Full-duplex | Correct configuration.
100 Mbps Full-duplex | 1000 Mbps Full-duplex | 100 Mbps Full-duplex | 100 Mbps Full-duplex | Correct manual configuration.
100 Mbps Half-duplex | AUTO | 100 Mbps Half-duplex | 100 Mbps Half-duplex | Link is established, but the switch does not see any auto-negotiation information from Network Security Platform and defaults to half-duplex when operating at 10/100 Mbps.
10 Mbps Half-duplex | AUTO | 100 Mbps Half-duplex | 100 Mbps Half-duplex | Link is established, but the switch does not see Fast Link Pulse (FLP) and defaults to 10 Mbps half-duplex.
10 Mbps Half-duplex | 1000 Mbps Half-duplex | No Link | No Link | Neither side establishes a link, due to speed mismatch.
Gigabit auto-negotiation (no link to connected device)
Gigabit Ethernet has an auto-negotiation procedure that is more extensive than the one used for 10/100 Mbps Ethernet (per the Gigabit auto-negotiation specification IEEE 802.3z-1998). Gigabit auto-negotiation negotiates flow control, duplex mode, and remote fault information. You must either enable or disable link negotiation on both ends of the link; both ends must be set to the same value or the link will not connect. If either device does not support Gigabit auto-negotiation, disabling Gigabit auto-negotiation forces the link up.

Troubleshooting a duplex mismatch with Cisco devices
When troubleshooting connectivity issues with Cisco switches or routers, verify that the Sensor and the switch or router are using a valid configuration. The show intfport <port> command on the Sensor CLI helps reveal errors.

Sometimes there are duplex inconsistencies between Network Security Platform and the switch port. Symptoms include poor port performance and frame check sequence (FCS) errors that increment on the switch port. To troubleshoot this issue, manually configure the switch port to 100 Mbps, half-duplex. If this action resolves the connectivity problems, you might be running into this issue; contact Cisco's TAC for assistance.

Use the following commands to verify fixed interface settings on some Cisco devices that connect to Sensors:
  Cisco PIX Firewall: interface ethernet0 100full
  Cisco CSS: interface ethernet-3 phy 100Mbits-FD
  Cisco Catalyst 4000, 5000, 6000 series (native): set port speed 1/1 100 and set port duplex 1/1 full

Connectivity issues with Cisco S switch
Use the following ports when connecting a Cisco S switch to your Sensor: 3, 4, 7, 8, 11, or 12. Connections using ports 1, 2, 5, 6, 9, or 10 might cause network issues, namely an inconsistent delay of packets.

Explanation of CatOS show port command counters

Counter: Alignment Errors
  Description: Alignment errors are a count of the number of frames received that do not end with an even number of octets and have a bad CRC.
  Possible causes: Collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames that do not end on an octet boundary and have a bad FCS.

Counter: FCS
  Description: The FCS error count is the number of frames that were transmitted or received with a bad checksum (CRC value) in the Ethernet frame. These frames are dropped and not propagated onto other ports.
  Possible causes: Collisions at half-duplex, duplex mismatch, bad hardware (NIC, cable, or port), or a connected device generating frames with a bad FCS.

Counter: Xmit-Err
  Description: This is an indication that the internal transmit buffer is full.
  Possible causes: Excessive input rates of traffic, or the transmit buffer being full. The counter should only increment in situations in which the switch is unable to forward out the port at the desired rate. Situations such as excessive collisions and 10 Mb ports cause the transmit buffer to become full. Increasing the speed and moving the link partner to full-duplex should minimize this occurrence.

Counter: Rcv-Err
  Description: This is an indication that the receive buffer is full.
  Possible causes: Excessive output rates of traffic, or the receive buffer being full. This counter should be zero unless there is excessive traffic through the switch. In some switches, the Out-Lost counter has a direct correlation to Rcv-Err.

Counter: UnderSize
  Description: Frames that are smaller than 64 bytes (including FCS) and have a good FCS value.
  Possible causes: A bad frame generated by the connected device.

Counter: Single Collisions
  Description: The number of times the transmitting port had one collision before successfully transmitting the frame to the media.
  Possible causes: A half-duplex configuration.

Counter: Multiple Collisions
  Description: The number of times the transmitting port had more than one collision before successfully transmitting the frame to the media.
  Possible causes: A half-duplex configuration.

Counter: Late Collisions
  Description: A late collision occurs when two devices transmit at the same time and neither side of the connection detects a collision. This happens because the time to propagate the signal from one end of the network to the other is longer than the time to put the entire packet on the network; the two devices that cause the late collision never see that the other is sending until after each has put the entire packet on the network. Late collisions are detected by the transmitter after the first time slot of the 64-byte transmit time has passed, so they are only detected during transmissions of packets longer than 64 bytes. Detection is exactly the same as for a normal collision; it just happens later.
  Possible causes: Faulty hardware (NIC, cable, or switch port) or a duplex mismatch.

Counter: Excessive Collisions
  Description: The number of frames that are dropped after 16 attempts to send the packet resulted in 16 collisions.
  Possible causes: Over-utilization of the switch port at half-duplex, or a duplex mismatch.

Counter: Carrier Sense
  Description: Carrier sense occurs every time an Ethernet controller wants to send data; the counter is incremented when there is an error in the process.
  Possible causes: Faulty hardware (NIC, cable, or switch port).

Counter: Runts
  Description: Frames smaller than 64 bytes with a bad FCS value.
  Possible causes: Collisions, a duplex mismatch, or an IEEE 802.1Q (dot1q) or Inter-Switch Link Protocol (ISL) configuration issue.

Counter: Giants
  Description: Frames greater than 1518 bytes that have a bad FCS value.
  Possible causes: Faulty hardware, or a dot1q or ISL configuration issue.

Auto-negotiation
Auto-negotiation issues typically do not result in link establishment issues. Instead, they mainly result in a loss of performance. When auto-negotiation leaves one end of the link in, for example, full-duplex mode and the other in half-duplex (also known as a duplex mismatch), errors and re-transmissions can cause unpredictable behavior in the network, leading to performance issues, intermittent connectivity, and loss of communication. Generally these errors are not fatal (traffic still makes it through), but locating and fixing them is a time waster.
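The counter table above is most useful when read as deltas: a counter that keeps growing between two readings points at a live problem, a static one at history. The following is an added example, not from the McAfee guide or from Cisco, that diffs two snapshots of a CatOS show port counters style table and maps the counters that are still incrementing to the possible causes listed above. The port id 3/1, the counter values, and the exact column names are constructed for the example.

```python
"""Added example (not from the McAfee guide): diff two snapshots of a CatOS
'show port counters' style table and map the counters that are still
incrementing to the likely causes listed in the counter table above.

The snapshots are constructed for this example (port 3/1 and all values
are invented); the column names follow the table, not a specific CatOS release.
"""

# Constructed snapshot taken first.
BEFORE = """\
Port  Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize
3/1          12      340         0        0          0
Port  Single-Col  Multi-Coll  Late-Coll  Excess-Col  Carri-Sen  Runts  Giants
3/1         1200         310         45           0          0    210       0
"""

# Constructed snapshot taken a few minutes later: FCS errors, late collisions
# and runts grew while the ordinary collision counters stayed flat.
AFTER = """\
Port  Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize
3/1          12      912         0        0          0
Port  Single-Col  Multi-Coll  Late-Coll  Excess-Col  Carri-Sen  Runts  Giants
3/1         1200         310        130           0          0    690       0
"""

# Counters the table ties to a duplex mismatch (besides faulty hardware).
MISMATCH_COUNTERS = ("Align-Err", "FCS-Err", "Late-Coll", "Excess-Col", "Runts")
# Counters that grow on a healthy half-duplex link.
COLLISION_COUNTERS = ("Single-Col", "Multi-Coll")
# Counters the table ties to dot1q/ISL configuration when no collisions occur.
TRUNK_COUNTERS = ("Runts", "Giants")


def parse_counters(text):
    """Turn header/value line pairs into a {counter: value} dict for one port."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    counters = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        names = header.split()[1:]   # drop the 'Port' column label
        nums = values.split()[1:]    # drop the port id (3/1)
        counters.update(zip(names, map(int, nums)))
    return counters


def counter_deltas(before, after):
    """Return only the counters that grew between the two snapshots."""
    old, new = parse_counters(before), parse_counters(after)
    return {k: v - old.get(k, 0) for k, v in new.items() if v > old.get(k, 0)}


def diagnose(before, after):
    """Apply the table's possible causes to the incrementing counters."""
    deltas = counter_deltas(before, after)
    collisions = any(c in deltas for c in COLLISION_COUNTERS + ("Late-Coll",))
    findings = []
    if any(c in deltas for c in MISMATCH_COUNTERS):
        findings.append("duplex mismatch or faulty hardware (NIC, cable, port): "
                        "compare show intfport on the Sensor with the switch port")
    if "Xmit-Err" in deltas:
        findings.append("transmit buffer full: excessive input rate or collisions; "
                        "raise the speed or move the link partner to full-duplex")
    if "Rcv-Err" in deltas:
        findings.append("receive buffer full: excessive traffic through the switch")
    if any(c in deltas for c in TRUNK_COUNTERS) and not collisions:
        findings.append("runts/giants without collisions: check dot1q or ISL configuration")
    if not findings and collisions:
        findings.append("only collision counters grew: half-duplex link operating normally")
    return deltas, findings


if __name__ == "__main__":
    grown, notes = diagnose(BEFORE, AFTER)
    print("incrementing counters:", grown)
    for note in notes:
        print("-", note)
```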

Situations that might lead to auto-negotiation issues
Auto-negotiation issues with the Sensor might result from a nonconforming implementation, hardware incapability, or software defects. Generally, if the switch used with the Sensor adheres to the IEEE 802.3u auto-negotiation specification and all additional features are disabled, auto-negotiation should properly negotiate speed and duplex, and no operational issues should exist. Problems might arise when vendor switches or routers do not conform exactly to IEEE 802.3u. Vendor-specific advanced features that are not described in IEEE 802.3u for 10/100 Mbps auto-negotiation (such as auto-polarity or cabling integrity) can also lead to hardware incompatibility and other issues.

DNS connectivity and reputation issues

DNS connectivity
DNS connectivity from the Sensor sometimes has issues due to incorrect configuration or an incorrect DNS server IP address. You can view the DNS connectivity fault in the System Faults page in the Manager. The Device DNS server connectivity status faults are generated by the Sensor whenever there is an issue with DNS connectivity.

Figure 1-5 DNS server connectivity warning fault
Figure 1-6 GTI server connectivity critical fault

You can perform the following high-level troubleshooting steps to solve the connectivity problem:
1 Check Devices > <Admin Domain Name> > Global > Common Device Settings > Name Resolution for the global level setting in the Manager to see whether the parent domain has the primary and secondary DNS server information entered correctly.
Figure 1-7 Global level DNS server setting
2 If the global setting has the correct information, check the Devices > <Admin Domain Name> > Devices > <Device Name> > Setup > Name Resolution device level setting to see whether it inherits the global settings. Make sure that Inherit Settings? is selected and also check that the inherited information is correct.
Figure 1-8 Device level DNS server setting
If the connectivity problem persists, contact McAfee Support for further assistance.

GTI file reputation

In case of any errors in file reputation analysis, you can perform the following high-level troubleshooting steps:
1 Check whether malware detection is enabled in Policy > <Admin Domain Name> > Intrusion Prevention > Policy Types > Advanced Malware Policies.
2 For file reputation, the request is sent for bad file reputation. The file is sent as an MD5 checksum in DNS requests. If there is no response from the DNS, check the DNS connectivity. If DNS connectivity has any issues, perform the high-level steps under DNS connectivity to solve the problem. If DNS connectivity is working correctly, there will be a response for the file reputation request. Confirm the connectivity by executing the show malwareenginestats CLI command and checking its output. In the malware statistics for the GTI file reputation engine, Number of files sent and Number of response Received should show an increase compared with the numbers before the reputation request was sent.

    Malware Statistics for GTI File Reputation Engine
    Number of files sent:
    Number of response Received: 9377
    Number of files ignored: 1755
    Number of files with malware score clean: 0
    Number of alerts with malware score very low: 37
    Number of alerts with malware score low: 0
    Number of alerts with malware score medium: 0
    Number of alerts with malware score high: 0
    Number of alerts with malware score very high: 1233
    Number of alerts with malware score unknown: 8051
    Total number of alerts sent: 1233
    Total number of attacks blocked: 1233
    Total number of TCP resets sent: 1233

If the connectivity problem persists, contact McAfee Support for further assistance.

GTI IP reputation
When a SYN packet is seen, the Sensor checks whether IP reputation is enabled for that port/protocol. When it is enabled, the Sensor sends a query to the management process.
The first flow is always allowed to pass through, since the reputation score is not yet available. After a reputation score is assigned to the packet, the score is updated to the Sensor. Subsequent flows from the same IP address are marked with the reputation score in the header for lookup in the datapath processor. The source IP is checked for inbound flows and the destination IP for outbound flows, even though the entire 5-tuple is passed in the query.

The Sensor connectivity status with GTI server critical fault is generated by the Sensor in the Manager whenever the GTI server has connectivity issues to the Sensor.

Figure 1-9 Sensor connectivity fault

You can perform the following high-level troubleshooting steps to solve the connectivity problem:
1 Check whether a proxy configuration is required. If the organization has a firewall or proxy between the Sensor management port and the cloud, the proxy has to be configured, with a username and password if required. You can configure the proxy server under Manager > <Admin Domain Name> > Setup > Proxy Server.
2 Port 443 should not be blocked on the management port network.
3 Check Devices > <Admin Domain Name> > Global > Common Device Settings > Name Resolution for the global level setting in the Manager to see whether the parent domain has the primary and secondary DNS server information entered correctly.
If the connectivity problem persists, contact McAfee Support for further assistance.

Issues and status checks for 40 Gigabit Active Fail-Open Bypass Kit

This section describes all issues and status checks specific to the 40 Gigabit Active Fail-Open Bypass Kit.

Contents
  Unable to login to the system due to credential related issue
  Active fail-open kit does not work after login
  Packets getting dropped or network latency issues
  Active fail-open kit module is stuck in Bypass Mode
  ALM LED is stuck on RED
  Additional troubleshooting tips

Unable to login to the system due to credential related issue
To reset the login credentials, do the following:
1 Connect an RS232 (RJ45) cable to the console port of the active fail-open kit chassis.
2 Press the M1 and M3 buttons on the chassis for 10 seconds. This resets the parameters to the default settings.

3 Log in to the active fail-open kit chassis using the default username and password. The default username and password are both McAfee00.
4 Configure the basic settings like IP address, netmask, gateway, and web connectivity.

Active fail-open kit does not work after login
After the initial install, if you are facing the following issues with the active fail-open kit:
The network or monitor links do not come up.
The active fail-open kit does not go to inline or bypass mode.
Reset the active fail-open kit to factory default settings using the following steps:
1 Check the fiber cable and transceiver connections.
2 If the connections are proper, connect an RS232 (RJ45) cable to the console port of the active fail-open kit chassis.
3 Execute the set_default CLI command. This resets the parameters to default settings.
4 Log in to the active fail-open kit chassis using the default username and password. The default username and password are both McAfee00.
5 Configure the basic settings like IP address, netmask, gateway, and web connectivity.
6 Confirm that the links are up and the active fail-open kit is functioning properly.
7 If resetting the active fail-open kit does not fix the issue, RMA the module.

Packets getting dropped or network latency issues
Troubleshoot the issue by doing the following:
1 Force the Sensor into Bypass mode from the web interface:
a Log in to the web interface.
b Go to the Bypass page.
c In the Bypass page, set HB active mode to OFF.
d Set Active Bypass to Bypass mode.
e Click Apply.
Monitor the network traffic. If the issue persists, troubleshoot the Sensor in your environment to resolve the issue. If the issue does not persist, go to the next step.
2 In the Bypass page, set HB active mode to ON.
3 Put the Sensor in layer 2 mode using the layer2 mode assert command from the Sensor CLI.
4 Monitor the network traffic. If the issue persists, the issue is with the Sensor.

Active fail-open kit module is stuck in Bypass Mode
Links between the Sensor and the active fail-open module (Mon0/Mon1) are up, but the Sensor is not receiving any traffic from the active fail-open module. When this occurs, the BYP/TAP/DISC LED is amber and the INLINE LED is off. You can troubleshoot the issue using either of two methods.
At the CLI, run the following commands:
1 get_hb_act_mode - If HB active mode is off, enter the next command.
2 get_bypass_mode - If the Active state is bypass, enter the next command.
3 set_hb_act_mode on
4 set_bypass_mode inline

From the web interface:
1 Check if the Active State is Inline, Bypass, or Tap.
2 Check if the Appl State is unknown. This means that the module is in forced bypass state.
3 In the Bypass page, confirm that HB active mode is set to ON.

ALM LED is stuck on RED
To reset the ALM LED, do the following:
1 Confirm that all the faults have been cleared.
2 At the CLI, run the following commands:
get_dev_state - Displays the current state of the device.
get_power_state - Displays the current state of the power supply.

reset_err - Resets the ALM LED. Run this command if the fan faults and power supplies have been corrected via RMA. If FAN FRUs or power supplies have been hot inserted, the reset_err command will not clear the faults. A system reboot (type reboot) is required to clear the faults.
get_log - Displays the faults that are triggered or are being triggered.

Additional troubleshooting tips
Power settings
Press and hold the PWR button for at least 4 seconds to do a power cycle.
Press and hold the PWR button for at least 8 seconds to do a power shutdown.
System reset
Press and hold the RST button for at least 1 second to do a system reset.
Force active fail-open bypass Kit module to Bypass or Tap mode
1 From the web client, go to the Bypass tab.
2 Click the HB active mode drop-down and select off.
3 Click the Active Bypass drop-down and select bypass or tap.
4 Click Apply.
CLI attributes
After logging into the active fail-open bypass Kit CLI, depending on your access level you will see one of the two login prompts:
Info.m1s1.40g: AFO$
Ctrl.m1s1.40g: AFO$
The description of each parameter is given below:

Parameter - Definition
Info - Read only mode
Ctrl - Read\Write mode
m1s1 - Module 1 - Segment 1 is being accessed. This is the default module at log on. The value for the Segment will always be 1.
40g - Type of active fail-open bypass kit.
AFO - Active fail-open bypass kit. This value will always remain the same.

Disconnecting an active session
From the CLI, type exit. From the web client, click Logoff in the upper right-hand corner.
Changing the active fail-open bypass Kit module slot
From the CLI, type set_seg <module_number> 1. The <module_number> parameter can have a value of 1, 2, or 3.
List all the get commands
From the CLI, type get help. The command displays the list of all the supported get commands.
List all the set commands
From the CLI, type set help. The command displays the list of all the supported set commands.
Technical support information
From the CLI, type get_support_info. The command displays information needed for the Technical Support team to help resolve technical problems.
Display sessions logged into the system
From the CLI, type display_sessions.

CLI commands for troubleshooting
The following CLI commands are applicable for the 40 Gigabit Active Fail-Open Bypass Kit:
Command - Description
display_sessions - Displays details of the active CLI sessions.
exit - Ends the current session. Once the session ends, the user who logged in after this session started will have Read/Write access.
get_dev_prop - Displays device properties.
get_dev_state - Displays the state of the device.
get_seg - Displays details of the module and segment that are being used.

get_support_info <parameter> <number_of_lines> - Displays information needed for the Technical Support team to help resolve technical problems. This command takes the following parameters:
<parameter> - Can be one of the following values:
swd_log - Displays lines of the swdaemon log file.
kern_log - Displays lines of the kernel log.
snmp_log - Displays lines of the snmp log file.
<number_of_lines> - Number of lines to be displayed.
power_off - Shuts down the chassis.
reboot - Reboots the chassis. The chassis needs to be rebooted when a new module is inserted or if an old module is reseated.
reset_err - Clears the ALM LED once the error condition is corrected.
set_default - Resets parameters to factory default.
set_psw <old_password> <new_password> - Changes the current password.
set_seg <module> <segment> - Changes the module and the segment to a different active fail-open module in a different slot (1, 2, or 3). The value for the <segment> parameter will always be 1.
set_session_exp_time <seconds> - Sets the CLI and web sessions to time out in seconds. The default value is 900 seconds. The maximum allowed value is seconds.
set_time - Sets the time to a user-specific time zone. Coordinated Universal Time (UTC) is the default time zone.
get help - Displays all the supported get commands.
set help - Displays all the supported set commands.

Integration Scenarios
This section explains troubleshooting in integration scenarios and the required steps for troubleshooting.
Tasks
Global Threat Intelligence - API Overload on page 56
ePO - Connection failure on page 57
Vulnerability Manager - Connectivity issues on page 59
Vulnerability Manager - Certificate Sync and FC Agent issues on page 60
Logon Collector - Integration issues on page 61

Global Threat Intelligence - API Overload
When the Manager integrates with Global Threat Intelligence to obtain the reputation scores on hosts and geo locations, the API is used to send back the feature usage data to McAfee, and there is a possibility of the API getting overloaded.

Perform the following steps for troubleshooting:
Task
1 If the proxy server is enabled, verify that "tunnel.web.trustedsource.org" is allowed by the proxy server ACLs.
2 In the Manager, select Manager | Integration | GTI and check if the Alert Data Details option is enabled.
3 Check if the SDK bootstraps to the Global Threat Intelligence cloud successfully by checking for the following entries in ems.log:
INFO [http] com.intruvert.ts.helper.tsratinglookuphelper - Major version:
INFO [http] com.intruvert.ts.helper.tsratinglookuphelper - Minor version:
INFO [http] com.intruvert.ts.helper.tsratinglookuphelper - Version description:
INFO [http] com.intruvert.ts.helper.tsratinglookuphelper - TrustedSource SDK (Build 1117)
INFO [http] com.intruvert.ts.helper.tsratinglookuphelper - Version:
INFO [http] com.intruvert.ts.helper.tsratinglookuphelper - Using Proxy Server: , port:
INFO [http] com.intruvert.ts.helper.tsratinglookuphelper - Device Id: 9b11e1c4-069e dd1-c2842ba338f

ePO - Connection failure
If there is a connection failure between the Manager and the ePO server, perform the following steps for troubleshooting.
In the Manager:
1 Ensure that the provided configurations like IP address, port numbers, user name, and the password to the ePO server are correct.
2 Ping or try to access the ePO server directly from the Manager server. If it is not accessible, check the firewall configuration and follow other regular network troubleshooting steps.
3 Ensure that the required permissions are given to the configured user name. To isolate the permission issue, use the global administrator user name and password for testing the connection. If the connection is successful with global administrator credentials, then it could be a problem with the configured user name.

4 Check these log files for any errors:
For Manager versions below 7.5.5: check the ems.log file for any errors.
For Manager version 7.5.5 and above: check the epo.log file for any errors.
5 The Manager uses the following URL. Try accessing it from the Manager server through a browser:
EPO_SERVER_IP:8443/remote/ISExtension.HostForensicsCommand.do?command=gethostdetails&ip=[specify_ip]
Check these log files. The following denotes a successful "TestConnection":
INFO [ajp] iv.common.httpclient.apachegetimpl - doget(), succesfully made the request to http client, url is ISExtension.HostForensicsCommand.do?command=gethostdetails&ip= &orion.user.security.token=tpc5pvsnvhxo3fis
The following denotes an error in connection:
ems.log.3: ERROR [ajp] iv.common.httpclient.apachegetimpl - doget:error while doing the http get function for the url ISExtension.HostForensicsCommand.do?command=gethostdetails&ip= &orion.user.security.token=ksffjtchbzrce0ij the error is java.net.SocketTimeoutException: Read timed out
ems.log.3: ERROR [ajp] iv.common.httpclient.apachegetimpl - doget:error while doing the http get function for the url

In ePO:
1 Ensure that the ePO server has the latest NSP Extension installed. The NSP Extension file needs to be installed on the ePO server to help establish communication between Network Security Platform and ePO.
2 Ensure that the required permissions are given to the configured username. Check if the user has sufficient permission to access the NSP Extension. In Menu | User Management | Users | <desired user>, note down the Permission Sets. In Menu | User Management | Permission Sets, select the permission set that is assigned to this user. Check if Network Security Platform has view and change settings.
3 To test the connection to the Manager server, manually run the NSP:Dashboard Data Pull Task. If the connection fails, ping or try to access the Manager server directly from the ePO server. If the connection fails, check the firewall and follow regular network troubleshooting steps.
4 Check the orion.log file for any error messages at C:\Program Files\McAfee\ePolicy Orchestrator\Server\Logs\orion.log.
If the test connection is carried out from a child admin domain, then make a test connection for the parent admin domain by following the above troubleshooting steps.
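The two ems.log checks above (GTI SDK bootstrap in step 3 of the Global Threat Intelligence task, and the ePO "doget" success/error lines in step 5) can be automated over an exported log. The following is an added example, not McAfee code: the line layout, timestamps, thread names, proxy address, device id and security token in the sample lines are constructed from the excerpts on this page, and the redaction of the orion.user.security.token value is this example's own addition.

```python
"""Added example (not McAfee code): scan Manager ems.log lines for the GTI SDK
bootstrap markers and the ePO HTTP GET failures described on this page.
The line layout and the sample lines are constructed from the page's excerpts;
real ems.log timestamps and thread names may differ."""
import re
from dataclasses import dataclass, field

# Logger names as they appear in the ems.log excerpts on this page.
GTI_LOGGER = "com.intruvert.ts.helper.tsratinglookuphelper"
HTTP_LOGGER = "iv.common.httpclient.apachegetimpl"

# Assumed line layout: "<date> <time> <LEVEL> [<thread>] <logger> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]*)\]\s+"
    r"(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)
# The ePO URLs carry an orion.user.security.token; never copy it into reports.
TOKEN_RE = re.compile(r"(orion\.user\.security\.token=)[^&\s]*")


@dataclass
class GtiStatus:
    bootstrapped: bool = False
    sdk_build: str = ""
    device_id: str = ""
    proxy: str = ""
    missing: list = field(default_factory=list)


def parse_line(line):
    """Fields of one ems.log line, or None for a continuation/garbled line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def gti_bootstrap_status(lines):
    """Bootstrap counts as successful when the SDK logs its version description
    and a Device Id (the id is only reported once the cloud was reached)."""
    st = GtiStatus()
    for raw in lines:
        rec = parse_line(raw)
        if not rec or rec["logger"] != GTI_LOGGER:
            continue
        msg = rec["msg"]
        if msg.startswith("TrustedSource SDK"):
            st.sdk_build = msg
        elif msg.startswith("Device Id:"):
            st.device_id = msg.split(":", 1)[1].strip()
        elif msg.startswith("Using Proxy Server:"):
            st.proxy = msg.split(":", 1)[1].strip()
    if not st.sdk_build:
        st.missing.append("SDK version description")
    if not st.device_id:
        st.missing.append("Device Id")
    st.bootstrapped = not st.missing
    return st


def redact_token(url):
    """Mask the ePO session token so log excerpts can be shared safely."""
    return TOKEN_RE.sub(r"\1<redacted>", url)


def epo_connection_errors(lines):
    """Failed ePO HostForensics GETs as (timestamp, redacted url, exception)."""
    errors = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec or rec["logger"] != HTTP_LOGGER or rec["level"] != "ERROR":
            continue
        m = re.search(r"for the url (\S+).*?the error is\s*([\w.]+)", rec["msg"])
        if m:
            errors.append((rec["ts"], redact_token(m.group(1)), m.group(2)))
    return errors


# Constructed sample lines (timestamps, proxy, device id and token are made up).
SAMPLE_GTI_OK = [
    "2018-03-01 10:55:01,510 INFO [http-8443-1] " + GTI_LOGGER + " - Major version:",
    "2018-03-01 10:55:01,510 INFO [http-8443-1] " + GTI_LOGGER + " - Version description:",
    "2018-03-01 10:55:01,510 INFO [http-8443-1] " + GTI_LOGGER + " - TrustedSource SDK (Build 1117)",
    "2018-03-01 10:55:01,672 INFO [http-8443-1] " + GTI_LOGGER + " - Using Proxy Server: 10.0.0.5, port: 3128",
    "2018-03-01 10:55:01,780 INFO [http-8443-1] " + GTI_LOGGER + " - Device Id: 00000000-0000-4000-8000-000000000000",
]
SAMPLE_GTI_NO_DEVICE = SAMPLE_GTI_OK[:4]   # cloud never answered: no Device Id
EPO_URL = ("https://192.0.2.10:8443/remote/ISExtension.HostForensicsCommand.do"
           "?command=gethostdetails&ip=192.0.2.20&orion.user.security.token=EXAMPLETOKEN")
SAMPLE_EPO = [
    "2018-03-01 11:09:51,500 INFO [ajp-8009-2] " + HTTP_LOGGER
    + " - doget(), succesfully made the request to http client, url is " + EPO_URL,
    "2018-03-01 11:15:10,914 ERROR [ajp-8009-3] " + HTTP_LOGGER
    + " - doget:error while doing the http get function for the url " + EPO_URL
    + " the error is java.net.SocketTimeoutException: Read timed out",
]

if __name__ == "__main__":
    print(gti_bootstrap_status(SAMPLE_GTI_OK))
    print("missing:", gti_bootstrap_status(SAMPLE_GTI_NO_DEVICE).missing)
    for ts, url, exc in epo_connection_errors(SAMPLE_EPO):
        print(ts, exc, url)
```

Feed it the lines of an exported ems.log (or the whole ems.log.N chain) instead of the samples; a Read timed out from apachegetimpl points at the firewall/network checks in step 2 rather than at ePO permissions.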

Vulnerability Manager - Connectivity issues
When you run through the integration wizard to connect to the Vulnerability Manager database, the following error is displayed:
The attempt to confirm connectivity with the McAfee Vulnerability Manager database has failed for the following reason: Internal Server Error
Perform the following steps for troubleshooting:
1 Stop the Manager service.
2 Disable CBC protection mode in App/bin/tms.bat.
3 Open the tms.bat file and add the following Java option to turn off CBC protection. The option is the last line of the block below, -Djsse.enableCBCProtection=false; note that it switches off the JSSE countermeasure for the TLS CBC (BEAST) weakness for every TLS connection made by the Manager's JVM, not only the Vulnerability Manager one.
set JAVA_OPTS=%JAVA_OPTS% -server -Xms768m -Xmx768m -Xss128K
set JAVA_OPTS=%JAVA_OPTS% -XX:NewRatio=4 -XX:PermSize=128m -XX:MaxPermSize=256m -XX:+UseParallelOldGC
set JAVA_OPTS=%JAVA_OPTS% -Dapp.home.dir="%APPROOT%"
set JAVA_OPTS=%JAVA_OPTS% -Dapp.install.root="%APPROOT%"
set JAVA_OPTS=%JAVA_OPTS% -Dapp.home.dir.url="%APPROOT%"
set JAVA_OPTS=%JAVA_OPTS% -Dwin.dir="%WINDIR%"
set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPUDPPort="4167"
set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPIPaddress=""
set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPIPv6address=""
set JAVA_OPTS=%JAVA_OPTS% -Dpython.path="%JYTHONLIB%"
set JAVA_OPTS=%JAVA_OPTS% -Div.policymgmt.RuleEngine.compiler.netl7antlr.strictCheckEnabled="FALSE"
set JAVA_OPTS=%JAVA_OPTS% -Div.compiler.snort.dumpPCRE="TRUE"
rem set JAVA_OPTS=%JAVA_OPTS% -Div.policymgmt.RuleEngine.compiler.enableAPforSPM="FALSE"
set JAVA_OPTS=%JAVA_OPTS% -Div.compiler.snort.dumpSSIDandStates="TRUE"
set JAVA_OPTS=%JAVA_OPTS% -Div.controlchannel.snmpv3.useLocalizedKeys="FALSE"
set JAVA_OPTS=%JAVA_OPTS% -Dsun.lang.ClassLoader.allowArraySyntax=true
set JAVA_OPTS=%JAVA_OPTS% -Djava.rmi.server.hostname="localhost"
set JAVA_OPTS=%JAVA_OPTS% -Dcatalina.home="%CATALINA_HOME%"
set JAVA_OPTS=%JAVA_OPTS% -Djsse.enableCBCProtection=false
4 Restart the Manager service.
After performing these steps, run through the integration wizard to try to connect to the Vulnerability Manager database.

Vulnerability Manager - Certificate Sync and FC Agent issues
Problem
The FC Agent service doesn't get installed while installing the Manager.
Solution
To install the FCAgent service:
1 Download the software vcredist_x86.exe and run it on that host.
2 Download link: displaylang=en&id=
At the command prompt, go to c:\Program Files (x86)\Foundstone\fcm and run the command fcagent -i to install the service.

When you click on the API tab in the Manager, an internal server error is displayed
This issue might be seen on some systems when the command sc query FCAgent is executed internally by the Manager. The server on which the Manager is deployed might not have the right permission settings to run this command; the Administrator has to provide permission to run sc.exe.
To change the permission settings for sc.exe:
1 Go to //windows/system32/sc.exe.
2 Right-click sc.exe and select Properties.
3 Click the Security tab.
4 Add Local Service and provide full permission.

FCAgent service doesn't start on the Manager server
To integrate with Vulnerability Manager, the Manager must update the Windows registry. However, the user account used to run the Manager service will not have permission to write to the Windows registry if the Manager is fully locked down. To give that user account the required permissions, follow these steps:
1 On the server running the Manager, run regedit.exe.
2 Change the permissions on the registry and allow Full Control to 'Local Service' for the keys:
HKLM
HKLM\Software
HKLM\Software\Foundstone
3 Right-click on these keys and choose Permissions.
4 Add the user account used to run the Manager service (likely LOCAL SERVICE).
5 Give that user account Full Control over the key.
6 Click OK. Changes take effect immediately. A reboot is not required.
7 In the API Server page, click Save.
If the operating system is 64-bit, perform this procedure for these keys:
HKLM
HKLM\Software
HKLM\Software\wow6432Node
HKLM\Software\wow6432Node\Foundstone

Problem
You are able to start the FC Agent service, but clicking 'Retrieve MVM Certificate' returns an error message.
Solution
It might be because port 3801 is not enabled on the API server. Check if port 3801 has been enabled. Vulnerability Manager could be deployed in distributed mode, where the FCM Server could be on one server and the API Server, DB, Enterprise Manager, and Scan Engines could be on another server. In the API Server page, try configuring the FCM Server IP address and port, then try clicking the Retrieve MVM Certificate button. If the OnDemand scan fails, try changing the port back.

Retrieve MVM certificate is failing even though the SSHStauscache and Statuscache keys are present in the registry
This might occur if C:\Program Files\Foundstone or C:\Program Files (x86)\Foundstone does not have write permission for Local Service.
1 Add Local Service and give full permission to Local Service.
2 Click Retrieve MVM Certificate again after giving the required permissions.

Logon Collector - Integration issues
To ensure connectivity between the McAfee Logon Collector and the Manager, the following configurations are mandatory:
Ensure that the Active Directory services are up and running. If Active Directory (AD) is not configured correctly or is down, then the Manager does not receive Logon Collector updates and test connectivity does not get verified.
Add the domain that needs to be monitored in the Logon Collector server. If the domain is not added, the test connection fails and the Manager does not receive Logon Collector updates.
Ensure that all Logon Collector components of the Logon Collector server are running.
While exchanging the Logon Collector certificate with the Manager by pasting, ensure that you copy the certificate content to Notepad to remove any inadvertent spaces that might cause certificate exchange failure during connectivity.
To verify that the Manager is receiving Logon Collector updates, create a Firewall policy, then double-click the Source User field to verify that the Groups are configured in the AD.
As a part of the Manager-Sensor Logon Collector integration, the Manager sends the IP-User mapping and User-Group mapping periodically on certain well-defined events. The Sensor receives the Logon Collector updates from the Manager only when user-based Firewall policies are assigned to Sensors.
The Manager notifies the following two faults related to this integration, which are available in the System Fault page:
The number of users configured in AD is more than or the IP-user mapping is more than 100,000.
The MLC bulk update file exceeds the 25 MB limit. This is a critical fault and user intervention is needed.


2 Performance issues
Most performance issues are related to switch port configuration, duplex mismatches, link up/down situations, and data link errors.
Contents
Sniffer trace
Data link errors

Sniffer trace
A Sniffer details packet transfer, and thus a Sniffer trace analysis can help pinpoint switch and McAfee Network Security Platform performance or connectivity issues when the issues persist after you have exhausted the other suggestions in this document. Sniffer trace analysis reveals every packet on the wire and pinpoints the exact problem. Note that it may be important to obtain several Sniffer traces from different ports on different switches, and that it is useful to monitor ("span") ports rather than spanning VLANs when troubleshooting switch connectivity issues.

Data link errors
Many performance issues may be related to data link errors. Excessive errors usually indicate a problem. For more information, see also Configuration of Speed and Duplex settings.
Half-duplex setting
When operating with a duplex setting of half-duplex, some data link errors such as FCS, alignment, runts, and collisions are normal. Generally, a one percent ratio of errors to total traffic is acceptable for half-duplex connections. If the ratio of errors to input packets is greater than two or three percent, performance degradation may be noticeable. In half-duplex environments, it is possible for both the switch and the connected device to sense the wire and transmit at exactly the same time, resulting in a collision. Collisions can cause runts, FCS, and alignment errors, which occur when the frame is not completely copied to the wire, resulting in fragmented frames.
Full-duplex setting
When operating at full-duplex, the FCS, cyclic redundancy check (CRC), alignment error, and runt counters should be minimal. If the link is operating at full-duplex, the collision counter is not active. If the FCS, CRC, alignment, or runt counters are incrementing, check for a duplex mismatch. A duplex mismatch is a situation in which the switch is operating at full-duplex and the connected device is operating at half-duplex, or vice versa. The result of a duplex mismatch is extremely slow performance, intermittent connectivity, and loss of connection. Other possible causes of data link errors at full-duplex are bad cables, a faulty switch port, or software or hardware issues.

3 Determine false positives
This section lists methods for determining and reducing false positives.
Contents
Reduce false positives
Tune your policies

Reduce false positives
Your policy determines what traffic analysis your McAfee Network Security Sensor (Sensor) will perform. McAfee Network Security Platform provides a number of policy templates to get you started toward your ultimate goal: prevent attacks from damaging your network, and limit the alerts displayed in the Attack Log page to those which are valid and useful for your analysis. There are two stages to this process: initial policy configuration and policy tuning. Though these are tedious tasks, McAfee has extended its blocking options to include SmartBlocking, which only activates blocking when high-confidence signatures are matched, thus minimizing the possibility of false positives. Network Security Platform is replacing its present Recommended for Blocking (RFB) designation with Recommended for SmartBlocking (RFSB) because this new level of granularity enables McAfee to recommend many more attacks; the list of RFB attacks is a subset of the list of RFSB attacks. The ultimate goal of policy tuning is to eliminate false positives and noise and avoid overwhelming quantities of legitimate, but anticipated, alerts.

Tune your policies
The default McAfee Network Security Platform policy templates are provided as a generic starting point; you will want to customize one of these policies for your needs. So the first step in tuning is to clone the most appropriate policy for your network and your goals, and then customize it. (You can also modify a policy directly rather than modifying a copy.)
Some things to remember when tuning your policies:
We ask that you set your expectations appropriately regarding the elimination of false positives and noise. A proper Network Security Platform implementation includes multiple tuning phases. False positives and excess noise are routine for the first 3 to 4 weeks. Once properly tuned, however, they can be reduced to a rare occurrence.
When initially deployed, Network Security Platform frequently exposes unexpected conditions in the existing network and application configuration. What may at first seem like a false positive might actually be the manifestation of a misconfigured router or Web application, for example.

Before you begin, be aware of the network topology and the hosts in your network, so you can enable the policy to detect the correct set of attacks for your environment.
Take steps to reduce false positives and noise from the start. If you allow a large number of "noisy" alerts to continue to sound on a very busy network, parsing and pruning the database can quickly become cumbersome tasks. It is preferable to all parties involved to put energy into preventing false positives than into working around them. Exception objects are also an option, where you can have custom rule sets specific to your environment.
You can disable all alerts that are obviously not applicable to the hosts that you protect. For example, if you use only Apache Web servers, you can disable IIS-related attacks.

False positives and noise
The mere mention of false positives always causes concern in the mind of any security analyst. However, false positives may mean quite different things to different people. In order to better manage the security risks using any IDS/IPS devices, it's very important to understand the exact meanings of different types of alerts so that the appropriate response can be applied. With Network Security Platform, there are three types of alerts which are often taken as "false positives":
incorrectly identified events
correctly identified events subject to interpretation by usage policy
correctly identified events uninteresting to the user
Incorrect identification
These alerts typically result from overly aggressive signature design, special characteristics of the user environment, or system bugs. For example, typical users will never use nested file folders with a path more than 256 characters long; however, a particular user may push Windows' free-style naming to the extreme and create files with path names of more than 1024 characters. Issues in this category are rare. They can be fixed by signature modifications or software bug fixes.
Correct identification, significance subject to usage policy
Events of this type include those alerting on activities associated with Instant Messaging (IM), Internet Relay Chat (IRC), and Peer to Peer programs (P2P). Some security policies forbid such traffic on their network; for example, within a corporate common operation environment (COE); others may allow them to various degrees. Universities, for example, typically have a totally open policy for running these applications. Network Security Platform provides two means by which to tune out such events if your policies deem these events uninteresting. First, you can define a customized policy in which these events are disabled. In doing so, the Sensor will not even look for these events in the traffic stream to which the policy is applied. If these events are of interest for most of the hosts except a few, creating exception objects to suppress alerts for the few hosts is an alternative approach.
Correct identification, significance subject to user sensitivity (also known as noise)
There is another type of event which you may not be interested in, due to the perceived severity of the event. For example, Network Security Platform will detect a UDP-based host sweep when a given host sends UDP packets to a certain number of distinct destinations within a given time interval. Although you can tune this detection by configuring the threshold and the interval according to your sensitivity, it's still possible that some or all of the host IPs being scanned are actually not live. Some users will consider these alerts as noise; others will take notice because it indicates possible reconnaissance activity. Another example of noise would be if someone attempted an IIS-based attack against your Apache Web server. This is a hostile act, but it will not actually harm anything except wasting some network bandwidth.
Again, a would-be attacker learns something he can use against your network: the fact that the attack failed can help zero in on the type of Web server you use. Users can also better manage this type of event through policy customization or installing attack filters.
Relevance analysis involves the analysis of the vulnerability relevance of real-time alerts, using the vulnerability data imported into the Manager database. The imported vulnerability data can be from Vulnerability Manager or other supported vulnerability scanners such as Nessus.
The noise-to-incorrect-identification ratio can be fairly high, particularly in the following conditions:
the configured policy includes a lot of Informational alerts, or scan alerts which are based on request activities (such as the All Inclusive policy)
deployment links where there is a lot of hostile traffic, such as in front of a firewall
overly coarse traffic VIDS definition that contains very disparate applications, for example, a highly aggregated link in dedicated interface mode
Users can effectively manage the noise level by defining appropriate VIDS and customizing the policy accordingly. For dealing with exceptional hosts, such as a dedicated pentest machine, alert filters can also be used.

Determine a false positive versus noise
Some troubleshooting tips for gathering the proper data to determine whether you are dealing with a false positive or an uninteresting event:
What did you expect to see?
What is the vulnerability, if applicable, that the attack indicated by the alert is supposed to exploit?
Ensure that you capture valid traffic dumps from the attack attempt (for example, have packet logging enabled and view the resulting packet log).
Determine whether any applications are suspected of triggering the alert: which ones, which versions, and in what specific configurations.
If you intend to work with McAfee Technical Support on the issue, we ask that you provide the following information to assist in troubleshooting:
If this occurred in a lab using testing tools rather than live traffic, please provide detailed information about the attack/test tool used, including its name, version, configuration, and where the traffic originated.
If this is a testing environment using a traffic dump replay, make sure that the traffic dumps are valid, TCP traffic follows a proper 3-way handshake, and so on. Also, please provide detailed information about the test configuration in the form of a network diagram.
Export Alert Details and Packet Capture (within Attack Log).
Be ready to tell Technical Support how often you are seeing the alerts and whether they are ongoing.


4 System Log Files

This section lists all log files available in McAfee Network Security Manager that can be used for troubleshooting. Each log file contains all activities specific to its module. The size of each log file is smaller than 4 MB. When a log file reaches its maximum size, it is automatically incremented: the data from the current log file is moved to the incremented log file. Each log file can be incremented 13 times; once all files are full, the data from the oldest log file is deleted. For instance, when ems.log reaches its maximum limit, the file is automatically incremented to ems.log.1 and the data from ems.log is moved to ems.log.1. When ems.log fills again, the data in ems.log.1 is first moved to ems.log.2 and the data from ems.log is again moved to ems.log.1. This repeats up to ems.log.13. As a result, the latest logs are in ems.log and the oldest logs are in ems.log.13.

For example, if you choose to tune your database:

1 Go to Manager | <Admin Domain Name> | Maintenance | Database Tuning | Tune Now.
2 Click Start. While the tuning is in progress, the message "Database tuning has started. Please consult the Tuning Status page for details" appears.
3 Go to Manager | <Admin Domain Name> | Maintenance | Database Tuning | Tuning Status.

4 To view and export logs related to the database tuning operation, go to Manager | <Admin Domain Name> | Troubleshooting | System Log.
5 Select dbtuning.log from the drop-down list.
6 Click Export. The log file, which contains all messages in the log from the start of database tuning until the end, is copied to your system.

For more information about system logs, see the McAfee Network Security Platform 9.1 Manager Administration Guide.

Manager Modules / Log Files / Description

ACM
  sent.log: Logs related to the ACM server.

Alert Processing
  acltlv.log: Logs related to firewall events that are forwarded from the Manager to the Sensor.
  acm.log: Logs related to alerts generated in the Manager, used to determine the alert rate.
  akka_actors.log: Logs alerts from the Sensor through the alert processing module.
  alertcounts.log: Logs related to alert counts received from the Manager.
  alertinstcounts.log: Logs related to alert inserts.
  alertl7counts.log: Logs related to processing of Layer 7 data.
  alertpktcorrelation.log: Logs related to alert packets.
  alert_process.log: Logs related to the process of traffic detection/prevention at the Sensor level, and the alerts generated on the Manager.
  alertthrottling.log: Logs related to alert traffic information from the Sensor to the Manager.
  alertthrottled.log: Logs related to alert traffic information for multiple attacks that are combined into a single event.
  appatlv.log: Logs related to application alert events.
  aqcollector.log: Logs related to the alert queue collector.
  aqcount.log: Logs related to alert queues.
  aquptprocessor.log: Logs related to alert queue update events from the Sensor.
  alt_chnl_event_cnt.log: Logs related to alert channel information.
  altupdatecount.log: Logs alerts related to the update count of Layer 7, Endpoint Intelligence Agent, McAfee Logon Collector, etc.
  atlv.log: Logs byte data sent from the Sensor to the Manager.
  bandwidth_savings.log: Logs related to bandwidth traffic information for multiple attacks that are combined into a single event.
  BulkFileTransfer.log: Logs related to malware policies that are forwarded from the Sensor to the Manager.
  bwatlv.log: Logs related to bandwidth alert events that are forwarded from the Manager to the Sensor.
  epo.log: Logs related to the ePO service after integration with the Manager.
  insertactors.log: Logs new alerts from the Sensor through the alert processing module.
  updateactors.log: Logs the existing alerts from the Sensor through the alert processing module.
  wacm.log: Logs related to the Attack Log of the Central Manager.
  vips.log: Logs related to Virtual Machine and Intel Security Controller Manager.

Central Manager-Manager
  emssync.log: Logs that are synchronized between the Central Manager and the local Manager.
  nacm.log: Logs related to communication between the Manager and the Central Manager.
  nscm.log: Logs related to all activities within the Central Manager.

Cloud
  cim.log: Logs related to cloud activity within the Manager.
  cimweb.log: Logs related to connections between the Manager, Controller, and Sensors.

Compiler
  compileroutput.log: Logs related to signature set compilation by the Manager.

Dashboard
  tcc_debug.log: Logs related to dashboard debug logs of the Manager.
  tcc_query.log: Logs queries related to the Dashboard page of the Manager.

Database
  dbbackup.log: Logs related to database backup files.
  dbcheck.log: Logs created while upgrading the Manager to check database availability or consistency.
  dbconsistency.log: Logs related to inconsistency during Manager upgrade.
  dbtuning.log: Logs related to database tuning.
  pruning.log: Logs related to deletion of alert data from the MySQL database.

Device Management
  appviz.log: Logs related to application visualization.
  dpinfo_epo.log: Logs information like the device type, operating system, and the source of the profile when McAfee ePO is integrated with the Manager.

Device Performance Monitoring
  dpinfo_ips.log: Logs information like the device type, operating system, and the source of the profile that is extracted from the IPS Sensor and forwarded to the Manager.
  dpinfo_ntba.log: Logs information like the device type, operating system, and the source of the profile when the NTBA is integrated with the Manager.
  emsks, emsks2048, emsksstrong2048: Logs related to certificates imported from the Manager to the Sensor.
  emsperfstats.log: Logs related to performance statistics of devices that are attached to the Manager.
  nbaalertquey.log: Logs related to alerts of the NTBA Appliance.
  perfmon.log: Logs related to performance monitoring.
  vmidcactivities.log: Logs related to cache, resources, and database entries of virtualization.
  pefrmonatlv.log: Logs related to Sensor performance alerts.

High Risk Endpoints
  risk_score.log: Logs related to high risk endpoints based on their risk score.

Installation
  Initdb.log: Logs related to initialization of the database after the installation of the Manager.

Java Virtual Machine
  crash.log: Logs related to crashes, created by the Java virtual machine.

Malware
  malware.log: Logs related to all malware activities.

Manager APIs
  sdkpayload.log: Logs related to the requests and responses, with payload, of the Manager.

Manager Disaster Recovery
  mdr.log: Logs related to the communication, synchronization, and switchover of the Manager Disaster Recovery pair.

Manager Memory
  emsmem.log: Logs related to memory management in the Manager (total memory, used memory, and free memory).

Manager Startup Checks
  checks.log: Logs the checks performed when the Manager is restarted manually.

McAfee Logon Collector Integration
  mlcsensor.log: Logs related to MLC integration, where the information about users, groups, etc. from Active Directory is sent to the Manager.

McAfee Vulnerability Manager Integration
  mvm.log: Logs related to McAfee Vulnerability Manager integration with the Manager.
  relevance.log: Logs related to alert relevancy after integration with McAfee Vulnerability Manager.

NTBA Appliance
  ntba.log: Logs related to the integration and communication between the Manager and NTBA.

Overall Manager Logs and Console Logs
  nbaatlv.log: Logs related to NTBA-Manager queries.
  ems.log: All logs related to the Manager.
  emsout.log: Logs related to the console output of the Manager.

Packet Channel
  pkt_chnl_event_cnt.log: Logs related to packet log channel events.

Policy
  ips_policy.log: Logs related to the addition, modification, and deletion of IPS policy.

Quarantine
  hitask.log: Logs related to the attack log of the quarantine module.
  hostevent.log: Logs related to the quarantine host events that are added, updated, and deleted.
  host_isolation.log: Logs all cache information of the quarantine host from the Sensor.

Report Generation
  reportgen.log: Logs related to report generation.

Scheduler
  scheduler.log: Logs related to schedulers running in the Manager.

Signature Set
  sigfile.log: Logs related to signature file deploy/compilation activity.
  sigset.log: Logs related to signature set download from the update server/local system.

Solr Database
  high_risk_solr.log: Logs related to Solr-based details in Threat Explorer about high risk threats.
  initdbsolr: Logs related to initialization activity in the Solr database.
  solr.log: Logs related to configuration and startup details of the Solr database.
  solr_nsm.log: Logs the communication between the Solr database and the Manager.

SSL Decryption
  ssl_decryption.log: Logs related to SSL key information.

Troubleshooting
  health_check.log: Logs related to health checks of the Manager.

Watchdog
  watchdog.log: Logs the unrecoverable failures detected in the Manager.
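The rotation scheme described at the start of this chapter (a 4 MB cap, ems.log shifting through ems.log.1 to ems.log.13 with the oldest copy discarded) reproduced in Python, together with a helper that reads a rotated set oldest-first so that a search for a fault spans the whole retained history. This is an added example, not McAfee code; the file names and tiny sizes in demo() are constructed, and the Manager log directory passed to rotated_set_on_disk() is an assumption you supply.

```python
"""Added example (not McAfee code): reproduce the Manager's log rotation and read a
rotated set oldest-first.

Assumed from this guide: each log is capped at 4 MB; on rotation ems.log becomes
ems.log.1, ems.log.1 becomes ems.log.2, ..., up to ems.log.13, whose previous
contents are discarded. File names and sizes in demo() are constructed.
"""
import re
from pathlib import Path

MAX_LOG_BYTES = 4 * 1024 * 1024  # the guide's "smaller than 4 MB" cap
MAX_INCREMENTS = 13              # ems.log.1 ... ems.log.13


def rotated_name(base: str, index: int) -> str:
    """ems.log for index 0, ems.log.<index> otherwise."""
    return base if index == 0 else f"{base}.{index}"


def append_with_rotation(logs: dict, base: str, record: bytes,
                         max_bytes: int = MAX_LOG_BYTES,
                         max_inc: int = MAX_INCREMENTS) -> dict:
    """Append one record to the live log, rotating first if the cap would be exceeded.

    `logs` maps file name -> content and stands in for the Manager's log directory.
    """
    live = logs.get(base, b"")
    if live and len(live) + len(record) > max_bytes:
        # Shift the highest index first so nothing is overwritten prematurely:
        # .12 -> .13 (the old .13 is dropped), ..., .1 -> .2, live -> .1
        for i in range(max_inc, 0, -1):
            src = rotated_name(base, i - 1)
            if src in logs:
                logs[rotated_name(base, i)] = logs.pop(src)
        live = b""
    logs[base] = live + record
    return logs


def chronological_order(names, base: str) -> list:
    """Order file names oldest-first: ems.log.13, ..., ems.log.1, ems.log."""
    pattern = re.compile(rf"^{re.escape(base)}(?:\.(\d+))?$")
    indexed = []
    for name in names:
        m = pattern.match(name)
        if m:
            indexed.append((int(m.group(1) or 0), name))
    # A higher rotation index means older data, so sort descending.
    return [name for _, name in sorted(indexed, reverse=True)]


def merged_log(logs: dict, base: str) -> bytes:
    """Concatenate a rotated set oldest-to-newest so one search spans the retained history."""
    return b"".join(logs[name] for name in chronological_order(logs, base))


def find_in_rotated(logs: dict, base: str, needle: bytes) -> list:
    """Return (file name, line) pairs containing `needle`, oldest first."""
    hits = []
    for name in chronological_order(logs, base):
        for line in logs[name].splitlines():
            if needle in line:
                hits.append((name, line.decode("utf-8", "replace")))
    return hits


def rotated_set_on_disk(directory: str, base: str = "ems.log") -> list:
    """Oldest-first paths of a real rotated set. `directory` is the Manager log
    directory you supply (an assumption; this chapter does not name it)."""
    d = Path(directory)
    names = [p.name for p in d.iterdir() if p.is_file()]
    return [d / name for name in chronological_order(names, base)]


def demo(records: int = 15) -> dict:
    """Append fixed-size records with a cap of one record so every append rotates.

    With 15 records the first one ("batch 00") is shifted past ems.log.13 and lost,
    leaving ems.log plus 13 rotated files.
    """
    logs: dict = {}
    for n in range(records):
        rec = f"batch {n:02d}\n".encode()
        append_with_rotation(logs, "ems.log", rec, max_bytes=len(rec))
    return logs


if __name__ == "__main__":
    rotated = demo()
    for name in chronological_order(rotated, "ems.log"):
        print(name, rotated[name].decode().strip())
    print(find_in_rotated(rotated, "ems.log", b"batch 07"))
```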


5 System fault messages

This section lists the system fault messages visible in the Manager Operational Status viewer, organized by severity: Critical messages first, then Errors, then Warnings, then Informational messages. You can view the faults from the Operational Status menu in the Manager. For the fault messages of the Vulnerability Manager Scheduler and of automatic report import using the Scheduler, see the McAfee Network Security Platform Integration Guide.

The fault messages you might encounter, their severity, a description, and the action that clears the fault are briefly described. In many cases, the fault clears itself when the condition causing it is resolved. Where the fault does not clear, you must acknowledge or delete it to dismiss it. For Sensor faults, go through Manager and Sensor faults. Similarly, for NTBA issues, refer to Manager and NTBA faults.

Contents
Manager faults
Sensor faults
NTBA faults

Manager faults

Manager faults can be classified as critical, error, warning, and informational. The Action column provides you with troubleshooting tips.

Manager critical faults

These are the critical faults for a Manager and Central Manager.

Fault / Severity / Description/Cause / Action

Fault: AD groups size exceeded
Description/Cause: Currently, Manager-MLC integration supports only 2,000 AD groups for NS-series and Virtual IPS, and 10,000 AD groups for M-series; this limit has now been exceeded. Sensor behavior cannot be guaranteed if these numbers are not brought down.
Action: Reduce the number of admin domain user groups to within the specified limit.

Fault: Approaching max allowable table size
Description/Cause: <Percentage value>% capacity. Current largest table size: <Table size value>. To ensure successful database tuning, the Manager begins to drop alerts and packet logs.
Action: Perform maintenance operations to clean and tune the database.

Fault: AD groups size limitation
Description/Cause: Currently, Manager-MLC integration supports only a limited number of AD groups; the Sensor cannot accommodate the configured AD groups.
Action: Reduce the number of groups in Active Directory.

Fault: Audit failed and Manager shutting down
Description/Cause: The Manager is not able to log an audit and is shutting down.
Action: Check the ems log to determine the reason for the audit failure.

Fault: Callback detectors deployment failure
Description/Cause: Cannot deploy the callback detectors to device <Sensor_name>. See the system log for details. Occurs when the Manager cannot push the BOT DAT file to the Sensor. This can result from a network connectivity issue.

Fault: <Sensor_name> configuration deployment failure
Description/Cause: The attempt by the Manager to deploy the configuration to the device failed during device re-initialization. The device configuration is now out of sync with the Manager settings. The device may be down. See the system log for details. The Manager cannot deploy the original device configuration during device re-initialization. This can also occur when a failed device is replaced with a new unit, and the new unit is unable to discover its configuration information.

Fault: Device re-discovery failure
Description/Cause: The upload of device configuration information for the device failed again after being triggered by the status polling thread. The device is not properly initialized. This fault occurs as a second part to the device discovery failure fault. If the condition of the device changes such that the Manager can again communicate with it, the Manager again checks whether the device discovery was successful. This fault is issued if discovery fails, so the device is still not properly initialized.
Action: Check that the device has the latest software image compatible with the Manager software image. If the images are incompatible, update the device image via a TFTP server.

Fault: Cannot start control channel service
Description/Cause: The Manager's key file is unavailable and possibly corrupted.
Action: If you have a database backup file (and think it is not corrupted), you can attempt a Restore. If this does not work, you may need to manually repair the database. Contact McAfee Technical Support.

Fault: Cannot start control channel service
Description/Cause: Can't obtain the Manager certificate. This fault could indicate database corruption.
Action: If you have a database backup file (and think it is not corrupted), you can attempt a Restore. If this does not work, try executing the Database Maintenance action.

Fault: Failed to create command channel association
Description/Cause: Failed to create command channel association. The device is not properly initialized. This error indicates a failure to create a secure connection between the Manager and the device, which can be caused by loss of time synchronization between the Manager and the device, or by the device not being completely online after a reboot.
Action: Restart the Manager and check the device operating status to ensure that the device health and status are good.

Fault: Cluster software mismatch status
Description/Cause: The software versions on the cluster primary and cluster secondary are not the same.
Action: Check for errors in the software image download to the cluster.

Fault: Database backup failed
Description/Cause: The Manager was unable to back up its database. Error Message: <exception string>. This message indicates that an attempt to manually back up the database has failed. The most likely cause is insufficient disk space on the Manager server; the backup file may be too big.
Action: Check your disk capacity to ensure there is sufficient disk space, and try the operation again.

Fault: Disk space warning
Description/Cause: Raised when the utilized disk space on the Manager server exceeds 89% of capacity. Example: disk space used = 90% invokes a critical fault.
Action: Make sure that the drive where the Manager is installed has sufficient disk space. Prune and tune the database.

Fault: Dropping alerts and packet logs
Description/Cause: <Percentage value>% capacity. Dropping alerts and packet logs.
Action: Perform maintenance operations to clean and tune the database.

Fault: DXL Service is down
Description/Cause: The DXL service is down due to one of the following:
- Failure to connect to the ePolicy Orchestrator server.
- Failure to connect to the Data Exchange Layer.
- Failure to start the McAfee Agent service.
- Failure to start the Data Exchange Layer service.
Action: For each cause, respectively:
- Check the connectivity between IPS and ePO, or check the logs.
- Check the connectivity between IPS and the Data Exchange Layer, or check the logs.
- Check the logs.
- Check the logs.

Fault: Fan error
Description/Cause: The fan has failed.
Action: Check the fan LEDs on the front of the device to ensure all internal fans are functioning. The fault clears when the temperature falls below its internal low temperature threshold.

Fault: Firewall connectivity failure
Description/Cause: The connectivity between the device and the firewall is down. This fault can occur in situations where, for example, the firewall machine is down, or the network is experiencing problems.
Action: Check the Packet Capture configuration. Ping the firewall to see if it is available. Contact your IT department to troubleshoot connectivity issues.

Fault: Gateway Anti-Malware engine initialization failed
Description/Cause: Gateway Anti-Malware Engine initialization failed due to an internal error, or the Gateway Anti-Malware Engine could not be initialized because the required signature files are not available.
Action: Check the logs. Try enabling the automatic signature update option, or download the signatures manually using the CLI.

Fault: Gateway Anti-Malware signature download failure
Description/Cause: One of the following messages:
- Gateway Anti-Malware signature download failed because the signature update failed.
- Gateway Anti-Malware signature download failed because the signature is not available.
- Gateway Anti-Malware signature could not be downloaded because of an update server connection issue.
- Gateway Anti-Malware signature validation failed.
- Gateway Anti-Malware signature could not be downloaded as the update server is not reachable.
- Gateway Anti-Malware signature could not be downloaded as DNS resolution failed for the Anti-Malware update server.
- Gateway Anti-Malware signature could not be downloaded because the proxy server is not reachable.
- Gateway Anti-Malware signature could not be downloaded because proxy authentication failed.
Action: Check the logs. Try enabling the automatic signature update option, or download the signatures manually using the CLI. For update server and proxy reachability problems, check the network connection. For proxy authentication failure, configure appropriate credentials for the proxy.

Fault: Geo IP location file download failure
Description/Cause: Cannot push the Geo IP location file to device <Sensor_name>. See the system log for details. Occurs when the Manager cannot push the Geo IP location file to a Sensor. Could result from a network connectivity issue.

Fault: GTI File Reputation DNS Error
Description/Cause: One of the following messages:
- Connectivity to Artemis server is restored.
- Error connecting to local DNS server.
- Malformed DNS response from Artemis server.
- Error connecting to Artemis server.
- Information not available in Artemis server.
- Sensor internal memory error on connecting to Artemis server.
- Sensor internal query error on connecting to Artemis server.
- Unknown internal error on connecting to Artemis server.
Action: You may need to correct the Artemis DNS configuration.

Fault: Hardware error
Description/Cause: This is a generic hardware-related error in the device.
Action: Check the device to know more.

Fault: Incompatible custom attack
Description/Cause: One or more custom attack definitions are incompatible with the current signature set. Error message: <exception string>.
Action: The Custom Attack Editor indicates which definitions are incompatible. (Incompatibility could result from attack or signature overlap.) Update the definition in the Custom Attack Editor and try again.

Fault: Incompatible UDS signature
Description/Cause: A user-defined signature (UDS) is incompatible with the current signature set.
Action: You will need to edit your existing UDS attacks to make them conform to the new signature set definitions. Bring up the Custom Attack Editor (IPS Settings | Advanced Policies | Custom Attack Editor) and manually perform the edit/validation. This fault clears when a subsequent UDS compilation succeeds.

Fault: Link failure of <Sensor>
Description/Cause: The link between this port and the external device to which it is connected is down.
Action: This is a connectivity issue. Contact your IT department to troubleshoot network connectivity. This fault clears when communication is re-established.

Fault: Low JVM Memory
Description/Cause: The Manager is experiencing high memory usage. Available system memory is low.
Action: Reboot the Manager server.

Fault: Packet log save failed
Description/Cause: The Manager was unable to access the packet log tables in the database. Error Message: <exception string>. An attempt to save packet log data to the database failed, most likely due to insufficient database capacity.
Action: Ensure that the disk space allocated to the database is sufficient, and try the operation again.

Fault: Power supply error
Description/Cause: There is a power supply error to the device. Restore the power supply to clear this fault.
Action: Check power to the outlet providing power to the power supply; if a power interruption is not the cause, replace the failed power supply.

Fault: <Sensor_name> configuration deployment failure
Description/Cause: The attempt by the Manager to deploy the configuration to device <Sensor_name> failed during device re-initialization. The device configuration is now out of sync with the Manager settings. The device may be down. See the system log for details. The Manager cannot push the original device configuration during device re-initialization. This can also occur when a failed device is replaced with a new unit, and the new unit is unable to discover its configuration information.

Fault: Sensor attack detection error
Description/Cause: The Sensor attack detection stopped on one or more engines. A device reboot may be required to resolve the issue.
Action: Message generated based on the Sensor attack detection error. A device reboot may be required.

Fault: Simultaneous FIPS role logon
Description/Cause: Users from all three FIPS mode roles (Audit Administrator, Crypto Administrator, and Security Administrator) have logged on to the Manager at the same time.
Action: This message is informational.

Fault: Software error
Description/Cause: A recoverable software error has occurred within the device. A device reboot may be required.
Action: This error may require a reboot of the device, which may then resolve the issue causing the fault.

Fault: Temperature error
Description/Cause: Device temperature is outside its normal range.
Action: Check the fan LEDs on the front of the Sensor to ensure all internal device fans are functioning. This fault clears when the temperature returns to its normal range.

Fault: Callback detectors deployment failure
Description/Cause: Cannot deploy the callback detectors to the device. Occurs when the Manager cannot push the BOT DAT file to the Sensor. This can result from a network connectivity issue.
Action: See the system log for details.

Fault: CADS certificate download failure
Description/Cause: Cannot push the CADS certificate to the device. Occurs when the Manager cannot push the CADS certificate to a device. Could result from a network connectivity issue.
Action: See the system log for details.

Fault: Database Tuning error
Description/Cause: Database tuning failed due to the error.
Action: Rectify the error and try again.

Fault: Failed connection attempt to McAfee GTI Server
Description/Cause: Any connectivity issue with the GTI Server will generate this fault, including DNS name resolution failure, GTI Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the Manager server.
Action: This fault clears when communication with the GTI Server is restored.

Fault: SNMP query Device reboot required
Description/Cause: This fault can be due to two reasons: the SNMPD process restart count exceeded the maximum threshold, or a communication failure occurred in the management processor.
Action: Manually reboot the Sensor, which may then resolve the issue causing the fault.

Signature set

Fault: IPS signature set import failure
Description/Cause: The attempt to import the IPS signature set into the Manager was not successful.
Action: A valid signature set must be present before any action can be taken in Network Security Platform.

Fault: Memory Error
Description/Cause: This is a generic memory-related error in the device.
Action: Check the device to know more.

Fault: Signature set download failure
Description/Cause: The attempt by the Manager to deploy the signature set to device <Sensor_name> failed. See the system log for details. (The Manager will continue to attempt deployment.)
Action: Occurs when the Manager cannot push the signature set file to a Sensor. Could result from a network connectivity issue.

Server communication

Fault: Communication failure with the Network Security Platform Update Server
Description/Cause: The Manager is unable to communicate with the Update Server. Any connectivity issue with the Update Server will generate this fault, including DNS name resolution failure, Update Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the Manager server.
Action: This fault clears when communication with the Update Server succeeds. If your Manager is connected to the Internet, ensure it has connectivity to the Internet.

Fault: Communication failure with the proxy server
Description/Cause: The Manager is unable to communicate with the proxy server. (This fault can occur only when the Manager is configured to communicate with a proxy server.)
Action: This fault clears when communication to the Update Server through the proxy succeeds.

Fault: Communication failure with the McAfee Update Server
Description/Cause: The Manager is unable to establish network connectivity with the Update Server. See the system log for details. Any connectivity issue with the Update Server will generate this fault, including DNS name resolution failure, Update Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the Manager server.
Action: This fault clears when communication with the Update Server is restored.

Manager Disaster Recovery (MDR)

Fault: Conflict in MDR IP address type
Description/Cause: Device detected a conflict with the MDR IP address type: <IPv4/IPv6> instead of type <IPv6/IPv4>.
Action: You may need to correct the MDR configuration.

Fault: Conflict in MDR Mode
Description/Cause: MDR mode: Manager IP address / MDR status.
Action: There is a problem with the MDR configuration. Check your MDR settings.

Fault: Conflict in MDR Pair IP address
Description/Cause: Device detected a conflict with the MDR pair IP address: Manager IP address / MDR action.
Action: You may need to correct the MDR configuration.

Fault: Conflict in MDR Status
Description/Cause: Sensor found a conflict with MDR status; ISM IP address / MDR status as <ISMAddress> / Up/Down and <PeerISMAddress> / Up/Down.
Action: There is a problem with the MDR configuration. Check your MDR settings.

Fault: Generic device error
Action: Review device status.

Fault: MDR - system time synchronization error
Description/Cause: The two Managers in an MDR pair must have the same operating system time. Ensure both Managers are in sync with the same time source. (Otherwise, the device communication channels will experience disconnects.)
Action: Ensure both Managers are in sync with the current time.

Fault: MDR pair changed
Description/Cause: The <NSM Name or NSCM Name> Manager was <previousprimaryipaddr/previoussecipaddr>, and now the primary and secondary are <presentprimaryipaddr/presentsecipaddr>.
Action: Correct the MDR pair.

Fault: <NSM Name or NSCM Name> Manager <Manager_name> MDR error
Description/Cause: One of the following:
- The <Manager_name> Manager has moved to MDR mode, and this Manager cannot handle the change.
- The Manager is detected in Standby mode. The peer Manager is either not reachable or does not have data.
- The Central Manager server is in Standby mode.
- The Manager server configured by the Central Manager goes into secondary Standby mode after MDR creation, or before the data dump from primary to secondary takes place.
- The Manager server configured by the Central Manager is in Active mode but is disconnected and therefore cannot communicate with the Central Manager. If the Manager is reconnected and the Central Manager is in Standby mode, the peer Central Manager does not have the Manager configuration.
Action: Depending on the cause:
- If the Manager that has moved to MDR mode is a McAfee Network Security Central Manager, make the Central Manager that has all the McAfee Network Security Managers' data Active, or re-form the MDR. If the Manager that has moved to MDR mode is a McAfee Network Security Manager, make the Manager that has the Central Manager data Active, or make sure that the active Manager has the Central Manager configuration data.
- If the Central Manager server has moved to Standby, move the Central Manager with the latest Manager information to Active mode, or recreate the MDR pair.
- If the Manager has moved to Standby, make the Manager with the Central Manager information Active, or make sure that the active Central Manager or Manager has the latest configuration data.
- If the Manager server has moved to Standby, make the Central Manager with the latest Manager information Active, or re-form the MDR; if the Manager has moved to Standby, make the Manager with the Central Manager information Active, or make sure that the active Central Manager or Manager has the latest configuration data.

Fault: MDR configuration conflict for manager <Manager_name>
Description/Cause: Either the Manager server is in Standby mode (MDR action) and the active peer Manager does not have Central Manager information, or the configuration of an existing MDR pair (Manager 1 and Manager 2, both configured with Central Manager) has been disabled and a new MDR pair has been created with Manager 2 and Manager 3, where Manager 2 is in Standby mode and Manager 3 does not have the Central Manager configuration.
Action: Dissolve and recreate the MDR pair.

Fault: The MDR connection is down.
Description/Cause: The communication from <Primary/Secondary> to <Secondary/Primary> is down.
Action: Look into the connection status of the systems and the Manager logs.

Vulnerability Manager configuration

Fault: Vulnerability data import from Vulnerability Manager failed
Description/Cause: Scheduled import of vulnerability data from the Foundstone database server into the ISM database table failed.
Action: This message is informational.

Fault: On demand scan failed
Description/Cause: Scan failed because the connection to the Vulnerability Manager Scan Engine was refused. <Connection has been reset by Foundstone Server. Unable to communicate with Foundstone Server. FoundScan Engine may not be reachable, or failed to resolve Fully Qualified Domain Name. SSL handshake with FoundScan Engine failed.>, <Please check if the FS API Service port has been blocked by a firewall or if a valid port has been specified. Please check the ems log for more details. Try adding the engine host name entry to the DNS server, or try adding an entry for the engine IP and host name in the hosts file located in windows\system32\drivers\etc. No trusted certificate found; please check the Foundstone version and the certificates used for communication. Please check if the FS API Service port has been blocked by a firewall or if a valid port has been specified.>
Action: See the fault message.

Fault: Failed to import a non-MVM vulnerability assessment report
Description/Cause: The report file may not have been found or is in an invalid format.

Advanced Threat Defense connectivity

Fault: Communication failure with the Advanced Threat Defense device
Description/Cause: The Manager is unable to establish connectivity with the Advanced Threat Defense (ATD) device. See the system log for details. Any connectivity issue with the ATD will generate this fault, including ATD device failure, network connectivity failure, and even situations where the network cable is detached from the Manager server.
Action: This fault clears when communication with the ATD is restored.

Fault: Advanced Threat Defense certificate download failure
Description/Cause: Cannot push the Advanced Threat Defense certificate to device <Sensor_name>. See the system log for details. Occurs when the Manager cannot push the Advanced Threat Defense certificate to a device. Could result from a network connectivity issue.

Central Manager

Fault: Central Manager custom attack synchronization failed
Description/Cause: Port conflict in Central Manager custom attack definition synchronization. Port <port_name> is already in use. Free this port for Central Manager synchronization to succeed.
Action: Free this port for McAfee Network Security Central Manager synchronization to succeed.

Fault: Deleted Manager information
Description/Cause: The Manager information <mgr_ip_address> has been deleted. Reason: <The action Standalone to MDR was received where the peer already has <standby_manager> configured; hence the Manager info of <standby_managers> is being deleted. This LM will no longer be trusted.>
Action: See the fault message.

Fault: Manager <Manager_name> unreachable
Description/Cause: Connectivity with Manager <Manager_name> has been lost. Indicates that the McAfee Network Security Central Manager and the McAfee Network Security Manager cannot communicate with each other: the connection between the two may be down, or the Manager has been administratively disconnected.
Action: Troubleshoot connectivity issues: 1) check that a connection route exists between the Network Security Central Manager and the McAfee Network Security Manager; 2) access the McAfee Network Security Manager/McAfee Network Security Central Manager directly. This fault clears when the Manager detects the Sensor again.

Fault: Manager <Manager_name> MDR error
Description/Cause: Manager <Manager_name> detected in Standby mode. The peer Manager <peer_manager_name> is either not reachable or does not have <configuration> data.
Action: If the Manager that has moved to MDR mode is a McAfee Network Security Central Manager, make the Central Manager that has all the Network Security Managers' data Active, or re-form the MDR. If the Manager that has moved to MDR mode is a McAfee Network Security Manager, make the Manager that has the Central Manager data Active, or make sure that the active Manager has the Central Manager configuration data.

Fault: MDR configuration conflict for Manager <Manager_name>
Description/Cause: The Manager <Manager_name> used to be in the <previousip>/<previouspeerip> MDR configuration and is now in the <currentip>/<currentipspeer> MDR configuration, and the primary Manager <currentip> is not active and its peer <currentipspeer> does not have <ICC> configured. Or: Manager <primary_mgr_ip> is in <standalone/mdr pair> mode, and its peer Manager <secondary_mgr_ip> is in <standalone/mdr pair> mode.
Action: Correct the MDR pair.

Fault: MDR pair changed
Description/Cause: A configuration setting for the Local Manager or Central Manager has changed. The IP addresses of the underlying MDR pair have changed. The fault displays the new IP addresses of the primary and secondary Manager.
Action: Correct the MDR pair.

Fault: The Manager <Manager_name> is not reachable
Description/Cause: Indicates that the Network Security Central Manager and the Manager cannot communicate with each other: the connection between the two may be down, or the Manager has been administratively disconnected.
Action: 1 Check that a connection route exists between the Network Security Central Manager and the Manager. 2 Access the Manager or the Network Security Central Manager directly. This fault clears when the Manager detects the Sensor again.

Fault: No communication exists between Central Manager and Manager
Description/Cause: Indicates that the Central Manager server and the Manager cannot communicate with each other. The connection between the two may be down, or the Central Manager has been administratively disconnected.
Action: 1 Check that a connection route exists between the Central Manager and the Manager. 2 Access the Manager directly. This fault clears when the Manager detects the Sensor again.

Fault: Central Manager custom attack synchronization failed
Description/Cause: Port conflict in McAfee Network Security Central Manager UDS synchronization. Port already in use by UDS. Free this port for Central Manager synchronization to succeed.
Action: Free this port for McAfee Network Security Central Manager synchronization to succeed.

Fault: Trust request failure
Description/Cause: The trust request has failed. Error message: <exception string>. The trust request has failed because Manager <McAfee Network Security Central Manager> may not be reachable; please confirm the Manager IP address and that its service is up and running. The trust request has failed because Manager <McAfee Network Security Central Manager> has not yet been configured. The trust request has failed because the <McAfee Network Security Central Manager> already has a trust using the configured name; the previous trust with <McAfee Network Security Central Manager> may represent this Manager or another, and the solution is to delete and re-add the configuration with <McAfee Network Security Central Manager>. The trust request has failed because the configured Manager is in MDR mode, and no active <McAfee Network Security Central Manager> Manager has been detected with which to establish the trust. The trust request failed due to an internal error; see the additional text information.

Alert queue threshold alarms

Fault: Alert save failed
Description/Cause: The Manager was unable to access the alert tables in the database. Error Message: <exception string>.
Action: An attempt to save alerts to the database failed, most likely due to insufficient database capacity. Please ensure that the disk space allocated to the database is sufficient, and try the operation again.

Fault: Alert capacity threshold exceeded
Description/Cause: <Percentage value>% capacity. Number of alerts: <Number of alerts> (Database maintenance and tuning is required.)
Action: Please perform maintenance operations to clean and tune the database.

Fault: Database connectivity problems
Description/Cause: The Manager is having problems communicating with its database. Error Message: <exception string>.
Action: Please check if the database service is running and connectivity is present.

Fault: Database connectivity lost
Description/Cause: The Manager has lost connectivity with its database. Error Message: <exception string>
Action: Please check the DB connectivity.

Fault: Database integrity error
Description/Cause: Unable to locate index file for table: <index_file_name>.
Action: Repair the corrupt database tables.

Fault: Alert capacity threshold exceeded
Description/Cause: As with the "Approaching alert capacity threshold" fault message, this message indicates the percentage of space occupied by alerts in the database. This message appears once you have exceeded the alert threshold specified in Manager Maintenance.
Action: Perform maintenance operations to clean the database. Delete unnecessary alerts, such as alerts older than a specific number of days. Failure to create additional space could cause undesirable behavior in the Manager.

Licensing

Fault: License expires soon
Description/Cause: Indicates that your Network Security Platform license is about to expire; this fault first appears 7 days prior to expiration.
Action: Contact licensing@mcafee.com for a current license. This fault clears when the license is current. Please contact Technical Support or your local reseller.

Fault: License expired
Description/Cause: Indicates that your Network Security Platform license has expired.
Action: Contact licensing@mcafee.com for a current license. This fault clears when the license is current.

Fault: Virtual IPS Sensor Insufficient Licenses Detected
Description/Cause: When the number of virtual IPS Sensors installed exceeds the number of licenses purchased, this fault appears in the Manager.
Action: Import the required licenses to the Manager before installation, or contact Technical Support or your local reseller.

Manager error faults

These are the error faults for a Manager and Central Manager.

Fault: Anti-virus DAT file error
Severity: Error
Description/Cause: A device is detecting an error on av-dat file segment <segment_id>. The segment error cause is <unknown cause>, and the download type is <init/update>.
Action: Make sure that the Sensor is online and in good health. The Manager will make another attempt to push the file to the Sensor. This fault will clear when the av-dat file is successfully pushed to the Sensor.

Fault: Device in bad health
Severity: Error
Description/Cause: Please check the running status of device <device_name>. This fault occurs with any type of device software failure. (It usually occurs in conjunction with a software error fault.)
Action: If this fault persists, we recommend that you perform a Diagnostic Trace and submit the trace file to Technical Support for troubleshooting.

Fault: ePO Server Connection Error
Severity: Error
Description/Cause: The Manager has no connection to the configured ePO server.
Action: Indicates that the Manager has no connection to the configured ePO server. This can be due to network connectivity issues, incorrect credentials, or incorrect configuration. Refer to the ePO integration documentation for more information.

Fault: Export of custom policy error
Severity: Error
Description/Cause: Error: "Script takes long time". Click Stop the script. Custom policy export always fails when using Internet Explorer 10 in combination with Windows Server 2008/2012.
Action: Disable Internet Explorer Enhanced Security Configuration. To disable it, go to Control Panel > Add or Remove Programs > Add/Remove Windows Components; the Windows Components Wizard window opens. Select Internet Explorer Enhanced Security Configuration and click Next.

Fault: Firewall filter application error
Severity: Error
Description/Cause: Error applying firewall filter <FILTER: [AttackID=<attackId>] [VidsID=<vidsId>] [SrcIP=<srcIP>] [DstIP=<dstIP>] [Port=<port>] [Protocol=<protocol>] [type=<typestring>]>. An attempt to apply this firewall filter from the device to the firewall has failed. Failure reason: <Exceed Max Number of Filters / Error Applying Filter / Timeout During Adding Filter / Unknown Host Isolation Error#>
Action: Check your firewall configuration. If possible, increase the maximum number of available filters. Ensure connectivity between the Sensor and the firewall. IP:

Fault: IPS quarantine block nodes exhausted
Severity: Error
Description/Cause: When the number of quarantine rules exceeds the maximum permitted limit, the Central Manager raises a fault message to the Manager. This can be viewed as an alert in the Attack Log page. For more information on quarantine and remediation functionality, see Quarantine settings.
Action: You can have up to 1000 Quarantine rules for IPv4 addresses, and up to 500 Quarantine rules for IPv6 addresses.

Fault: MLC Server Connection Error
Severity: Error
Description/Cause: The Manager has no connection to the configured MLC server.
Action: Indicates that the Manager has no connection to the configured MLC server. This can be due to an incorrect certificate import, network connectivity issues, or issues internal to the MLC server. Refer to the MLC integration documentation for more information.

Fault: Scheduled botnet detector deployment failure
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled botnet detector deployment to the device. This is because of connectivity issues between the Manager and the device, or invalid botnet detectors.
Action: This fault clears automatically once deployment is successful.

Fault: Incident update failed
Severity: Error
Description/Cause: The Manager is unable to accept more incidents from the Incident Generator because you have reached the maximum number of incidents that can be accepted by the Manager.
Action: Delete old incidents to provide room for incoming incidents.

Mail server and queue

Fault: Alert queue full
Severity: Error
Description/Cause: The Manager has reached its limit <queue_size_limit> for alerts that can be queued for storage in the database. (<no_of_alerts> alerts dropped)
Action: Indicates that the Manager has reached the limit (default of 100,000) of alerts that can be queued for storage in the database. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Fault: E-mail server unreachable
Severity: Error
Description/Cause: Connection attempt to server <mail server> failed. Error: <Messaging Exception String>.
Action: This fault indicates that the SMTP mailer host is unreachable, and occurs when the Manager fails to send an e-mail notification or a scheduled report. This fault clears when an attempt to send the e-mail is successful.

Fault: Packet log queue full
Severity: Error
Description/Cause: The Manager packet log queue has reached its maximum size of <pktlog_queue_size_limit>. (<no_of_pktlogs_dropped> packets) The Manager packet log queue has reached its maximum size (default 200,000 alerts), and is unable to process packet logs until there is space in the queue.
Action: The Manager packet log queue has reached its maximum size (default 200,000 packets), and is unable to process packets until there is space in the queue. Packets are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the packet logs you are receiving to see what is causing the heavy traffic on the Sensor(s). Also see the suggested actions for the alert "Unarchived, queued alert count full".

Fault: Packet capturing error
Severity: Error
Description/Cause: The device detected an error connecting to the SCP server while attempting to transfer a packet capture file. The device is unable to send the packet capture file via SCP. The device has stopped capturing packets due to insufficient internal memory. The device experienced an internal error while performing the packet capture. The device is unable to authenticate with the target server to transfer a packet capture file.
Action: The device will attempt to recover automatically. Check the Packet Capture configuration.

Fault: Queue size full
Severity: Error
Description/Cause: The Manager alert queue has reached its maximum size (default 200,000 alerts), and is unable to process alerts until there is space in the queue. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity.
Action: Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Fault: Alert queue threshold alarms
Description/Cause: The Manager alert slow consumer (SNMP Trap forwarder) queue has reached its maximum size of alerts dropped)
Action: The Manager alert slow consumer (SNMP Trap forwarder) queue has reached its maximum size, and is unable to forward alerts until there is space in the queue. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Fault: Syslog Server unreachable
Severity: Error
Description/Cause: Connection attempt to Syslog server <server address> failed. Error: <Syslog TCP connection failed>.
Action: This fault indicates that the Syslog server is unreachable, and occurs when the Manager fails to send a syslog notification. This fault clears when an attempt to send the syslog message is successful.

Fault: Unarchived, queued packet log count full
Severity: Error
Description/Cause: Indicates that the Manager has reached the limit (default of 100,000) of packet logs that can be queued for storage in the database. Also indicates the number of dropped packet logs.
Action: Indicates that the Manager has reached the limit (default of 100,000) of packets that can be queued for storage in the database. Packets are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the packets you are receiving to see what is causing the heavy traffic on the Sensor(s).

Update device configuration

Fault: Device configuration update failed
Severity: Error
Description/Cause: A device configuration update failed to be pushed from the Manager server to the Sensor.
Action: See the ems.log file to isolate the reason for the failure.

Alert capacity monitor

Fault: Approaching alert capacity threshold
Severity: Error
Description/Cause: <Percentage_value>% capacity. Number of alerts: <number_of_alerts>. (Database maintenance and tuning is recommended.)
Action: Please perform maintenance operations to clean and tune the database.

Fault: Approaching alert capacity
Severity: Error
Description/Cause: Current database size is <x> GB and disk capacity is <y>.

Fault: Alert pruning failure
Severity: Error
Description/Cause: The Manager was unable to prune alerts and packet logs during normal maintenance. Error Message: <exception string>.
Action: Check your database connections.

Device upload scheduler

Fault: Scheduled callback detector deployment failure
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled BOT DAT deployment to the device <Sensor_name>.
Action: Indicates that the Manager was unable to perform the scheduled BOT DAT deployment to the Sensor. This is because of network connectivity problems between the Manager and the Sensor, or an invalid DAT file. This fault clears when an update is sent to the Sensor successfully.

Fault: Scheduled IPS signature set deployment failure
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled signature set deployment to the device. Error Message: <exception string>.
Action: This fault can indicate problems with network connectivity between the Manager and the Sensor, incompatibility between the update set and the Manager software, compilation problems with the signature update set, or an invalid update set. This fault clears when an update is sent to the Sensor successfully.

Real-time update scheduler

Fault: Real-time Scheduler - signature set update from Manager to Sensor failed
Severity: Error
Description/Cause: Unable to make the scheduled signature set update from the Manager to the Sensor.
Action: This fault can indicate problems with network connectivity between the Manager and the Sensor. This fault clears when a signature update is applied successfully.

Fault: Scheduled real-time update from Update Server to Manager failed
Severity: Error
Description/Cause: Unable to make the scheduled update of Manager signature sets. This fault can indicate, for example, problems with network connectivity between the Update Server and the Manager or between the Manager and the Sensor; invalid update sets; or update sets that were not properly signed.
Action: This fault clears when a signature update is applied successfully.

Fault: Scheduled BOT DAT signature set download failure
Severity: Error
Description/Cause: The Manager is unable to perform the scheduled BOT DAT signature set download from the GTI Server. Error Message: <exception string>.
Action: This fault can indicate problems with network connectivity between the GTI Server and the Manager, or an invalid BOT DAT file. This fault clears automatically once a new signature set update is successfully installed.

Fault: Scheduled IPS signature set download failure
Severity: Error
Description/Cause: The Manager is unable to perform the scheduled signature set download from the Update Server. Error Message: <exception string>.
Action: This fault can indicate problems with network connectivity between the Update Server and the Manager; invalid update sets; or update sets that were not properly signed. This fault clears when a signature update is applied successfully.

Fault: Queue size full
Severity: Error
Description/Cause: The Manager alert queue has reached its maximum size (default 200,000 alerts), and is unable to process alerts until there is space in the queue. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity.
Action: Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Manager Disaster Recovery (MDR)

Fault: MDR synchronization failure
Severity: Error
Description/Cause: There was a problem while retrieving data from the peer Manager; the synchronization process has been aborted.
Action: Check whether the peer Manager machine is reachable from this machine.

Manager warning faults

These are the warning faults for a Manager and Central Manager.

Fault: Disk Space Warning
Severity: Warning
Description/Cause: Raised when the utilized disk space on the Manager server is between 80% and 89%. Example: used disk space = 80% invokes a warning; used disk space = 79% does not result in any fault.
Action: Make sure that the drive where the Manager is installed has sufficient disk space.

Fault: Failed to backup IDS Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Delete previous versions.

Fault: Failed to backup IDS Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Please contact Technical Support or your local reseller.

Fault: Failed to backup Recon Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Please contact Technical Support or your local reseller.

Fault: Failed to backup Recon Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Delete previous versions.

Fault: Initiating Audit Log file rotation
Severity: Warning
Description/Cause: The Audit Log capacity of the Manager was reached, and the Manager will begin overwriting the oldest records with the newest records (first in, first out). The fault indicates the number of records that have been written to the audit log; an equal number of audit log records are now being overwritten. This fault is raised after a configured number of records has been written.
Action: No action is required. The capacity is configured in the iv_emsproperties table in MySQL; this option can be turned off. If this feature is enabled, Audit Log rotation is initiated when disk capacity or audit log capacity is reached.

Fault: Invalid Malware File Archive Storage Settings
Severity: Warning
Description/Cause: The available free disk space on the Manager is less than the disk space required to support the current malware storage settings.
Action: Reduce the maximum disk space allowed for one or more file types.

Fault: MLC IP - User mapping/user count exceeds limit
Severity: Warning
Description/Cause: Currently, NSM-MLC integration supports only IP-user mapping and users. One of these has been exceeded, so the device behavior cannot be guaranteed until these numbers are brought down.
Action: Check the MLC server configured with this Manager. Consider reducing the number of users/computers monitored by MLC.

Fault: Packet capture complete
Severity: Warning
Description/Cause: The device is near capacity. Packet captures might not capture all packets.
Action: Check the Packet Capture configuration and restart it if required.

Fault: Policy Update Failed
Severity: Warning
Description/Cause: Failed to update the following policies during Signature Set import. Please edit the policy to fix the issue.
Action: Please edit the policy to fix the issue.

Fault: System startup in progress; alerts being restored
Severity: Warning
Description/Cause: System startup restored alerts from the archive file. The Attack Log page may not show all alerts.
Action: The Attack Log page may not show all alerts.

Fault: MLC User count exceeds limit
Severity: Warning
Description/Cause: Currently, NSM-MLC integration supports only users. This has been exceeded, so the Sensor behavior cannot be guaranteed until these numbers are brought down.
Action: Consider reducing the number of users MLC is monitoring.

Fault: Sending MLC Bulk Update file Failed
Severity: Warning
Description/Cause: MLC bulk update failed on the Sensor.
Action: NSM will retry sending the bulk update.

Vulnerability Manager configuration

Fault: IPS policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>. See ems logs.

Fault: IPS policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>. The maximum limit of <value> has been reached.
Action: Delete previous versions.

Fault: Reconnaissance policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>. See ems logs.

Fault: Reconnaissance policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>. The maximum limit of <value> has been reached.
Action: Delete previous versions.

Fault: A non-MVM vulnerability assessment report has been imported with warnings
Severity: Warning
Action: The timestamp on the newly imported report is the same as or older than that of the previously imported report. Confirm that your process to copy new report files to the Manager file system is functioning properly.

Policy synchronization

Fault: Policy synchronization aborted
Severity: Warning
Description/Cause: Policy synchronization has aborted because concurrent processes are running on the Manager.
Action: Policy synchronization aborted because concurrent processes are running on the Network Security Manager.

Scheduled configuration report

Fault: Scheduled reports error
Severity: Warning
Description/Cause: Report generation failed for report template <report_template_name> because one or more of the selected resources is no longer available.
Action: Edit and save the disabled template in Report Generation.

Manager Disaster Recovery (MDR)

Fault: MDR - IPv4 and IPv6 address configuration
Severity: Warning
Description/Cause: You have specified only the peer Manager <IPv4/IPv6> address. So you cannot add any <IPv4/IPv6> devices to the current Manager, nor will the existing <IPv4/IPv6> devices be able to communicate with the peer Manager.
Action: If a device needs to communicate with the Manager over IPv6 and the Manager is in MDR mode, MDR has to be reconfigured to include the IPv6 address of the peer Manager.

Manager Reboot

Fault: Manager shutdown was not graceful
Severity: Warning
Description/Cause: The Manager was not shut down gracefully. (Database tuning is recommended.)
Action: Perform database tuning (dbtuning) to fix possible database inconsistencies that may have resulted. Tuning may take a while, depending on the amount of data currently in the database.

Manager informational faults

These are the informational faults for a Manager and Central Manager.

Fault: Alert Archival state has changed
Severity: Informational
Description/Cause: The alert archival process has started.
Action: This message is for user information. No action required.

Fault: Command to invoke upload internal hosts process to NSM
Severity: Informational
Description/Cause: The internal host information is sent to the Manager.
Action: This message is for user information. No action required.

Fault: Cluster software initialization status
Severity: Informational
Description/Cause: Device software has been initialized.
Action: On initialization failure, check that the cluster cross-connects are present as documented.

Fault: Custom attacks are being saved to the Manager
Severity: Informational
Description/Cause: One or more custom attack definitions are in the process of being saved from the Custom Attack Editor to the Manager.
Action: This message is for user information. No action required.

Fault: Database backup in progress
Severity: Informational
Description/Cause: A database backup is in progress.
Action: This message is informational.

Fault: Data dump retrieval from peer has been completed successfully
Severity: Informational
Description/Cause: The data dump retrieval from the peer has been completed successfully.
Action: This message is for user information. No action required.

Fault: Data dump retrieval from peer is in progress
Severity: Informational
Description/Cause: The data dump retrieval from the peer is in progress.
Action: This message is for user information. No action required.

Fault: Database backup failure
Severity: Informational
Description/Cause: Unable to back up database tables. This message indicates that an attempt to manually back up the database has failed. The most likely cause of failure is insufficient disk space on the Manager server; the backup file may be too big.
Action: Check your disk capacity to ensure there is sufficient disk space, and try the operation again.

Fault: Manager Request is not from Trusted IP Address
Severity: Informational
Description/Cause: The Manager request is not from a trusted IP address.
Action: Ensure the peer Manager is not already in MDR with another Manager.

Fault: Custom attack overridden by signature set
Severity: Informational
Description/Cause: One or more custom attack definitions have been incorporated into the current signature set and therefore removed as custom attacks.
Action: This message is informational and indicates that an emergency McAfee-provided UDS signature has been appropriately overwritten as part of a signature set upgrade.

Fault: Packet capture file transfer status
Severity: Informational
Description/Cause: The device has started sending the packet capture file via SCP. The device has completed sending the packet capture file via SCP. The device has stopped capturing packets because it has reached the configured maximum capture file size. The device has stopped capturing packets because it has reached the configured maximum duration. The device is ready to transfer the packet capture file to the Manager.
Action: This message is informational.

Fault: Packet Log Archival state has changed
Severity: Informational
Description/Cause: Indicates that the packet log archival state has changed.
Action: This message is for user information. No action required.

Fault: Scheduler - Signature download from Manager to Sensor failed
Severity: Informational
Description/Cause: Scheduler - Signature download from Manager to Sensor has failed.
Action: This message is for user information. No action required.

Fault: Sensor software image or signature set import in progress
Severity: Informational
Description/Cause: A Sensor software image or signature set file is in the process of being imported from the Network Security Platform Update Server to the Manager server.
Action: This message is for user information. No action required.

Fault: Signature set update failed
Severity: Informational
Description/Cause: Signature set update failed while transferring from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Fault: Signature set update not successful
Severity: Informational
Description/Cause: The attempt to import the IPS signature set into the Manager was not successful.
Action: You must re-import a signature set before performing any action on the Manager. A valid signature set must be present before any action can be taken in Network Security Platform.

Fault: Switchback has been completed, the primary Manager has got the control of Sensors now
Severity: Informational
Description/Cause: N/A
Action: This message is for user information. No action required.

Fault: System startup in process - alerts being restored
Severity: Informational
Description/Cause: The Manager is starting up and restoring alerts from the device archive file. The Attack Log page may not show all alerts until the Manager is fully online.
Action: You need to restart the Manager to view the restored alerts in the Attack Log page.

Fault: Syslog Forwarder is not configured for the Admin Domain: <Admin Domain Name> to accept the ACL logs
Severity: Informational
Description/Cause: ACL logging is enabled, but no Syslog server has been configured to accept the log messages.
Action: Configure a Syslog server to receive forwarded ACL logs.

Fault: Successful connection to McAfee update server for updates
Severity: Informational
Description/Cause: Successfully connected to the McAfee update server for updates.
Action: This message is informational.

Fault: Successful scheduled DAT file download
Severity: Informational
Description/Cause: The scheduled DAT file download from the McAfee GTI Server to the Manager was successful.
Action: This message is for user information, no action required.

Fault: UDS export to the Manager in progress
Severity: Informational
Description/Cause: One or more UDS are in the process of being exported from the Custom Attack Editor to the Manager server.
Action: This message is for user information. No action required.

Fault: Scheduled botnet detectors download is in progress
Severity: Informational
Description/Cause: The scheduled botnet detectors download from the McAfee update server to the Manager is in progress.
Action: This message is informational.

Fault: Successful scheduled botnet detectors download
Severity: Informational
Description/Cause: The scheduled botnet detectors download from the McAfee update server to the Manager was successful.
Action: This message is informational.

Fault: Automatic botnet detectors deployment in progress
Severity: Informational
Description/Cause: A new botnet detectors version has recently been downloaded from the McAfee update server to the Manager and is now being deployed to the devices.
Action: This message is informational.

Fault: Successful automatic botnet detectors deployment
Severity: Informational
Description/Cause: A new botnet detectors version has recently been downloaded from the McAfee update server to the Manager and successfully deployed to the devices.
Action: This message is informational.

Fault: Botnet detectors deployment in progress
Severity: Informational
Description/Cause: A new botnet detectors version has recently been downloaded from the McAfee update server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Successful scheduled botnet detectors deployment
Severity: Informational
Description/Cause: A new botnet detectors version has recently been downloaded from the McAfee update server to the Manager and is being deployed to the devices.
Action: This message is informational.

Vulnerability Manager configuration

Fault: Successful vulnerability data import from Vulnerability Manager
Severity: Informational
Description/Cause: Vulnerability data successfully imported from the Foundstone database server into the ISM database table. No vulnerability records found for import from the Foundstone database.
Action: This message is informational.

Fault: Vulnerability data import from Vulnerability Manager failed
Severity: Informational
Description/Cause: Scheduled Vulnerability Manager vulnerability data import has failed.
Action: Refer to the error logs for details.

Fault: Successful vulnerability data import from Vulnerability Manager
Severity: Informational
Description/Cause: This message indicates that the vulnerability data import from the McAfee Vulnerability Manager database is successful.
Action: This message is informational.

Fault: Successful import of a non-MVM vulnerability assessment report
Severity: Informational
Description/Cause: For more information on importing vulnerability data reports in the Manager, see Importing Vulnerability Scanner Reports in the McAfee Network Security Platform Integration Guide.

Policy synchronization

Fault: Deleted NSCM rule set in use
Severity: Informational
Description/Cause: Rule set is currently assigned to one or more resources. Create a clone before deletion.
Action: Remove the reference and try again.

Fault: Deleted NSCM attack filter in use
Severity: Informational
Description/Cause: Attack filter is currently assigned to one or more resources. Create a clone before deletion.
Action: Remove the reference and try again.

Fault: Deleted NSCM policy in use
Severity: Informational
Description/Cause: Policy is currently assigned to one or more resources. Create a clone before deletion.
Action: Remove the reference and try again.

Central Manager

Fault: Deleted NSCM exception object in use
Severity: Informational
Description/Cause: Exception object is applied on resource(s). Creating a clone before deletion.
Action: Deleted Network Security Central Manager exception object is applied on resource(s). Remove the reference and try again.

Fault: Deleted NSCM policy in use
Severity: Informational
Description/Cause: Deleted Central Manager policy is in use. Policy <policy name> is applied on resources. Creating clone <policy name> before deletion.
Action: Remove the reference and try again.

Fault: Reset to standalone has been invoked; the Primary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the Primary Manager is standalone and is in control of Sensors.
Action: This message is for user information, no action required.

Fault: Reset to standalone is invoked; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the Secondary Manager is standalone and is in control of Sensors.
Action: This message is for user information, no action required.

Fault: Reset to standalone is invoked; the <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the current Manager is standalone and in control of Sensors.
Action: This message is for user information. No action required.

Fault: Reset to standalone has been invoked; the peer <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the peer Manager is standalone and in control of Sensors.
Action: This message is for user information. No action required.

Alert queue threshold alarms

Fault: Alert archival in progress
Severity: Informational
Description/Cause: The Manager is archiving alerts.
Action: Wait for the alert archival to complete.

Fault: Packet log archival in progress
Severity: Informational
Description/Cause: The Manager is archiving packet logs.
Action: Wait for the packet log archival to complete.

Manager Disaster Recovery (MDR)

Fault: Manager version mismatch. Primary Manager has latest version
Severity: Informational
Description/Cause: The two Managers in an MDR configuration must have the same Manager software version installed. The Primary Manager software is more recent than that of the Secondary Manager.
Action: Ensure the two Managers run the same software version.

Fault: Manager version mismatch. Secondary Manager has latest version
Severity: Informational
Description/Cause: The two Managers in an MDR configuration must have the same Manager software version installed. The Secondary Manager software is more recent than that of the Primary Manager.
Action: Ensure the two Managers run the same software version.

Fault: MDR synchronization in progress
Severity: Informational
Description/Cause: The synchronization from the peer Manager is in progress.
Action: This message is for user information. No action required.

Fault: MDR - Manager <Central Manager/Manager> switched from <Standalone/MDR> to <MDR/Standalone> mode
Severity: Informational
Description/Cause: Manager <(mgr_name) OR (ICC) (mgr_name)> is taking control. The Manager <mgr_name> is <Primary/Secondary> and its peer Manager, <peer_mgr_ip_addr>, is <Primary/Secondary>.
Action: See the fault message.

Fault: MDR manual switch over successful; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery initiated via a manual switchover has completed successfully. The Secondary Manager is now in control of Sensors.
Action: This message is for user information. No action required.

Fault: MDR automatic switchover has been completed; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery switchover has been completed; the Secondary Manager is in control of Sensors.
Action: Failover has occurred; the Secondary Manager is now in control of the Sensors. Troubleshoot problems with the Primary Manager and attempt to bring it online again. Once it is online again, you can switch control back to the Primary.

Fault: MDR configuration information retrieval from Primary Manager successful
Severity: Informational
Description/Cause: The Manager Disaster Recovery Secondary Manager has successfully retrieved configuration information from the Primary Manager.
Action: This message is for user information. No action required.

Fault: Successful MDR manual switchover. The Secondary <Manager/Central Manager> is in control of the <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery has completed via a manual switchover. The Secondary Manager is now in control of Sensors.
Action: This message is for user information, no action required.

Fault: MDR operations have been resumed
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been resumed. Failover functionality is again available.
Action: This message is for user information, no action required.

Fault: MDR operations have been suspended
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been suspended. No failover will take place while MDR is suspended.
Action: This message is for user information, no action required.

Fault: MDR switchback has been completed; the Primary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery switchback has been completed; the Primary Manager has regained control of Sensors.
Action: This message is for user information, no action required.

Fault: MDR pair is changed
Severity: Informational
Description/Cause: McAfee Network Security Central Manager (Central Manager) has an MDR pair created and the Manager is in disconnected mode. If the Central Manager MDR pair is dissolved and recreated, making the existing primary Manager the secondary Manager and the existing secondary Manager the primary Manager, this fault is raised.
Action: Dissolve and re-create an MDR pair.

Fault: McAfee Network Security Manager Type mismatch
Severity: Informational
Description/Cause: The two Managers in an MDR configuration must have the same Manager Type.
Action: Ensure both Managers are of the same Type (McAfee Network Security Central Manager or McAfee Network Security Manager).

Fault: Successful MDR synchronization from <McAfee Network Security Central Manager/McAfee Network Security Manager>
Severity: Informational
Description/Cause: The secondary <Central Manager/Manager> has successfully retrieved configuration information from the primary <Central Manager/Manager>.
Action: This message is informational.

Fault: Successful MDR switchback. (Primary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The MDR switchback has completed without error. (The primary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: Successful MDR manual switchover. (Secondary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The administrator-initiated MDR switchover has completed without error. (The secondary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: MDR - Reset to standalone invoked
Severity: Informational
Description/Cause: The MDR pair has been reset to standalone Managers. This <Central Manager/Manager> is standalone and will take control of the <Managers/Sensors>.
Action: This message is informational.

Fault: MDR - Reset to standalone invoked
Severity: Informational
Description/Cause: (This <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: The MDR pair has been reset to standalone Managers. The peer <Central Manager/Manager> is standalone and will take control of the <Managers/Sensors>.

Fault: MDR has been canceled
Severity: Informational
Description/Cause: Manager Disaster Recovery has been cancelled.
Action: This message is informational.

Fault: MDR automatic switchover detected. (Secondary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: An automatic MDR switchover has completed without error. (The secondary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: MDR manual switchover in progress. (Secondary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The administrator has initiated an MDR switchover. (The secondary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: Successful MDR pair creation
Severity: Informational
Description/Cause: Manager Disaster Recovery (MDR) has been successfully configured.
Action: This message is for user information, no action required.

Fault: Successful MDR synchronization in progress
Severity: Informational
Description/Cause: Synchronization from the peer Manager has been completed successfully.
Action: This message is for user information. No action required.

Fault: MDR suspended
Severity: Informational
Description/Cause: Manager Disaster Recovery has been administratively suspended. (No switchover will take place while MDR is suspended.)
Action: This message is informational.

Fault: MDR resumed
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been resumed by the administrator. Failover functionality is again available.
Action: This message is informational.

Fault: MDR - Device-to-Manager IP mismatch
Severity: Informational
Description/Cause: The device-to-manager communication IP <Manager_ip> does not match the peer Manager IP <peer_manager_ip>.
Action: Ensure that the Sensor-Manager communication IP matches the peer Manager's peer IP in the MDR configuration.

Fault: MDR - <McAfee Network Security Central Manager/McAfee Network Security Manager> version mismatch. (Peer <Central Manager/Manager> has newer version)
Severity: Informational
Description/Cause: The two <Central Manager/Manager>s in an MDR configuration must have the same <McAfee Network Security Central Manager/McAfee Network Security Manager> software version installed. The peer <McAfee Network Security Central Manager/McAfee Network Security Manager> server software is more recent than that of the current <Central Manager/Manager>.
Action: Ensure both Managers are running the same version of the Manager software.

Fault: MDR - Manager type mismatch
Severity: Informational
Description/Cause: The two Managers in an MDR pair must be of the same type (Manager versus Central Manager).
Action: Ensure both Managers are of the same Type (McAfee Network Security Central Manager or McAfee Network Security Manager).

Fault: MDR - <Central Manager/Manager> request is not from a trusted IP address
Severity: Informational
Description/Cause: The <Central Manager/Manager> request is not from a trusted IP address.
Action: Ensure the Peer Manager is not already in MDR with another Manager.

Fault: MDR - system time synchronization error
Severity: Informational
Description/Cause: The two Managers in an MDR pair must have the same operating system time.
Action: Ensure both Managers are in sync with current time, using the same time source. (Otherwise, the device communication channels will experience disconnects.)

Database archival

Fault: Alert archival in progress
Severity: Informational
Description/Cause: Alerts are currently being archived.
Action: Do not attempt to tune the database or perform any other database activity such as a backup or restore until the archival process successfully completes.

Fault: Successful alert archival
Severity: Informational
Description/Cause: The alert archival successfully completed.
Action: This message is for user information. No action required.

Database tuning

Fault: Database tuning in progress
Severity: Informational
Description/Cause: The Manager database is currently being tuned.
Action: The user cannot do the following operations during the tuning process: (1) viewing or modifying alerts from the Attack Log page; (2) generating IDS reports on alerts; (3) backing up or restoring all tables, or the alert and packet log tables; (4) archiving alerts and packet logs into files.

Fault: Database tuning recommended
Severity: Informational
Description/Cause: Database tuning is recommended. <no_of_days> days have passed since the last database tuning.
Action: Shut down the Manager and execute the Database Tuning Utility at the earliest opportunity.

Fault: Successful database tuning
Severity: Informational
Description/Cause: The Manager database was tuned without error.
Action: This message is for user information. No action required.

ACL logging

Fault: Required syslog forwarder missing
Severity: Informational
Description/Cause: Firewall logging has been enabled, yet no syslog server is currently defined/enabled for admin domain <admin_domain_name>.
Action: This message will appear until a Syslog server has been configured for use in forwarding ACL logs.

Update scheduler

Fault: Automatic callback detectors deployment in progress
Severity: Informational
Description/Cause: A new callback detector has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Automatic signature set deployment in progress
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and is now being deployed to the devices.
Action: This message is informational.

Fault: Callback detectors deployment in progress
Severity: Informational
Description/Cause: A new callback detectors version has recently been downloaded from the McAfee update server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Connecting to McAfee update server for updates
Severity: Informational
Description/Cause: Connecting to McAfee update server for updates.
Action: This message is informational.

Fault: Failed connection attempt to McAfee GTI Server
Severity: Informational
Description/Cause: Failed to connect to the McAfee GTI Server.
Action: This message is informational.

Fault: Scheduled signature set deployment in progress
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and is now being deployed to the devices, as scheduled.
Action: This message is informational.

Fault: Scheduled signature set download in progress
Severity: Informational
Description/Cause: A scheduled signature set update is in the process of downloading from the McAfee Update Server to the Manager server.
Action: This message is informational.

Fault: Scheduled callback detectors download is in progress
Severity: Informational
Description/Cause: The scheduled callback detectors download from the McAfee update server to the Manager is in progress.
Action: This message is informational.

Fault: Successful scheduled signature set deployment
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and successfully deployed to the devices, as scheduled.
Action: This message is informational.

Fault: Successful scheduled signature set download
Severity: Informational
Description/Cause: The scheduled signature set download from the McAfee Update Server to the Manager was successful.
Action: This message is informational.

Fault: Successful scheduled callback detectors download
Severity: Informational
Description/Cause: The scheduled callback detectors download from the McAfee update server to the Manager was successful.
Action: This message is informational.

Fault: Successful scheduled callback detectors deployment
Severity: Informational
Description/Cause: A new callback detectors version has recently been downloaded from the McAfee update server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Successful automatic callback detectors deployment
Severity: Informational
Description/Cause: A new callback detectors version has recently been downloaded from the McAfee Update Server to the Manager and successfully deployed to the devices.
Action: This message is informational.

Fault: Successful automatic signature set deployment
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and successfully deployed to the devices.
Action: This message is informational.

Fault: Update Scheduler in progress
Severity: Informational
Description/Cause: This message indicates that the update scheduler is in progress.
Action: This message is informational.

Signature download from Update Server to Manager

Fault: Signature set deployment in progress
Severity: Informational
Description/Cause: A signature set is in the process of being deployed from the Manager to the device.
Action: This message is informational.

Fault: Successful signature set download from Update Server
Severity: Informational
Description/Cause: The signature set was successfully downloaded from the McAfee Update Server to the Manager.
Action: This message is informational.

Update device configuration

Fault: Device configuration update in progress
Severity: Informational
Description/Cause: The Manager is in the process of pushing the configuration (and signature set, as applicable) to the device.
Action: This message is informational.

Fault: Signature set DAT file import is in progress
Severity: Informational
Description/Cause: A DAT file is being imported into the Manager.
Action: This message is for user information. No action required.

Fault: Device software, IPS signature set, or callback detectors import in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or callback detectors file is being imported into the Manager.
Action: This message is informational.

Fault: Device software, IPS signature set, or callback detectors download in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or callback detectors file is being downloaded from the McAfee Update Server to the Manager.
Action: This message is informational.

Fault: Successful IPS signature set download from the McAfee update server
Severity: Informational
Description/Cause: A signature set is in the process of being deployed from the Manager to the device.
Action: This message is informational.

Audit logger

Fault: Rotating audit logs
Severity: Informational
Description/Cause: The audit log capacity on the Manager is <value taken from ems property iv.policymgmt.ruleengine.circularauditLogMax> records. After this number of records is reached, the Manager will overwrite the oldest records with the newest records (that is, first in, first out). This fault indicates that <value taken from ems property iv.policymgmt.ruleengine.circularauditLogMax> records have been written to the audit log and that the oldest audit log records are now being overwritten. This fault will be raised every <value taken from ems property iv.policymgmt.ruleengine.circularauditLogMax> records written. No action is required. This is an informational fault.
Action: No action; this is an indicator to inform you that the audit log is being overwritten.

User defined signature

Fault: Custom attack overridden by signature set
Severity: Informational
Description/Cause: One or more custom attack definitions have been incorporated into the current signature set and therefore removed as custom attacks. Removed custom attacks: <list of removed custom attacks>
Action: This message is for user information. No action required.

Fault: Custom attack save in progress
Severity: Informational
Description/Cause: One or more custom attack definitions are in the process of being saved to the Manager.
Action: This message is informational.

Fault: Custom attack save successful
Severity: Informational
Description/Cause: One or more custom attack definitions have been successfully saved to the Manager.
Action: This message is for user information. No action required.

Backup Manager

Fault: Database backup is in progress
Severity: Informational
Description/Cause: A manual or scheduled database backup process is in progress.
Action: Do not attempt to tune the database or perform any other database activity such as an archive or restore until the backup process successfully completes.

Fault: Database backup successful
Severity: Informational
Description/Cause: The database backup was successful.
Action: This message is for user information. No action required.

Backup scheduler

Fault: Scheduled backup failed
Severity: Informational
Description/Cause: Unable to create backup for scheduled database.
Action: This fault indicates problems such as SQL exceptions, database connectivity problems, or out-of-disk-space errors. Check your backup configuration settings. This fault clears when a successful backup is made.

Mail server and queue

Fault: System startup in process - alerts being restored
Severity: Informational
Description/Cause: The Manager is starting up and restoring alerts from the device archive file. The Attack Log page may not show all alerts until the Manager is fully online.
Action: The Attack Log page may not show all alerts. Restarting the Manager is required to show the restored alerts in the Attack Log page.

Sensor faults

The Sensor faults can be classified into critical, error, warning, and informational. The Action column provides you with troubleshooting tips.

Sensor critical faults

These are the critical faults for a Sensor device.

Fault: Botnet detectors deployment failure
Description/Cause: Cannot deploy the botnet detectors to device <Sensor_name>.
Action: Occurs when the Manager cannot push the BOT DAT file to the Sensor. Could result from a network connectivity issue.

Fault: Bootloader upgrade failure
Description/Cause: The firmware upgrade has failed on the Sensor.
Action: Debug or reload the firmware on the Sensor.

Fault: Conflict in MDR Status
Description/Cause: Sensor found a conflict with MDR status; Manager IP address / MDR status.
Action: There is a problem with the MDR configuration. Check your MDR settings.

Fault: CRC Errors
Description/Cause: A recoverable CRC error has occurred within the Sensor.
Action: Reboot the Sensor, which may then resolve the issue causing the fault.

Fault: Cluster software mismatch status
Description/Cause: The software versions on the cluster primary and cluster secondary are not the same.
Action: Check for errors in the software image download to the cluster.

Fault: Device re-discovery failure
Description/Cause: The upload of device configuration information for device <Sensor_name> failed again after being triggered by the status polling thread. The device is not properly initialized.
Action: This fault occurs as a second part to the device discovery failure fault. If the condition of the Sensor changes such that the Manager can again communicate with it, the Manager again checks to see if the Sensor discovery was successful. This fault is issued if discovery fails, thus the Sensor is still not properly initialized. Check to ensure that the Sensor has the latest software image compatible with the Manager software image. If the images are incompatible, update the Sensor image via a TFTP server.

Fault: Device is unreachable
Description/Cause: SNMP ping failed: Device <Sensor_name> is unreachable through its command channel.
Action: Indicates that the device cannot communicate with the Manager: the connection between the device and the Manager is down, or the device has been administratively disconnected. Troubleshoot connectivity issues: 1) check that a connection route exists between the Manager and the device; 2) check the device's status using the <status> command in the device command line interface, or ping the device or the device's gateway to ensure connectivity. This fault clears when the Manager detects the device again.

Fault: Device dropping packets internally
Description/Cause: Device capacity has been reached. Device front end is overloaded.
Action: Reduce the amount of traffic passing through the Sensor, as there is an overload of traffic on the Sensor.

Fault: Device model change detected
Description/Cause: Device <Sensor_name> has been replaced by a different model <model_name>, which does not match the original model. The alert channel will not be able to establish a connection.
Action: Make sure you replace the model with the same Sensor model.

Fault: Device switched to Layer 2 bypass mode
Description/Cause: Device is now operating in Layer 2 bypass mode. (Inspection has been disabled.)
Action: The Sensor has experienced multiple errors, surpassing the configured Layer 2 mode threshold. Check the Sensor's status.

Fault: Device reboot required
Description/Cause: The SSL decryption state or supported flow count on device <Sensor_name> has been changed (new value = <value>). A device reboot is required to make the change take effect.
Action: Reboot the Sensor to cause the SSL change to take effect.

Fault: Dropping alerts and packet logs
Description/Cause: Manager is not communicating with the database; the alert and packet log queues are overflowing.
Action: Perform maintenance operations to clean and tune the database, or disable the dropping option.

Fault: Fail-open bypass switch timeout
Description/Cause: Communication has timed out between the Fail Open Controller in the Sensor's Compact Flash port and the Fail Open Bypass Switch. This situation has caused the Sensor to move to Bypass mode and traffic to bypass the Sensor.
Action: The fault could be the result of a cable being disconnected, or removal of the Bypass Switch. This fault clears automatically when communication resumes between the Fail Open Controller and Fail Open Bypass Switch.

Fault: Failed to create command channel association
Description/Cause: Command channel association creation failed for device <Sensor_name>. The device is not properly initialized. This error indicates a failure to create a secure connection between the Manager and the device, which can be caused by loss of time synchronization between the Manager and device or by the device not being completely online after a reboot.
Action: Restart the Manager and/or check the Sensor's operating status to ensure that the Sensor's health and status are good.

Fault: Failed to update the failover Sensor configuration
Description/Cause: Monitoring port IP settings are not configured for the ports that require them. For example, monitoring port IP settings are required for a monitoring port to export NetFlow data to NTBA and to implement require-authentication Firewall access rules.
Action: Either configure the Monitoring Port IPs for all the above ports, or disable those features.

Fault: Failover peer status
Description/Cause: This fault indicates whether the Sensor peer is up or down.
Action: This fault clears automatically when the Sensor peer is up.

Fault: Fan error
Description/Cause: One or more of the fans inside the Sensor have failed.
Action: You can also check the Sensor's front panel LEDs to see which fan has failed. If a fan is not operational, McAfee strongly recommends powering down the Sensor and contacting Technical Support to schedule a replacement unit. In the meantime, you can use an external fan (blowing into the front of the Sensor) to prevent the Sensor from overheating until the replacement is completed.

Fault: Fail-open bypass switch timeout
Description/Cause: The device is not able to communicate with the fail-open bypass switch.
Action: Check the external Fail-Open kit connections or the port pair configuration to restore Inline Fail-Open mode.

Fault: Firewall connectivity failure
Description/Cause: The connectivity between the device and the firewall is down.
Action: This fault can occur in situations where, for example, the firewall machine is down, or the network is experiencing problems. Ping the firewall to see if the firewall is available. Contact your IT department to troubleshoot connectivity issues.

Fault: Hardware error
Description/Cause: There is an error in a hardware component on the Sensor.
Action: Debug or replace the hardware component.

Fault: Sensor connectivity status with GTI server
Description/Cause: Sensor is unable to communicate with the GTI server. This fault will be cleared when the connection is restored.
Action: Message generated based on Sensor connectivity with the GTI Server.

Fault: Illegal In-line, fail-open configuration of <port_name>
Description/Cause: The Sensor is configured to operate with an external Fail-Open Module hardware component, but cannot detect the hardware.
Action: This error applies only to Sensors running in in-line mode with a gigabit port in fail-open mode (using the external Fail Open Module). When this fault is triggered, the port will be in bypass mode and will send another fault of that nature to the Manager. When appropriate configuration is sent to the Sensor (either the hardware is discovered or the configuration changes), the Sensor begins to operate in in-line fail-open mode. The Sensor requires appropriate hardware to support in-line, fail-open configuration on its gigabit ports. Ensure that the hardware is available and that the correct ports are in-line and configured to run in this mode.

Fault: Image downgrade detected
Description/Cause: Unsupported configuration upgrade/downgrade, default configurations are used. Image downgrade, please do a resetconfig. Unsupported configuration upgrades, default configurations are used. Image downgrade detected. Please execute <resetconfig> on the device CLI to complete the downgrade. Unsupported BOT DAT configuration detected after upgrade/downgrade. The default configuration will be used.
Action: This is an internal error. Check the Sensor status to see that the Sensor is online and in good health.

Fault: Internal configuration error
Description/Cause: An internal application communication error occurred on the device during <handling signature segments file/SNMP configuration request/other Sensor internal communication>.
Action: This is an internal error. Check the Sensor status to see that the Sensor is online and in good health.

Fault: Interface/sub-interface creation failure
Description/Cause: Device <Sensor_name> could not generate an interface or sub-interface. See the system log for details.

Fault: Invalid fail-open configuration: <port_pair_name>
Description/Cause: An invalid configuration has been applied to <port_pair_name>.
Action: This fault generally occurs in situations where the port in question is configured incorrectly. For example, a pair of ports is configured to be in different operating modes (1A is In-line while 1B is in SPAN). Check the configuration of the port pair for inconsistencies, then configure the port pair to run in the same operating mode.

Fault: Invalid SSL decryption key
Description/Cause: Device has detected invalid SSL decryption key: <SSL decryption key>
Action: User may need to re-import the server SSL decryption key.

Fault: Late Collision of <count Up/Down>
Description/Cause: This fault can indicate a problem with the setup or configuration of the 10/100 Ethernet ports or devices connected to those ports. It can also indicate a compatibility issue between the Sensor and the device to which it is connected.
Action: Check the speed and duplex settings on the Sensor ports and the peer device ports and ensure that they are the same.

Fault: Link failure of Port <port_name>
Description/Cause: The link between a Monitoring port on the Sensor and the device to which it is connected is down, and communication is unavailable. The fault indicates which port is affected. The link on port <port_name> is <up/down>. The link between port "<port_name>" and the device to which it is connected is down, and communication is unavailable.
Action: Contact your IT department to troubleshoot connectivity issues: check the cabling of the specified Monitoring port and the device connected to it; check the speed and duplex mode of the connection to the switch or router to ensure parameters such as port speed and duplex mode are set correctly; check power to the switch or router. This fault clears when communication is re-established.

Description/Cause: Users from all three FIPS mode roles (Audit Administrator, Crypto Administrator and Security Administrator) have logged onto the Manager at the same time.

Fault: License expires soon
Description/Cause: Your license is going to expire in less than 7 days.
Action: Please contact Technical Support or your local reseller.

Fault: Load Balancer fail-over configuration mismatch
Description/Cause: Load Balancer <Load_Balancer_name> reports that the fail-over peer configuration does not match.
Action: Verify the Load Balancer configuration. Both Load Balancers in a fail-over pair are expected to have the same configuration.

Fault: Load Balancer is unreachable
Description/Cause: Load balancer device <load_balancer_name> is unreachable through its command channel.
Action: Indicates that the load balancer cannot communicate with the Manager: the connection between the load balancer and the Manager is down, or the load balancer has been administratively disconnected. Troubleshoot connectivity issues: 1) check that a connection route exists between the Manager and the load balancer; 2) check the load balancer status using the status command in the load balancer command line interface, or ping the load balancer or the load balancer gateway to ensure connectivity to the load balancer. This fault clears when the Manager detects the load balancer again.

Fault: Malware File Archive Disk Usage (Compressed files)
Description/Cause: The disk usage for archived compressed files has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Malware File Archive Disk Usage (Executables)
Description/Cause: The disk usage for archived executables has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Malware File Archive Disk Usage (Office Files)
Description/Cause: The disk usage for archived office files has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Malware File Archive Disk Usage (PDFs)
Description/Cause: The disk usage for archived PDFs has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Manual Sensor Reboot Required
Description/Cause: Sensor requires manual reboot due to an issue. Please reboot the Sensor.
Action: Please reboot the Sensor.

Fault: Memory error
Description/Cause: A recoverable software memory error has occurred within the Sensor.
Action: Reboot the Sensor, which may then resolve the issue causing the fault.

Fault: MLC Group Size fault
Description/Cause: Sensor version 8.0 or lower not supported for this group size.
Action: This fault is raised when the admin domain user group exceeds 2,000 in an 8.0 or lower M-series model. The 10,000 admin domain user group is supported only in the 8.1 Manager for M-series models. Reduce the number of admin domain user groups to a value that is supported by your Sensor.

Fault: MPE certificate download failure
Description/Cause: Cannot push MPE certificate to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the MPE Certificate to a Sensor. Could result from a network connectivity issue.

Fault: NTBA IPS connection failure
Description/Cause: Device can't communicate with NTBA over the management port on TCP.
Action: If any of the devices are uninstalled, this problem may exist initially for a few minutes and should go away. If the fault still appears, check the firewall rules and connections and the connectivity from the IPS Management port to the NTBA management port.

Fault: Ondemand scan failed because connection was refused to FoundScan engine
Description/Cause: This fault can be due to two reasons: the user has not specified the Fully Qualified Domain Name, or the FoundScan engine is shut down.
Action: For more information on using the Fully Qualified Domain Name, see the McAfee Network Security Platform Integration Guide.

Fault: Packet capture rules download
Description/Cause: Cannot push packet capture rules to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the packet capture rules to a Sensor. Could result from a network connectivity issue.

Fault: Packet overflow
Description/Cause: A recoverable software buffer overflow error has occurred within the Sensor.
Action: Reboot the Sensor, which may then resolve the issue causing the fault.

Fault: Late collision of <port_name>
Description/Cause: This fault could indicate a problem with the setup or configuration of the 10/100 Ethernet ports or the devices connected to those ports. It could also indicate a compatibility issue between the Sensor and the device to which it is connected.
Action: The Sensor may be detecting an issue with another device on the same network link. Check whether one of the other devices on that link has a problem. This situation could cause traffic to stop flowing through the Sensor and may require a Sensor reboot.

Fault: Port pair <port_name> is back to In-line, Fail-Open Mode
Description/Cause: The Sensor is back in In-line, Fail-Open Mode.
Action: This message indicates that the ports have gone from Bypass Mode back to normal.

Fault: Port pair <port_name> is in Bypass Mode
Description/Cause: The indicated GBIC ports are unable to remain in In-line Mode as configured. This has caused fail-open control to initiate, and the Sensor is now operating in Bypass Mode. Bypass Mode means traffic is flowing through the Fail-Open Bypass Switch, bypassing the Sensor completely.
Action: Check the health of the Sensor and the indicated ports. Check the connectivity of the Fail-Open Control Cable to ensure that the Fail-Open Control Module can communicate with the Fail-Open Controller in the Sensor's Compact Flash port.

Fault: Port pair <port_pair_name> in bypass mode
Description/Cause: Device <Sensor_name> is configured to run in-line and to fail open, but it is in bypass mode.
Action: Some failure has caused the fail-open control module to switch operation to Bypass Mode. No traffic is flowing through the Sensor.

Fault: Port pair <port_pair_name> in in-line, fail-open mode
Description/Cause: Device <Sensor_name> has returned to in-line, fail-open mode.
Action: This message indicates that the ports have gone from Bypass Mode back to normal.

Fault: Port pair <port_pair_name> fail-open kit status
Description/Cause: Device <Sensor_name> is configured to run in-line and to fail open, but it is in <Bypass, Tap, Absent, Unknown, L2Bypass, Timeout, IllegalConfig, Restore> Mode.
Action: Some failure has caused the fail-open control module to switch operation to <Bypass, Tap, Absent, Unknown, L2Bypass, Timeout, IllegalConfig, Restore> Mode. No traffic is flowing through the Sensor.

Fault: Port media type mismatch
Description/Cause: <Port_name>: Configured media type is <none/optical/copper/unknown>. Inserted media type is <optical/copper/unknown>.
Action: Check whether the pluggable connector matches the user configuration (for example, a copper SFP inserted in a cage configured for fiber). Replace the media according to the configured value.

Fault: Port certification mismatch
Description/Cause: <Port_name>: McAfee Certified pluggable interface. McAfee certification status is <not matching/matching>.
Action: Check whether the pluggable interface is McAfee certified. Replace it with a McAfee certified connector, or clear the check box to allow a non-certified connector (McAfee certified connectors are recommended).

Fault: Power supply error
Description/Cause: The <primary/secondary> power supply to the device <was inserted/was removed/is operational/is non-operational>. Restore the power supply to clear this fault.
Action: Check power to the outlet feeding the power supply; if a power interruption is not the cause, replace the failed power supply.

Fault: Sensor changes to a different model
Description/Cause: A Sensor was replaced with a different model type. The alert channel will be unable to make a connection.
Action: When replacing a Sensor, ensure that you replace it with an identical model. Do not attempt to replace a regular Sensor with a failover-only model, or vice versa.

Fault: Sensor configuration download failure
Description/Cause: The Manager cannot push the original Sensor configuration to the Sensor during Sensor re-initialization, possibly because the trust relationship between Manager and Sensor is lost. This can also occur when a failed Sensor is replaced with a new unit and the new unit is unable to discover its configuration information, or when the Sensor's health is bad.
Action: The link between Manager and Sensor may be down, or you may need to re-establish the trust relationship between Sensor and Manager by resetting the shared key values.

Fault: <Sensor_name> configuration update failure
Description/Cause: The attempt by the Manager to deploy the configuration to device <Sensor_name> failed during device re-initialization. The device configuration is now out of sync with the Manager settings. The device may be down. See the system log for details.
Action: The Manager cannot push the original device configuration during device re-initialization. This can also occur when a failed device is replaced with a new unit and the new unit is unable to discover its configuration information.

Fault: Device reboot required
Description/Cause: User-configured SSL decryption settings for a particular Sensor changed, requiring a Sensor reboot.
Action: Reboot the Sensor for the changes to take effect.

Fault: Signature set error
Description/Cause: The device has detected an error on signature segment <segment_id>. The segment error cause is <unknown cause>, and the download type is <init/update/unknown signature download type>.
Action: Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file to the Sensor. This fault clears when the signature segments are successfully pushed to the Sensor.

Fault: Solid State Drive <drive 0> Error
Description/Cause: The solid state drive <drive 0> is <drive 1>.
Action: Check the status of the indicated SSD; on failure, replace the SSD.

Fault: Sensor switched to Layer 2 mode
Description/Cause: The Sensor has moved from detection mode to Layer 2 (Passthru) mode. The Sensor has experienced the specified number of errors within the specified timeframe, and Layer 2 mode has been triggered.
Action: The Sensor will remain in Layer 2 mode until it is rebooted. The Sensor has experienced multiple errors, surpassing the configured Layer 2 mode threshold.

Fault: Sensor switched to Layer 2 Bypass mode
Description/Cause: The Sensor is now operating in Layer 2 Bypass mode. Intrusion detection/prevention is not functioning.
Action: Check the Sensor's status.

Fault: Software error
Description/Cause: A recoverable software error has occurred within the device. A device reboot may be required.
Action: This error may require a reboot of the Sensor, which may then resolve the issue causing the fault.

Fault: SSL decryption key download failure
Description/Cause: Cannot push SSL decryption keys to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the SSL decryption keys to a Sensor; typically the result of a network connectivity issue.

Fault: Temperature status
Description/Cause: Inlet temperature value increased above 50.
Action: Check the fan LEDs on the front of the chassis to ensure that all internal chassis fans are functioning. This fault clears when the temperature returns to its normal range.

Fault: User login via console after Sensor initialization
Description/Cause: Sensor reports user <user_name> login via console after Sensor initialization. This is a FIPS Level 3 violation.
Action: This message is informational.

Fault: Solr alert core indexing failed
Description/Cause: Solr indexing failed for the alert core. The Solr index may need to be created again from the MySQL database.

Fault: Solr appalerts core indexing failed
Description/Cause: Solr indexing failed for the appalerts core. The Solr index may be corrupted.

Fault: Solr directory backing up failed
Description/Cause: Backing up the Solr core encountered an error.
Action: Check disk space and the Solr directory settings.

Fault: Creation of DB backup jar file failed
Description/Cause: Creation of the backup jar file encountered an error.
Action: Check that sufficient disk space is available for jar file creation.

Fault: Advanced Threat Defense connectivity
Description/Cause: Sensor connectivity status with the Advanced Threat Defense device. The Sensor is unable to communicate with the Advanced Threat Defense (ATD) device due to <issue>. This fault clears when the connection is restored.
Action: Message generated based on Sensor connectivity with the Advanced Threat Defense (ATD) device.

Fault: CADS connectivity
Description/Cause: Sensor connectivity status with the CADS device. The Sensor is unable to communicate with the CADS device due to <issue>. This fault clears when the connection is restored.
Action: Message generated based on Sensor connectivity with the CADS device.

Fault: Device discovered without license (Licensing)
Description/Cause: Device <Sensor_name> was discovered without a license and may not detect attacks.
Action: To obtain a permanent license, contact Technical Support or your local reseller.

Fault: Device discovered with cluster secondary license (Licensing)
Description/Cause: Device <Sensor_name> was discovered with a cluster secondary license. This device should not be connected to the Manager directly.

Fault: Device license expired (Licensing)
Description/Cause: Device license expired. The device may not detect attacks.

Fault: Device support license expired (Licensing)
Description/Cause: Device support license expired. The device may not detect attacks.

Fault: Expired device license (Licensing)
Description/Cause: Device license expired. The device may not detect attacks.

Fault: Expired device support license (Licensing)
Description/Cause: Device support license expired. The device may not detect attacks.

Fault: Expired license for device of type <device_type> (Licensing)
Description/Cause: The device may not detect attacks.
Action: Contact Technical Support or your local reseller to obtain a license.

Fault: Expired support license for device of type <device_type>
Description/Cause: The device may not detect attacks.
Action: Contact Technical Support or your local reseller to renew the support license.

Fault: No valid license detected for device of type <device_type>
Description/Cause: The discovered device may not detect attacks.

Fault: Pending support license expiration for device of type <device_type>
Description/Cause: Support license for this device expires in <x> days.

Fault: Outbound Decryption - Re-Signing Certificate Deployment Failure
Description/Cause: Re-signing SSL certificates could not be deployed to one or more Sensors. This is typically because a Sensor was added to the Manager after a custom re-signing certificate was imported, so the Manager no longer has the re-signing certificate from which to generate a copy for the new Sensor. Outbound decryption will not work properly on the affected Sensors until the problem has been corrected.
Action: Re-import all custom re-signing certificates.

Fault: Packet buffer overflow

Fault: Communication failure with the Advanced Threat Defense device
Description/Cause: The Manager is unable to establish connectivity with the Advanced Threat Defense (ATD) device. Any connectivity issue with the ATD generates this fault, including ATD device failure, network connectivity failure, and even a network cable detached from the Manager server.
Action: This fault clears when communication with the ATD is restored.

Fault: Communication failure with the CADS device
Description/Cause: The Manager is unable to establish connectivity with the CADS device. Any connectivity issue with the CADS generates this fault, including CADS device failure, network connectivity failure, and even a network cable detached from the Manager server.
Action: This fault clears when communication with the CADS is restored.

Sensor error faults
These are the error faults for a Sensor device.

Fault: Alert channel down
Severity: Error
Description/Cause: The alert channel for device <Sensor_name> is down. Reason is one of:
  Channel connection failed, reason unknown
  Channel is up
  Sensor unable to sync time with NSM (error 2)
  Sensor unable to generate valid certificate (error 3)
  Sensor unable to persist Sensor certificate (error 4)
  Sensor fail connecting to NSM (error 5)
  Sensor in untrusted connection mode (error 6)
  Sensor install connection failed (error 7)
  Sensor unable to persist NSM certificate (error 8)
  Mutual trust mismatch between Sensor and NSM (error 9)
  Error in SNMPv3 key exchange (error 10)
  Error in initial protocol message exchange (error 11)
  Sensor install in progress
  Opening alert channel in progress
  Link error. Attempting to reconnect (error 14)
  Alert channel reconnect failed (error 15)
  Closing alert channel in progress
  Closing alert channel failed (error 17)
  Send alert warning (error 18)
  Keep alive warning (error 19)
  Sensor unable to delete certificate (error 20)
  Sensor unable to create SNMP user (error 21)
  Sensor unable to change SNMP user key (error 22)
Action: The Manager cannot communicate with the device via the channel on which the Manager listens for Sensor alerts. This fault clears when the alert channel is back up.

Fault: Device in bad health
Severity: Error
Description/Cause: Check the running status of device <device_name>. This fault occurs with any type of device software failure (usually in conjunction with a Software error fault).
Action: If this fault persists, perform a Diagnostic Trace and submit the trace file to Technical Support for troubleshooting.

Fault: Gateway Anti-Malware engine initialization failed
Severity: Error
Description/Cause: Gateway Anti-Malware Engine initialization failed due to an internal error. Check the logs.
Action: The Gateway Anti-Malware Engine could not be initialized because the required signature files are not available. Enable the automatic signature update option, or download the signatures manually using the CLI.

Fault: Internal packet drop error
Severity: Error
Description/Cause: The device is dropping packets due to traffic load.
Action: Reduce the amount of traffic passing through the Sensor; this fault indicates that the Sensor is overloaded.

Fault: MLC Bulk update file size exceeds limit
Severity: Error
Description/Cause: The device has a limit on the size of the MLC Bulk Update file it can process. Because that limit has been exceeded, the update to device <Sensor_name> is aborted.
Action: Check the MLC server configured in this Manager for the number of users, groups, and IP-to-user mappings. Make sure they do not exceed the limits specified in the MLC Integration documentation.

Fault: Out-of-range configuration
Severity: Error
Description/Cause: Device <Sensor_name> has detected an out-of-range configuration value.
Action: Contact McAfee Technical Support for assistance.

Fault: Packet log channel down
Severity: Error
Description/Cause: The packet log channel for device <Sensor_name> is down. Reason is one of:
  Channel is up
  Sensor unable to sync time with NSM (error 2)
  Sensor unable to generate valid certificate (error 3)
  Sensor unable to persist Sensor certificate (error 4)
  Sensor fail connecting to NSM (error 5)
  Sensor in untrusted connection mode (error 6)
  Sensor install connection failed (error 7)
  Sensor unable to persist NSM certificate (error 8)
  Mutual trust mismatch between Sensor and NSM (error 9)
  Error in SNMPv3 key exchange (error 10)
  Error in initial protocol message exchange (error 11)
  Sensor install in progress
  Opening packet-log channel in progress
  Link error. Attempting to reconnect (error 14)
  Packet-log channel reconnect failed (error 15)
  Closing packet-log channel in progress
  Closing packet-log channel failed (error 17)
  Send alert warning (error 18)
  Keep alive warning (error 19)
Action: The Manager cannot communicate with the device via the channel on which the Manager receives packet logs. This fault clears when the packet log channel is back up.

Fault: Peer DoS profile retrieval failure
Severity: Error
Description/Cause: Peer DoS profile retrieval request from device <Sensor_name> failed. No DoS profile for peer <peer_sensor_name> is available. The Manager cannot obtain the requested profile from the peer Sensor, nor can it obtain a saved valid profile. See log for details. Also reported as: Peer DoS profile retrieval request from device <Sensor_name> failed because the profile cannot be pushed to the device that requested it. See system log for details.
Action: Check the Manager connection to Network Security Platform.

Fault: Sensor discovery failure (also reported as <Sensor> discovery failure)
Severity: Error
Description/Cause: <Sensor_name> failed to discover its configuration information, and is therefore not properly initialized. Typically the Manager is unable to display the Sensor in this situation, which can indicate an old software image on the Sensor.
Action: If this fault was triggered because the Sensor is temporarily unavailable, the Manager clears it when the Sensor is back online. If the fault persists, check the Manager connection to the Sensor and ensure that the Sensor has the latest software image compatible with the Manager software image. If the images are incompatible, update the Sensor image via a TFTP server.

Fault: Sensor reports an out-of-range configuration
Severity: Error
Description/Cause: The Manager received a value from the Sensor that is invalid. The additional text of the message contains details.
Action: This fault does not clear automatically; it must be cleared manually. Contact McAfee Technical Support for assistance.

Fault: Sensor reports NMS user privacy key decrypt failure
Severity: Error
Description/Cause: NMS user privacy key decryption failed for user <user_name>.
Action: Delete the NMS user and add it again with valid credentials.

Fault: Sensor reports NMS user authentication key decrypt failure
Severity: Error
Description/Cause: NMS user authentication key decryption failed for user <user_name>.
Action: Delete the NMS user and add it again with valid credentials.

Fault: Sensor configuration update failed
Severity: Error
Description/Cause: The Sensor configuration update failed to be pushed from the Manager server to the Sensor.
Action: See the ems.log file to isolate the reason for the failure.

Description/Cause: The Manager has reached its limit (<queue_size_limit>) for alerts that can be queued for storage in the database (<no_of_alerts> alerts dropped).

Fault: Sensor reports that the alert channel is down
Severity: Error
Description/Cause: The Sensor is reporting that the alert channel is down, but the physical channel is actually up. The reason carries the same codes as the Packet log channel down fault (Channel is up; error 2 through error 11; Sensor install in progress; Opening packet-log channel in progress; Link error. Attempting to reconnect (error 14); Packet-log channel reconnect failed (error 15); Closing packet-log channel in progress; Closing packet-log channel failed (error 17); Send alert warning (error 18); Keep alive warning (error 19)).
Action: The Sensor will typically recover on its own. If you are receiving alerts with packet logs and your Sensor is otherwise behaving normally, you can ignore this message. Check that trust is established between the Sensor and the Manager by issuing a show command in the Sensor CLI. If this fault persists, contact McAfee Technical Support.

Fault: Invalid SSL decryption key
Severity: Error
Description/Cause: The Manager detects that a particular SSL decryption key is no longer valid. The detailed reason is shown in the fault message; reasons range from the Sensor re-initializing itself with a different certificate to an inconsistency between the decryption key on a primary Sensor and the one on its failover peer.
Action: Re-import the key identified in the error message. The fault clears itself when the key is determined to be valid.

Fault: Peer IBAC user info file retrieval failure
Severity: Error
Description/Cause: The Manager cannot obtain the requested file from the peer device, nor can it obtain a saved valid file.
Action: See log for details.

Fault: Peer IBAC user info file retrieval failure
Severity: Error
Description/Cause: Peer IBAC user info file retrieval request from the device failed because the IBAC user info file cannot be pushed to the device that requested it.
Action: See system log for details.

Fault: Trust Establishment Error: Bad Shared Secret
Severity: Error
Description/Cause: Device <Sensor_name> could not be added to the Manager because the shared secret it provided does not match the one defined for it on the Manager.
Action: Make sure the shared secret entered on the device CLI matches the one defined in the Manager GUI. (The shared secret is case sensitive.)

Fault: Trust Establishment Error: Unknown Device
Severity: Error
Description/Cause: Device <Sensor_name> could not be added to the Manager because it has not been defined on the Manager.
Action: Make sure the device you want to add has been defined in the Manager GUI before adding it via the device CLI. (The device name is case sensitive.)

Fault: GAM Engine Update Status
Severity: Error
Description/Cause: Message generated by the Sensor on failures related to the GAM Engine.

Fault: Device Configuration update failed (Update device configuration)
Severity: Error
Description/Cause: The device configuration update failed to be pushed from the Manager server to the Sensor.
Action: This fault clears on a successful update. See the ems.log file to isolate the reason for the failure.
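The Alert channel down, Packet log channel down and "Sensor reports that the alert channel is down" faults all carry the same numbered reason codes, and the Action text for Sensor configuration download failure distinguishes a lost trust relationship (fixed by resetting the shared key) from a downed link (fixed by restoring connectivity). The following Python is an added example, not McAfee code: it parses fault lines worded as in the table and sorts them into trust, link and other causes so an operator can pick the right remediation. The grouping of codes into categories, the timestamp/severity prefix on each line and the sample lines themselves are constructed assumptions for illustration.

```python
"""Triage NSM channel-down faults by reason code.

Added example (not McAfee code). Reason strings follow the fault table; the
split into trust / link / other causes, the log-line prefix and the sample
lines are assumptions made for illustration.
"""
import re
from collections import Counter

# Codes whose reason text names a certificate, trust-mode or SNMPv3 key
# problem (assumed grouping): remediation is to re-establish trust.
TRUST_CODES = {3, 4, 6, 8, 9, 10, 20, 21, 22}
# Codes whose reason text names a connection or reconnect failure
# (assumed grouping): remediation is to restore the management path.
LINK_CODES = {5, 7, 14, 15}

# Matches "The alert channel for device X is down. Reason: ... (error N)";
# the "(error N)" suffix is optional because some reasons carry no code.
FAULT_RE = re.compile(
    r"The (?P<channel>alert|packet log) channel for device (?P<device>\S+) is down\. "
    r"Reason: (?P<reason>.+?)(?: \(error (?P<code>\d+)\))?$"
)

RECOMMENDATION = {
    "trust": "reset the shared secret on the Sensor CLI and re-establish trust with the Manager",
    "link": "check the route and firewall rules from the Manager to the Sensor management port",
    "other": "wait for the channel to come back up; collect a diagnostic trace if it persists",
}

# Constructed sample lines; the timestamp and severity prefix is an assumption.
SAMPLE_FAULTS = [
    "2018-05-03T09:58:10Z Error: The alert channel for device nsm-edge-01 is down. "
    "Reason: Mutual trust mismatch between Sensor and NSM (error 9)",
    "2018-05-03T09:58:12Z Error: The packet log channel for device nsm-edge-01 is down. "
    "Reason: Sensor unable to persist NSM certificate (error 8)",
    "2018-05-03T10:03:45Z Error: The alert channel for device nsm-core-02 is down. "
    "Reason: Link error. Attempting to reconnect (error 14)",
    "2018-05-03T10:04:00Z Error: The packet log channel for device nsm-core-02 is down. "
    "Reason: Packet-log channel reconnect failed (error 15)",
    "2018-05-03T10:10:00Z Error: The alert channel for device nsm-dc-01 is down. "
    "Reason: Sensor install in progress",
    "2018-05-03T10:10:30Z Warning: The device has completed booting and is online.",
]


def parse_channel_fault(line):
    """Return channel, device, reason text and numeric code, or None if the
    line is not a channel-down fault."""
    m = FAULT_RE.search(line)
    if not m:
        return None
    code = int(m["code"]) if m["code"] else None
    return {"channel": m["channel"], "device": m["device"],
            "reason": m["reason"], "code": code}


def classify(code):
    """Map a reason code to the remediation category (assumed grouping)."""
    if code in TRUST_CODES:
        return "trust"
    if code in LINK_CODES:
        return "link"
    return "other"


def triage(lines):
    """Parse every channel-down fault and attach a category and action."""
    out = []
    for line in lines:
        fault = parse_channel_fault(line)
        if fault is None:
            continue
        fault["category"] = classify(fault["code"])
        fault["action"] = RECOMMENDATION[fault["category"]]
        out.append(fault)
    return out


def summarize(lines):
    """Count channel-down faults per category so the dominant cause stands out."""
    return dict(Counter(f["category"] for f in triage(lines)))


if __name__ == "__main__":
    for f in triage(SAMPLE_FAULTS):
        print(f"{f['device']:12} {f['channel']:10} code={f['code']!s:4} "
              f"{f['category']:5} -> {f['action']}")
    print(summarize(SAMPLE_FAULTS))
```

When both the alert and packet log channels of one Sensor fail with trust codes at the same time, as nsm-edge-01 does in the sample, the shared-key reset described in the Sensor configuration download failure row is the likely fix; a single link code on one channel is usually worth waiting out before escalating.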

Fault: Scheduled callback detector deployment failure (Device upload scheduler)
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled BOT DAT deployment to device <Sensor_name>. This is caused by a network connectivity problem between the Manager and the Sensor, or by an invalid DAT file.
Action: This fault clears when an update is sent to the Sensor successfully.

Sensor warning faults
These are the warning faults for a Sensor device.

Fault: DAT Config is out of sync
Severity: Warning
Description/Cause: The DAT Segments Config update to device <Sensor_name> failed. As a result, the BOT DAT Config file on the failover pair is out of sync. (The Manager will automatically make another attempt to deploy the BOT DAT Config file.)
Action: Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file. The fault clears when the Manager is successful.

Fault: Device configuration update is in progress
Severity: Warning
Description/Cause: Device configuration update is in progress.

Fault: Device power up
Severity: Warning
Description/Cause: The device has completed booting and is online.
Action: This message is informational. Acknowledge or delete the fault to clear it.

Fault: Device performance - <CPU Utilization, TCP/UDP Flow Utilization, Port Throughput Utilization, Sensor Throughput Utilization, L2 Error Drop, L3/L4 Error Drop>
Severity: Warning
Description/Cause: Network Security Device Performance Monitoring <CPU Utilization, TCP/UDP Flow Utilization, Port Throughput Utilization, Sensor Throughput Utilization, L2 Error Drop, L3/L4 Error Drop> triggered because the value crossed the threshold for the <metric_value> band on <Sensor_name>. <Sensor_name> has <fallen/risen/been> to <metric_value><% or empty string>, which is <above/below> the configured <alarm_name_as_configured_by_the_user> threshold of <threshold_value><% or empty string>.

Fault: Device in high latency mode
Severity: Warning
Description/Cause: Device high latency mode is currently <LatencyConflict/LatencyConflictCleared>. Also reported as: Device high latency mode and Layer 2 bypass mode are currently <LatencyConflict/LatencyConflictCleared>.
Action: The device will attempt to recover automatically from the high latency condition.

Fault: Device latency monitoring configuration is conflicting with Layer 2 monitoring configuration
Severity: Warning
Description/Cause: Device latency monitoring configuration requires Layer 2 pass-through monitoring to be enabled.
Action: Disable moving the Sensor to Layer 2 bypass mode on high latency, or enable Layer 2 pass-through monitoring.

Fault: Device login failure
Severity: Warning
Description/Cause: <Console/SSHD> login failure threshold of 3 attempts is exceeded for user name <user_name> from remote IP Address <remote_ip> on remote port <remote_port>.

Fault: Device packet capturing terminated
Severity: Warning
Description/Cause: Packet capturing has been stopped during device re-initialization. Restart packet capturing explicitly, as required.
Action: Restart packet capture if required.

Fault: Device DNS server connectivity status
Severity: Warning
Description/Cause: DNS server is <Up and Reachable/Down or Unreachable> from the device.

Fault: Physical configuration change
Severity: Warning
Description/Cause: The physical configuration for device <Sensor_name> has changed. A new physical configuration has been discovered.
Action: Occurs when the Sensor connects to the Manager with a different physical configuration.

Fault: Pluggable interface is absent
Severity: Warning
Description/Cause: Indicates that the pluggable interface is absent.
Action: Indicates that the pluggable connector is absent from the cage.

Fault: Pluggable interface certification status
Severity: Warning
Description/Cause: Indicates whether the pluggable connector is McAfee certified.
Action: Indicates whether the pluggable connector is McAfee certified.

Fault: Sensor resetting due to FIPS mode change
Severity: Warning
Description/Cause: This message is informational.

Fault: SNMP trap received from load balancer
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reported trap type <oid_of_the_mib_object_reported>.
Action: Message generated based on an SNMP trap received from the device.
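The Device login failure warning above and the "User login via console after Sensor initialization" fault earlier in this table carry the fields a SOC would correlate on: Sensor, user name, remote IP and port. The following Python is an added example, not McAfee code. It parses fault lines worded as in the table, flags any remote IP that trips the SSHD login-failure threshold on more than one Sensor (password spraying across the fleet rather than one mistyped password), and lists every console login reported after initialization. The "Sensor=<name>" tag and timestamp prefix on each line and the sample lines themselves are constructed assumptions; the fault text is as the table gives it.

```python
"""Correlate NSM Sensor login faults across devices.

Added example (not McAfee code). It assumes faults have been exported to a
line-oriented log with a "Sensor=<name>" tag in front of the fault text; that
prefix and every sample line below are constructed for illustration.
"""
import re
from collections import defaultdict

# "Device login failure" warning, worded as in the fault table.
LOGIN_FAIL_RE = re.compile(
    r"Sensor=(?P<sensor>\S+).*?(?P<service>Console|SSHD) login failure threshold of "
    r"(?P<threshold>\d+) attempts is exceeded for user name (?P<user>\S+) "
    r"from remote IP Address (?P<ip>[0-9.]+) on remote port (?P<port>\d+)"
)
# "User login via console after Sensor initialization" (FIPS Level 3 violation).
CONSOLE_LOGIN_RE = re.compile(
    r"Sensor=(?P<sensor>\S+).*?Sensor reports user (?P<user>\S+) login via console "
    r"after Sensor initialization"
)

# Constructed sample lines; timestamp, severity and Sensor= tag are assumptions.
SAMPLE_FAULTS = [
    "2018-05-03T10:01:02Z Sensor=nsm-edge-01 Warning: SSHD login failure threshold of 3 attempts "
    "is exceeded for user name admin from remote IP Address 10.0.5.7 on remote port 51322.",
    "2018-05-03T10:01:40Z Sensor=nsm-edge-02 Warning: SSHD login failure threshold of 3 attempts "
    "is exceeded for user name admin from remote IP Address 10.0.5.7 on remote port 51390.",
    "2018-05-03T10:02:11Z Sensor=nsm-core-01 Warning: SSHD login failure threshold of 3 attempts "
    "is exceeded for user name svc-backup from remote IP Address 10.0.9.21 on remote port 40110.",
    "2018-05-03T10:05:00Z Sensor=nsm-dc-01 Critical: Sensor reports user admin login via console "
    "after Sensor initialization. This is a FIPS Level 3 violation.",
    "2018-05-03T10:06:00Z Sensor=nsm-dc-01 Warning: The device has completed booting and is online.",
]


def analyse(lines, min_sensors=2):
    """Return remote IPs that tripped the login-failure threshold on at least
    min_sensors Sensors, the user names each IP tried, and every console
    login reported after initialization."""
    sensors_by_ip = defaultdict(set)
    users_by_ip = defaultdict(set)
    console_logins = []
    for line in lines:
        m = LOGIN_FAIL_RE.search(line)
        if m:
            sensors_by_ip[m["ip"]].add(m["sensor"])
            users_by_ip[m["ip"]].add(m["user"])
            continue
        m = CONSOLE_LOGIN_RE.search(line)
        if m:
            console_logins.append((m["sensor"], m["user"]))
    spraying = {ip: sorted(s) for ip, s in sensors_by_ip.items() if len(s) >= min_sensors}
    return {
        "spraying_sources": spraying,
        "users_by_ip": {ip: sorted(u) for ip, u in users_by_ip.items()},
        "console_logins_after_init": console_logins,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_FAULTS)
    for ip, sensors in report["spraying_sources"].items():
        print(f"{ip} tripped the login-failure threshold on {', '.join(sensors)} "
              f"(users tried: {', '.join(report['users_by_ip'][ip])})")
    for sensor, user in report["console_logins_after_init"]:
        print(f"{sensor}: console login by {user} after initialization (FIPS Level 3 violation)")
```

The fault itself is raised per Sensor once three attempts fail, so the interesting signal is the same source reaching the threshold on several Sensors within a short window; lower min_sensors to 1 to list every source instead.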

Fault: Uninitialized device
Severity: Warning
Description/Cause: Device <Sensor_name> is not properly initialized.
Action: The Sensor may have just been rebooted and not be up yet; wait a few minutes to see if this is the cause. If not, check that a signature set is present on the Sensor. A resetconfig command may also have been issued without the Sensor having been reconfigured yet.

Fault: Device power up
Severity: Warning
Description/Cause: The Sensor has just completed booting and is online.
Action: This message is informational. Acknowledge the fault.

Fault: Botnet detectors out of sync
Severity: Warning
Description/Cause: The deployment of botnet detectors to the device failed. As a result, the botnet detectors on the failover pair are out of sync.
Action: Ensure that the device is online and in good health. The Manager will automatically make another attempt to deploy the botnet detectors. The fault clears once the deployment is complete.

Fault: Pending device license expiration
Severity: Warning
Description/Cause: Device license expires in less than <x> days.
Action: Contact Technical Support or your local reseller.

Fault: Load balancer port mode change for <port_pair> (XC Cluster)
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports operating mode for port <port_pair> changed to <Fail-open/Span/Tap/Fail-close>.
Action: Message generated based on an SNMP trap received from the load balancer device.

Fault: Load balancer power up (XC Cluster)
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> has completed booting and is online.
Action: This message is informational. Acknowledge or delete the fault to clear it.

Fault: Load balancer port fail-over mode change for <port_pair> (XC Cluster)
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports port <port_name> fail-over mode changed.
Action: Message generated based on an SNMP trap received from the load balancer device.

Fault: Load balancer system fail-over mode change (XC Cluster)
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports fail-over mode change to <Unknown/Hunting for peer/Stand-alone/Primary/Secondary/Peer device software mismatch>.
Action: Message generated based on an SNMP trap received from the load balancer device.

Fault: Load balancer system fail-over status change (XC Cluster)
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports fail-over status change to <Unknown/Hunting for peer/Stand-alone/Primary/Secondary/Peer device software mismatch>.
Action: Message generated based on an SNMP trap received from the load balancer device.

Fault: Load balancer system peer fail-over status change (XC Cluster)
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports peer fail-over status change to <Unknown/Hunting for peer/Stand-alone/Primary/Secondary/Peer device software mismatch>.
Action: Message generated based on an SNMP trap received from the load balancer device.

Fault: Load balancer port load balancing mode change for <port_name> (XC Cluster)
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports port <port_name> load balancing mode changed to <Good/Bad/Active/Inactive/Loopback/Rebalance/Spare/Standby/Standby Failure/Spare Active/Spare Inactive/Spare Failure>.
Action: Message generated based on an SNMP trap received from the load balancer device.

Fault: Device reboot required (Device IP settings)
Severity: Warning
Description/Cause: The jumbo frame parsing setting on this device has been updated, and a reboot is required for the change to take effect.
Action: Reboot the device to apply the change.

Fault: Offline device download in progress (Vulnerability Manager configuration)
Severity: Warning
Description/Cause: Offline device download has been initiated from the device command line interface.
Action: Wait for the offline Sensor download to complete.

Fault: Successful offline device download (Vulnerability Manager configuration)
Severity: Warning
Description/Cause: Offline device download has completed with status <successful/failed>. Download type=<sigfile/software/software sigfile combo>, Time=<timestamp>, Filename=<downloaded_file_name>.
Action: If the download failed, see the log messages; status code=<Successful/Failed>.

Fault: Pending device license expiration (Licensing)
Severity: Warning
Description/Cause: Device license expires in less than <x> days.
Action: Contact Technical Support or your local reseller.

Fault: Pending device support license expiration (Licensing)
Severity: Warning
Description/Cause: Device support license expires in less than <x> days.

Fault: Pending device add-on license expiration (Licensing)
Severity: Warning
Description/Cause: Device license expires in less than <x> days.

Fault: Pending device support add-on license expiration (Licensing)
Severity: Warning
Description/Cause: Device license expires in less than <x> days.

Fault: Pending license expiration for device of type <device_type>
Severity: Warning
Description/Cause: License for this device expires in <x> days.
Action: Contact Technical Support or your local reseller to renew the license.

Fault: Attempt to disable failover failed (Device failover)
Severity: Warning
Description/Cause: Cannot disable failover on device <Sensor_name>. The device is offline. (The Manager will make another attempt when the device comes back online.)
Action: Make sure that the Sensor is online. The Manager will make another attempt to disable failover when it detects that the Sensor is up. The fault clears when the Manager is successful.

Fault: Callback detectors out of sync (Device failover)
Severity: Warning
Description/Cause: The deployment of callback detectors to device <Sensor_name> failed. As a result, the callback detectors on the failover pair <Sensor_name1> are out of sync. (The Manager will automatically make another attempt to deploy them.)
Action: Make sure that the device is online and in good health. The Manager will automatically make another attempt to deploy the callback detectors. The fault clears once the deployment is complete.

Fault: Firewall connection status inconsistent on failover Sensor pair (Device failover)
Severity: Warning
Description/Cause: The firewall connection status on the failover pair <Sensor_peer_name> is inconsistent. This may cause the firewall function to be inconsistent across the pair.
Action: Ensure that both Sensors of the failover pair are connected to the firewall, and that both Sensors are online and in good health.

Fault: Signature segments out of sync
Severity: Warning
Description/Cause: An attempt to update the signature set on both Sensors of a failover pair was unsuccessful for one of the pair, causing the signature sets to be out of sync on the two Sensors. The Manager will make another attempt to automatically push the signature file down to the Sensor on which the update operation failed.
Action: Ensure that the Sensor in question is online and in good health. The fault will clear when the Manager is successful. If the operation fails a second time, a Signature set download failure fault will be shown as well. Both faults will clear when the signature set is successfully pushed to the Sensor.

Fault: Signature segments out of sync
Severity: Warning
Description/Cause: Signature deployment to device <Sensor_name> failed. The signature segments on failover pair <Sensor_peer_name> are out of sync. (The Manager will automatically make another attempt to deploy the signature.)
Action: Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file down. The fault will clear when the Manager is successful.

Fault: SSL decryption keys out of sync
Severity: Warning
Description/Cause: SSL decryption keys update to device <Sensor_name> failed, and the SSL decryption keys on failover pair <Sensor_peer_name> are out of sync as a result. (The Manager will automatically make another attempt to deploy the new keys.)
Action: Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file down. The fault will clear when the Manager is successful.

Fault: Temperature Status
Severity: Warning
Description/Cause: Inlet Temperature value increased above 44.
Action: Check the Fan LEDs in front of the chassis to ensure all internal chassis fans are functioning. This fault will clear when the temperature returns to its normal range.

Signature set

Fault: Deprecated applications detected in firewall policies
Severity: Warning
Description/Cause: The Manager has detected the following use of deprecated applications in firewall policies: <Deprecated Application <app_name> used in Policy <policy_name>/Rule#<ruleOrderNum> | Deprecated Application <app_name> used in Rule Element (of type Application Group) <rule_name>@<policy_name>/rule#<ruleOrderNum>>
Action: These applications must be removed from the firewall policies.

Sensor informational faults

These are the informational faults for a Sensor device.

Fault: Automatic BOT DAT set deployment in progress
Severity: Informational
Description/Cause: A new BOT DAT set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information. No action required.

Fault: BOT DAT deployment in progress
Severity: Informational
Description/Cause: A new BOT DAT file has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information. No action required.

Fault: Cluster software initialization status
Severity: Informational
Description/Cause: Device software has been initialized.
Action: On initialization failure, check that the cluster cross-connects are present as documented.

Fault: Device software or signature set import in progress
Severity: Informational
Description/Cause: A device software image or signature set file is being imported into the Manager.
Action: This message is for user information. No action required.

Fault: Device software or signature set download in progress
Severity: Informational
Description/Cause: A device software image or signature set file is being downloaded from the McAfee Update Server to the Manager.
Action: This message is for user information. No action required.

Fault: Port pair <port name> is back to In-line Fail-Open Mode
Severity: Informational
Description/Cause: Indicates that the ports have gone from Bypass Mode back to normal.
Action: This message is for user information. No action required.

Fault: Resource mismatch
Severity: Informational
Description/Cause: The configured memory or CPU is less than the optimal number.
Action: This message is for user information. No action required.

Fault: Sensor configuration update in progress
Severity: Informational
Description/Cause: A Sensor configuration update is in the process of being pushed from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Fault: Sensor configuration update successful
Severity: Informational
Description/Cause: Sensor configuration update successfully pushed from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Fault: Sensor discovery is in progress
Severity: Informational
Description/Cause: The Manager is attempting to discover the Sensor.
Action: This message is for user information. No action required.

Fault: Sensor resetting due to FIPS mode change
Severity: Informational
Description/Cause: An upgrade or downgrade between FIPS and non-FIPS software images has been detected. This resets the Sensor configuration and restores the default login password.
Action: This message is informational.

Fault: Sensor software image download failed
Severity: Informational
Description/Cause: Sensor software image failed to download from the McAfee Update Server to the Manager server.
Action: This message is for user information. No action required.

Fault: Sensor swappable port module status for group <G0/G1/G2/G3>
Severity: Informational
Description/Cause: Sensor reports port module <removed/added> for group <G0/G1/G2/G3>. Sensor reports port module is removed from slot for group <G0/G1/G2/G3>. Sensor reports <NULL/QSFP/SFP> port module inserted into slot for group <G0/G1/G2/G3>.
Action: This message is generated when a user removes or inserts a port module in a Sensor slot.

Fault: Successful automatic callback detectors deployment
Severity: Informational
Description/Cause: A new callback detector set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information. No action required.

Fault: User login via console after Sensor initialization
Severity: Informational
Description/Cause: Sensor reports user login via console after Sensor initialization. This is a FIPS Level 3 violation.
Action: This message is informational.

Licensing

Fault: Device discovered with license
Severity: Informational
Description/Cause: Device <Sensor_name> was discovered with a license that will expire on <date>.
Action: Renew the license before it expires.

Fault: License detected for <Sensor_name> of type
Severity: Informational
Description/Cause: License valid until <date>.
Action: Renew the license before it expires.

Device discovery

Fault: The <NTBA Appliance/Sensor>, <device_name> discovery in progress
Severity: Informational
Description/Cause: The Manager is in the process of discovering the device.
Action: Wait for the discovery of the device to complete.

Download software

Fault: Device software image download in progress
Severity: Informational
Description/Cause: Device software image is in the process of downloading from the McAfee Update Server to the Manager server.
Action: This message is for user information. No action required.

Fault: Device software image download successful
Severity: Informational
Description/Cause: Device software image successfully downloaded from the McAfee Update Server to the Manager server.
Action: This message is for user information. No action required.

Fault: Signature download from Manager to Sensor is in progress
Severity: Informational
Description/Cause: The Manager is in the process of deploying the latest configuration to the device. This includes new IPS signature sets, botnet detectors, and SSL keys, as applicable.
Action: This message is informational.

Update device software

Fault: Device software update is in progress
Severity: Informational
Description/Cause: A Sensor software update is in the process of being pushed from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Fault: Device software update successful
Severity: Informational
Description/Cause: Device software update successfully pushed from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Update device configuration

Fault: Device configuration deployment in progress
Severity: Informational
Description/Cause: The Manager is in the process of deploying the latest configuration to the device. This includes new IPS signature sets, botnet detectors, and SSL keys, as applicable.
Action: This message is informational.

Fault: Device configuration deployment successful
Severity: Informational
Description/Cause: The Manager successfully deployed the latest configuration to device <Sensor_name>. This includes new IPS signature sets, callback detectors, and SSL keys, as applicable.
Action: This message is informational.

Signature set

Fault: Device software, IPS signature set, or callback detectors import in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or callback detectors file is being imported into the Manager.
Action: This message is informational.

Fault: Device software, IPS signature set, or callback detectors download in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or callback detectors file is being downloaded from the McAfee Update Server to the Manager.
Action: This message is informational.

NTBA faults

The NTBA faults can be classified into critical, error, warning, and informational. The Action column provides you with troubleshooting tips.

NTBA critical faults

These are the critical faults for an NTBA device.

Fault: BOT DAT file download failure
Severity: Critical
Description/Cause: The Manager cannot push the BOT DAT file to device <Sensor_name>.
Action: Occurs when the Manager cannot push the BOT DAT file to the Sensor. Could result from a network connectivity issue.

Fault: Endpoint Intelligence Service is down
Severity: Critical
Description/Cause and Action (one line per cause):
- Endpoint Intelligence Service has not started as the ePO server is not reachable. Action: Make sure that the ePO server is up and running and is reachable from the NTBA.
- Endpoint Intelligence Service has not started as the ePO extension does not support the auto-signing service. Action: Make sure that the ePO server supports the ePO Auto Signing functionality (change on Name confirmation).
- Endpoint Intelligence Service has not started because of an authentication error connecting to the ePO server. Action: Provide valid ePO server credentials.
- Endpoint Intelligence Service has not started because of an internal error from the ePO server. Action: The ePO server responded with an error; look at the ePO logs.
- Endpoint Intelligence Service has not started because of unexpected errors. Action: Look at the ePO server and NTBA logs for the error, then try again.

- Endpoint Intelligence Service has not started due to a corrupt certificate. Action: The certificate is invalid; retry saving it.
- Endpoint Intelligence Service has not started because the configured port for Endpoint Intelligence Service is already in use. Action: This port is already in use; configure an unused port.

Fault: Link failure of <Appliance name>
Severity: Critical
Description/Cause: The link between this port and the device to which it is connected is down, and communication is unavailable.
Action: This is a connectivity issue. Contact your IT department to troubleshoot network connectivity. This fault clears when communication is re-established.

Fault: NTBA Public key download failure
Severity: Critical
Description/Cause: Cannot push NTBA Public key file to device <Sensor_name>.
Action: Occurs when the Manager cannot push the NTBA Public key file to the Sensor. Could result from a network connectivity issue.

Fault: NTBA Appliance unreachable
Severity: Critical
Description/Cause: A command channel ping to NTBA Appliance <Appliance name> failed. The device is unreachable through its command channel.
Action: Indicates that the NTBA cannot communicate with the Manager: the connection between the NTBA and the Manager is down, or the NTBA has been administratively disconnected. Troubleshoot connectivity issues: 1) check that a connection route exists between the Manager and the NTBA; 2) check the NTBA's status using the status command in the NTBA command line interface, or ping the NTBA or the NTBA gateway to ensure connectivity to the NTBA. This fault clears when the Manager detects the NTBA again.

NTBA error faults

These are the error faults for an NTBA device.

Fault: Device Configuration update failed
Severity: Error
Description/Cause: Device configuration update failed to be pushed from the Manager server to the Sensor.
Action: See the ems.log file to isolate the reason for the failure.

Fault: Scheduled BOT DAT file deployment failed
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled Bot DAT deployment to the device <Sensor_name>.
Action: Indicates that the Manager was unable to perform the scheduled Bot DAT deployment to the Sensor. This is because of network connectivity between the Manager and the Sensor, or an invalid DAT file. This fault clears when an update is sent to the Sensor successfully.

GAME configuration

Fault: NTBA <GAME Error>
Severity: Error
Description/Cause: <GAME Error>
Action: Re-check the NTBA GAME configuration.

System related

Fault: NTBA Configuration Update Error
Severity: Error
Description/Cause (one of the following): Sigfile parsing failed. / Sigfile parsing failed in zone segment. / Sigfile parsing failed in communication rules segment. / Sigfile parsing failed in service segment. / Sigfile parsing failed in anomaly segment. / Sigfile parsing failed in reconnaissance segment. / Sigfile parsing failed in FFT segment. / Sigfile parsing failed in NBA segment. / Sigfile parsing failed in worm segment. / Sigfile parsing failed in policy segment. / Sigfile parsing failed in pre-processing segment. / Sigfile parsing failed in application profile segment. / Sigfile parsing error.
Action: Retry the NTBA configuration update.

Fault: NTBA Sigset Mismatch Error
Severity: Error
Description/Cause: There has been a mismatch between the NTBA version <tba_sw_version> and the sigset version <sigset_version>. NSM will now try to automatically push the appropriate matching sigset.
Action: Check the status of the follow-up NTBA configuration update.

Fault: NTBA Zone Configuration Event
Severity: Error
Description/Cause: Invalid interface or zone configuration. All the zones configured are <Outside/Inside>. <Netflow processing will not work till this configuration is fixed. / GTI reputation is not retrieved for internal hosts>.
Action: Verify the zone configuration in NTBA.

Storage server

Fault: NTBA <Storage Server Error/Storage Server Not Reachable/Storage Server Permission Denied/Storage Server Limit Reached 50%/Storage Server Limit Reached 75%/Backup Storage File Corrupted/Storage Server Limit Exhausted>
Severity: Error
Description/Cause: <Storage Server Error/Storage Server Not Reachable/Storage Server Permission Denied/Storage Server Limit Reached 50%/Storage Server Limit Reached 75%/Backup Storage File Corrupted/Storage Server Limit Exhausted>
Action: Re-check the Storage Service configuration.

TrustedSource

Fault: NTBA <TrustedSource Error>
Severity: Error
Description/Cause: <TrustedSource Error>
Action: Re-check the TrustedSource configuration.

NTBA warning faults

These are the warning faults for an NTBA device.

Fault: DAT Config is out of sync
Severity: Warning
Description/Cause: The DAT Segments Config update to the device <Sensor_name> failed. The Bot DAT Config file on the failover pair is out of sync as a result. (The Manager will automatically make another attempt to deploy the BOT DAT Config file.)
Action: Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file. The fault will be cleared when the Manager is successful.

Fault: This Release of NSM supports only one instance of NTBA vm.
Severity: Warning
Description/Cause: The NTBA <NTBA_Appliance_name> is not discovered because the maximum number of supported NTBA virtual machine instances has been exceeded.
Action: Delete the device from the ISM GUI.

Fault: Uninitialized device
Severity: Warning
Description/Cause: Device <Sensor_name> is not properly initialized.
Action: The Sensor may have just been rebooted and is not up yet. Wait a few minutes to see if this is the issue; if not, check to ensure that a signature set is present on the Sensor. A resetconfig command may have been issued, and the Sensor not yet reconfigured.

NTBA informational faults

These are the informational faults for an NTBA device.

Fault: Automatic BOT DAT set deployment in progress
Severity: Informational
Description/Cause: A new BOT DAT set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information. No action required.

Fault: BOT DAT deployment in progress
Severity: Informational
Description/Cause: A new BOT DAT file has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information. No action required.

Fault: Interface change
Severity: Informational
Description/Cause: During startup, the NTBA identifies changes (addition or removal) in the interface count.
Action: This message is for user information. No action required.

Fault: NTBA database pruning
Severity: Informational
Description/Cause: Current database usage: <percentage_value>%
Action: NTBA Database Pruning threshold notification.

Fault: Successful automatic BOT DAT set deployment
Severity: Informational
Description/Cause: A new BOT DAT set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information, no action required.

Fault: Successful scheduled BOT DAT set deployment
Severity: Informational
Description/Cause: A new BOT DAT file has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information, no action required.

Fault: The <NTBA Appliance/Sensor>, <device_name> discovery in progress
Severity: Informational
Description/Cause: The Manager is in the process of discovering the device.
Action: Wait for the discovery of the device to complete.

Fault: NTBA Network Forensic data pruning
Severity: Informational
Description/Cause: This is an NTBA Database Pruning threshold notification.
Action: This message is informational.


6 Error messages

This section lists the error messages displayed in McAfee Network Security Manager (Manager).

Contents
Error messages for RADIUS servers
Error messages for LDAP server

Error messages for RADIUS servers

The table lists the error messages displayed in the Manager.

Error Name: RADIUS Connection Successful
Description/Cause: RADIUS server is up and running
Action: RADIUS server is up and running

Error Name: RADIUS Connection Failed
Description/Cause: Network failure, congestion at servers, or RADIUS server not available
Action: Try again after some time; check the IP address and Shared Secret key

Error Name: No RADIUS server configured
Description/Cause: No server available
Action: Configure at least one RADIUS server

Error Name: Server with IP address and port already exists for RADIUS server
Description/Cause: IP address and port connection not unique
Action: Use a different IP address and port number

Error Name: RADIUS server host IP address/host name is required
Description/Cause: Field cannot be blank
Action: Enter a valid host name/IP address

Error Name: Shared Secret key is unique in case of RADIUS server
Description/Cause: Field cannot be blank
Action: Enter a valid host name/IP address

Error Name: RADIUS server host IP address/host name cannot be resolved as entered
Description/Cause: Invalid host name/IP address
Action: Enter a valid host name/IP address

The table lists the error messages displayed in the User Activity Audit report.

Error Name: RADIUS Authentication
Description/Cause: User <user name> with login Id <login Id> failed to authenticate to RADIUS server <RADIUS server host name/IP address> on port <port number> due to server timeout/network failure
Error Type: User

Error Name: Add RADIUS server
Description/Cause: Added RADIUS server IP Address/Host <IP address or host name>, port <port number>, enable <Yes/No>
Error Type: Manager

Error Name: Edit RADIUS server
Description/Cause: IP Address/Host <IP address or host name> set port <port number>, set Enabled <Yes/No>
Error Type: Manager

Error Name: Delete RADIUS server
Description/Cause: Deleted RADIUS Server IP Address/Host <IP address or host name>, port <port number>
Error Type: Manager

Error messages for LDAP server

The table lists the error messages displayed in the Manager.

Error Name: Server with IP address and port already exists for LDAP server
Description/Cause: IP address and port connection not unique
Action: Use a different IP address and port number

Error Name: LDAP server host IP address/host name is required
Description/Cause: Field cannot be blank
Action: Enter a valid host name/IP address

Error Name: LDAP server host IP address/host name cannot be resolved as entered
Description/Cause: Invalid host name/IP address
Action: Enter a valid host name/IP address

Error Name: LDAP Connection Successful
Description/Cause: LDAP server is up and running
Action: LDAP server is up and running

Error Name: LDAP Connection Failed
Description/Cause: Network failure, congestion at servers, or LDAP server not available
Action: Try again after some time; check the IP address

Error Name: No LDAP server configured
Description/Cause: No server available
Action: Configure at least one LDAP server

The table lists the error messages displayed in the User Activity Audit report.

Error Name: LDAP Authentication
Description/Cause: User <user name> with login Id <login Id> failed to authenticate to LDAP server <LDAP server host name/IP address> on port <port number> due to server timeout/network failure.
Error Type: User

Error Name: Add LDAP server
Description/Cause: Added LDAP server IP Address/Host <IP address or host name>, port <port number>, enable <Yes/No>
Error Type: Manager

Error Name: Edit LDAP server
Description/Cause: IP Address/Host <IP address or host name> set port <port number>, set Enabled <Yes/No>
Error Type: Manager

Error Name: Delete LDAP server
Description/Cause: Deleted LDAP Server IP Address/Host <IP address or host name>, port <port number>
Error Type: Manager

7 Troubleshooting scenarios

Contents
Network outage due to unresolved ARP traffic
Delay in alerts between the Sensor and Manager
Sensor-Manager Connectivity Issues
Wrong country name in IPS alerts
Wrong country name in ACL alerts

Network outage due to unresolved ARP traffic

Scenario
Sudden outage in the network due to unresolved ARP traffic.

Applicable to
Sensor models: M-series, NS-series
Sensor software version: 8.1, 8.3, 9.1

Problem type to be solved
Resolve the ARP traffic that is dropped by the Sensor because of the heuristic web application server protection configuration setting.

Data/Information Collection
1. Check if the attack ARP MAC Address Flip-Flop is disabled in the policy. Go to Policy | Intrusion Prevention | Policy Types | IPS Policies. Click Default Prevention in the IPS Policies name column. Check the policy on all of the device interfaces and make sure the ARP flip-flop alert is either disabled or not included in the policy on all of the device interfaces.

2. Check if Heuristic Web Application Server Protection is enabled. Go to Policy | Intrusion Prevention | Policy Types | Inspection Options Policies. Click <Policy Name> in the Inspection Options Policies list. Check each interface of the device individually.
3. Check if ARP spoofing is enabled on the Sensor. Use the command show arp spoof status.

Explanation
When heuristic web application server protection is enabled, the Manager caching is disabled and only the selected attacks are pushed to the Sensor. If the MAC Flip-Flop attack is not part of the attacks chosen by the user, the Sensor drops the ARP packets. This happens in scenarios such as:
- Assignment of a dynamic MAC address in the network (vMAC)
- A firewall in failover mode that uses a Virtual MAC address: the IP address remains the same but the MAC address changes

Troubleshooting Steps
1. Disable ARP spoofing on the Sensor. Use the command arp spoof to disable ARP spoofing.
2. Disable Heuristic Web Application Server Protection on the device's individual interfaces.

If the problem still persists, contact McAfee Support for further assistance.

Delay in alerts between the Sensor and Manager

Scenario
Delay in receiving the Sensor alerts on the Manager.

Applicable to
Sensor models: M-series, NS-series
Sensor software versions: 8.1, 8.3, 9.1

Problem type to be solved
- Delay in the Sensor alerts being sent to the Manager
- Sensor alerts are not seen in real time on the Manager
- Time lag in sending the Sensor alerts to the Manager

Data/Information Collection
1. Execute the following commands on the Sensor:
   status (execute 5 times within a 10-second duration)
   show sensor-load (execute 5 times within a 10-second duration)
   getccstats (execute 5 times within a 10-second duration)
   Also execute the same commands on a similar model Sensor that does not have the issue.
2. Collect graphs for Sensor throughput utilization and port utilization.
3. Collect the attack CSV file for this Sensor from the Attack Log page.
4. Collect the alert archival for the last 24-hour time duration.
5. Retrieve the configuration backup of the Manager.
6. Create/collect the network diagram that clearly indicates where the Sensor and the Manager are located.

Troubleshooting steps
1. Check if there are any network connectivity issues or any delay in the network. A delay in the network between the Sensor and the Manager can lead to low alert rates.
2. Verify that the entire link between the Sensor management port and the Manager is 1G auto, and that the correct CAT6 cables are used.
3. Check if the other Sensors connected to the same Manager are also facing this issue. If yes, then it is a Manager issue.
4. Check the Sensor policy being used. If Default Testing or Default Exclude Informational is used, the Sensor processes more alerts and hence the alert generation rate increases. Switching to the Default Prevention policy can sometimes help resolve the delay issue.
5. Check if there are any saved alerts/packet logs on the Sensor.
   Command: show savedalertinfo
6. Check whether a specific category of alerts is delayed or all the alerts are delayed. Also check whether the system events that are being raised are also delayed.

7. Check if the alerts are seen in the Attack Log page, as the alerts are restored there from the database. This check will confirm whether the issue is in the database or the cache. Check the database size and, if it is very high, purge and tune the database.
8. Check the time on the Sensor and whether it matches the Manager system time. If there is any issue with the time stamp, the Manager may show the wrong timestamp in the Attack Log page, which can incorrectly appear as alerts being delayed.
9. Check the rate of alerts generated/detected by the Sensor using the getccstats command, which lets you:
   - Check the status of the control/alert channel (to the Manager)
   - Check the alert suppression/throttling configuration status and suppression intervals
   - Check the Sensor failover action (1 = Enabled, 2 = Disabled), failover status (1 = Active, 2 = Standby, 3 = Init/Not Applicable), failover peer status (1 = Up, 2 = Down, 3 = Incompatible, 4 = Compatible, 5 = Init/Not Applicable), and fail-open status (1 = Enabled, 2 = Disabled)
   - Check the count of detected alerts (signature-based, scan/recon, DoS) sent to the management port and to the peer Manager (in case of MDR)
   - Check the count of throttled alerts
   - Check the count of alerts sent to and received from the Correlation Engine, and the alert correlation counts
   - Check the count of alerts in the ring buffer, queued to be sent to the Manager
   - Check the ACL alerts throttling configuration status (throttling interval and threshold)
   - Check the count of throttled ACL alerts (IPS)
   - Check the Sensor reboot count and/or alert wrap count
   The following statistics indicate many alerts still pending in the ring buffer:
   AlertsInRngBufPriCount =
   AlertsInRngBufSecCount =
   PutAlertInRngBufErrCount =
   The alert rate could be so high that the Manager is not able to handle it. It then introduces a delay similar to a backoff (with the delay reaching a maximum of 30 seconds per alert), and this causes the alerts to be queued up in the ring buffer. Once this condition is reached, the alert delay increases with time. To recover, check the type of attacks, then try to create an exception rule to filter the attack, and see if the Manager recovers.

10. Take packet captures on the Sensor side and the Manager side to identify whether the issue is on the Sensor/Manager side or the network side. On the Manager, use Wireshark or an equivalent tool to take packet captures on the Manager port.
   Sample packet capture on the Sensor:
   Sample packet capture on the Manager:
   Using packet captures from the Sensor and the Manager that are taken simultaneously, you can identify whether there is a delay in the Sensor sending the alert to the Manager, a delay in the Manager sending the alert acknowledgment to the Sensor, or both (pointing to a network issue).
11. Check if Layer 7 Data Collection is enabled on the Sensor. There is a known issue when Layer 7 Data Collection is enabled, where the alerts in the Attack Log page are no longer received in real time.
   IntruDbg#> show l7dcap-usage
   Layer-7 Dcap Buffers Allocated at Init
   Layer-7 Dcap Buffers Available now
   Layer-7 Dcap Buffers Alloc Errors 0
   Layer-7 Dcap Alert Buffers Allocated
   Layer-7 Dcap Alert Buffers Available
   Layer-7 Dcap Alert Buffers Allocate Error 0
   Layer-7 Dcap Regular Alert's Sent 0
   Layer-7 Dcap Special Alert's sent 0
   Layer-7 Dcap Context End Alert's Sent 0
   Layer-7 Dcap CB InActive when DCAP Called 0
   Layer-7 Dcap Ring Buffer Errors 0
   Alert Ring Buffer Full Cnt 0
   Num Alerts Dropped at Sensors 0
   Layer-7 Dcap Fifo Check Seen 0

12. On the Manager database, use SQL query output to check the frequency of alerts going to the Manager. Log in to MySQL on the Manager server and execute the following:
   a. Get the Sensor ID from the database:
      select sensor_id, name from iv_sensor;
   b. Input the time range for which the alert generation rate needs to be checked:
      SELECT " :39:47", "
   c. Total attacks for the Sensor ID and the time range (<start_time> and <end_time> stand for the range entered in step b):
      SELECT sensorid, count(*) atcount FROM iv_alert WHERE creationtime BETWEEN <start_time> AND <end_time> GROUP BY sensorid ORDER BY atcount;
   d. Total packet logs for the Sensor ID and time range:
      SELECT sensorid, count(*) pktcount FROM iv_packetlog WHERE (creationtime BETWEEN <start_time> AND <end_time>) AND sensorid=<id of problematic sensor> GROUP BY sensorid ORDER BY pktcount;

If the problem still persists, contact McAfee Support for further assistance.

Sensor-Manager Connectivity Issues

Scenario
Connectivity issues between the Sensor and Manager.

Applicable to
Sensor models: M-series, NS-series
Sensor software versions: 8.1, 8.3, 9.1

Problem types to be solved
- Sensor is not detected on the Manager.
- Trust establishment does not happen between the Sensor and Manager.

Data/Information Collection
1. Execute the following commands on the Sensor:
   status
   show
   show sbcfg
   show mgmtcfg
   show doscfg
   show mgmtport
   getccstats
   show netstat
   checkmanagerconnectivity (applicable only to Sensor software 8.1 and above)
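Steps 9 and 11 of the alert-delay scenario above come down to reading counters out of Sensor CLI output and checking which of them are non-zero. The following script is an added example (not McAfee code and not part of this guide) that parses the "Name value" lines printed by show l7dcap-usage and the ring-buffer counters quoted from getccstats, and reports the indicators the guide lists for a backlog. The counter names are the ones the guide prints; the embedded sample output and every numeric value in it are constructed for this example.

```python
"""Flag the alert-backlog counters from the 'Delay in alerts' checks.

Added example (not McAfee code): it parses the 'Name value' lines that
Sensor CLI commands such as `show l7dcap-usage` print (step 11) and the
ring-buffer counters quoted from `getccstats` (step 9), and reports the
counters the guide says indicate queued or dropped alerts. The sample
output below is constructed for this example; the counter names come
from the guide, the numeric values do not.
"""
import re

# getccstats counters the guide says show alerts still pending in the ring buffer.
RING_BUFFER_COUNTERS = (
    "AlertsInRngBufPriCount",
    "AlertsInRngBufSecCount",
    "PutAlertInRngBufErrCount",
)

# show l7dcap-usage counters that stay at 0 on a Sensor without the L7 issue.
L7_ERROR_COUNTERS = (
    "Layer-7 Dcap Buffers Alloc Errors",
    "Layer-7 Dcap Alert Buffers Allocate Error",
    "Layer-7 Dcap Ring Buffer Errors",
    "Alert Ring Buffer Full Cnt",
    "Num Alerts Dropped at Sensors",
)

# Constructed sample of `show l7dcap-usage` output (all values invented).
SAMPLE_L7DCAP = """\
IntruDbg#> show l7dcap-usage
Layer-7 Dcap Buffers Allocated at Init 4096
Layer-7 Dcap Buffers Available now 3900
Layer-7 Dcap Buffers Alloc Errors 0
Layer-7 Dcap Alert Buffers Allocated 2048
Layer-7 Dcap Alert Buffers Available 0
Layer-7 Dcap Alert Buffers Allocate Error 17
Layer-7 Dcap Regular Alert's Sent 120
Layer-7 Dcap Special Alert's sent 0
Layer-7 Dcap Context End Alert's Sent 0
Layer-7 Dcap CB InActive when DCAP Called 0
Layer-7 Dcap Ring Buffer Errors 3
Alert Ring Buffer Full Cnt 2
Num Alerts Dropped at Sensors 0
Layer-7 Dcap Fifo Check Seen 0
"""

# Constructed sample of the getccstats lines the guide quotes (values invented).
SAMPLE_GETCCSTATS = """\
AlertsInRngBufPriCount = 812
AlertsInRngBufSecCount = 0
PutAlertInRngBufErrCount = 5
"""

# 'Name value' or 'Name = value'; the integer must be the last token on the line.
COUNTER_RE = re.compile(r"^\s*(?P<name>.+?)(?:\s*=\s*|\s+)(?P<value>\d+)\s*$")


def parse_counters(text):
    """Return {counter_name: int}; lines without a trailing integer are skipped."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def backlog_findings(getccstats_text, l7dcap_text):
    """Return the non-zero backlog indicators as 'source: counter=value' strings."""
    findings = []
    cc = parse_counters(getccstats_text)
    for name in RING_BUFFER_COUNTERS:
        if cc.get(name, 0) > 0:
            findings.append(f"getccstats: {name}={cc[name]}")
    l7 = parse_counters(l7dcap_text)
    for name in L7_ERROR_COUNTERS:
        if l7.get(name, 0) > 0:
            findings.append(f"l7dcap: {name}={l7[name]}")
    return findings


if __name__ == "__main__":
    for finding in backlog_findings(SAMPLE_GETCCSTATS, SAMPLE_L7DCAP):
        print(finding)
```

Run it against the two command outputs captured from the affected Sensor and from the healthy reference Sensor collected in the data-collection step; a non-empty result on the affected Sensor only, with the ring-buffer counters climbing across the five repeated runs, is the backlog condition the guide describes.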

141 Troubleshooting scenarios Sensor-Manager Connectivity Issues 7 2 Collect the Manager infocollector logs. If possible, enable detailed debugging messages by modifying <Manager_INSTALL_DIR>/config/log4j_ism.xmlfile, by adding/changing the following lines: <category name="iv.core.discoveryservice"> <priority value="debug"/></category> <category name="iv.core.sensorconfiguration"> <priority value="debug"/></category> 3 Collect the Sensor trace files. 4 Collect packet capture at the Manager (for the problematic Sensor). 5 Network diagram clearly mentioning where the Sensor and Manager are located. Troubleshooting Steps 1 Check if there is any network connectivity issue such as conflicting IP address of the Sensor. This can result in alert/pktlog channel flaps. 2 Verify that the Management Interface speed and duplex settings are configured correctly on the Manager and Sensor and that they are hard-coded. If this fails, change one link to auto and change the other side's duplex and speed settings until communications are established or combinations are exhausted. 3 Ping from the Sensor to Manager and Manager to Sensor, and make sure the ping goes fine. 4 Check if the other Sensors connected to the same Manager are also facing this issue. If yes, then it is a Manager issue. 5 Check the IP address of the system on which the Manager is installed. Make sure the correct IP address is provided in the Sensor command set manager ip. 6 Try a deinstall and establish the trust again with the Manager. 7 Check if the Manager machine has multiple NIC cards. If yes then open below file: <Manager_INSTALL_DIR>/bin/tms.bat Modify the following line to assign the relevant IP address that is also used in the Sensor configuration: set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPIPaddress=""restart Manager 8 Check the Sensor name, which is given on the Manager while adding the Sensor using the Add New Device wizard. 
Sensor name is case sensitive, so make sure it exactly matches the one given on the Manager.
9 Check that the device type is selected as IPS Sensor while adding the Sensor using Add New Device. Selecting an incorrect device type can also lead to connectivity issues.
10 Make sure that a firewall is not blocking traffic between the Manager and Sensor on the following ports:
   Manager:4167 -> Sensor:8500 (UDP)
   Sensor:Any -> Manager: ..., 8510 (TCP) for 1024-bit trusts
   Sensor:Any -> Manager: 8504, ... (TCP) for 2048-bit trusts
11 If using the malware policy, check whether the file save option is enabled. Make sure the firewall is not blocking ports 8509 and 8510, which are used for saving malware files.
12 Check that UDP port 8500 is open and allows Manager-to-Sensor SNMP communication.
13 Use the netstat -na command to verify that the ports are listening on the Manager. Click Start > Run, type cmd, press ENTER, then type netstat -na (netstat -nao additionally shows the owning process ID).

14 Make sure that large UDP and/or fragmented UDP packets are not dropped on the path between the Sensor and the Manager. This can lead to SNMP timeouts. Look for the following messages in ems.log:
   :47:29,150 INFO [Thread-135] iv.core.sensorconfiguration - M1450 Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED
   :47:29,163 ERROR [Thread-135] iv.core.sensorconfiguration - Fail to process SNMP return node: com.intruvert.ext.sensorconfig.leap.sensorconfigexception: Time Out
15 Capture UDP traffic using Wireshark on the Manager. Check whether the Manager is receiving UDP response packets from the Sensor.
   Sample capture on the Manager: (figure)
16 Check the time on the Sensor and whether it matches the Manager system time.
17 Check whether there are any Out Of Memory related messages in the Manager logs. These can cause connectivity issues between the Sensor and Manager.
18 Check whether the Manager is part of an MDR pair. If so, verify that the primary Manager IP configured on the Sensor matches the IP of the active Manager, and check whether the Sensor is treating the standby Manager as the primary. Either mismatch can lead to connectivity issues.
If the problem still persists, contact McAfee Support for further assistance.

Wrong country name in IPS alerts
Scenario
To find the root cause when IPS alerts in the Attack Log page show the wrong country name for the Attacker or Target.
Applicable to
Sensor models: M-series, NS-series
Sensor software versions: 8.1, 8.3, 9.1
Problem type to be solved
The Attack Log page displays the wrong country name for the source or destination IP address of an IPS alert.
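The following script is an added example for the Sensor-Manager connectivity scenario above; it is not code from the McAfee guide. It covers two of that scenario's checks: the per-Sensor alert rate that the iv_alert query in step 12 of the preceding scenario counts, here bucketed per hour so a burst from one Sensor stands out, and the ems.log SNMP timeout, DISCONNECTED and Out Of Memory messages of steps 14 and 17. The database is a throwaway in-memory SQLite stand-in holding only the two columns the guide's queries use; the SQL is written so it also runs unchanged against MySQL (SUBSTR on a DATETIME yields 'YYYY-MM-DD HH'). The table rows and log lines are constructed to match the shapes quoted above; the exact wording and case in a real ems.log may differ, so adjust the patterns to what your Manager writes.

```python
"""Manager-side evidence for Sensor-Manager connectivity problems (added example)."""
import re
import sqlite3
from collections import Counter

# --- alert rate (iv_alert) ------------------------------------------------

# Constructed rows: Sensor 101 is steady, Sensor 102 bursts during the 10:00 hour.
SAMPLE_ALERTS = (
    [(101, "2018-08-28 09:%02d:00" % m) for m in range(0, 60, 10)]
    + [(101, "2018-08-28 10:%02d:00" % m) for m in range(0, 60, 10)]
    + [(102, "2018-08-28 09:%02d:00" % m) for m in range(0, 60, 15)]
    + [(102, "2018-08-28 10:%02d:%02d" % (m, s)) for m in range(60) for s in (0, 30)]
)

# Same counting approach as the guide's query, grouped per hour as well as per Sensor.
RATE_SQL = """
SELECT sensorid, SUBSTR(creationtime, 1, 13) AS hour_bucket, COUNT(*) AS atcount
FROM   iv_alert
WHERE  creationtime BETWEEN ? AND ?
GROUP  BY sensorid, hour_bucket
ORDER  BY sensorid, hour_bucket
"""

def load_sample_db(rows=SAMPLE_ALERTS):
    """In-memory stand-in for the Manager database (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE iv_alert (sensorid INTEGER, creationtime TEXT)")
    con.executemany("INSERT INTO iv_alert VALUES (?, ?)", rows)
    return con

def hourly_rates(con, start, end):
    """{(sensorid, 'YYYY-MM-DD HH'): alert count} for alerts between start and end."""
    return {(sid, hb): n for sid, hb, n in con.execute(RATE_SQL, (start, end))}

def noisy_sensors(rates, per_hour_threshold):
    """Sensor IDs whose alert rate exceeded the threshold in any hour."""
    return sorted({sid for (sid, _), n in rates.items() if n > per_hour_threshold})

# --- ems.log --------------------------------------------------------------

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) - (?P<msg>.*)$"
)
# The DISCONNECTED message names the Sensor; the timeout line that follows it does not.
DISCONNECT_RE = re.compile(r"^(?P<sensor>\S+) Experience a SNMP error .*Change the STATUS to DISC")

# Constructed lines shaped like the guide's ems.log excerpts.
SAMPLE_EMS_LOG = """\
2018-08-28 10:47:29,150 INFO [Thread-135] iv.core.sensorconfiguration - M1450 Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED
2018-08-28 10:47:29,163 ERROR [Thread-135] iv.core.sensorconfiguration - Fail to process SNMP return node: com.intruvert.ext.sensorconfig.leap.sensorconfigexception: Time Out
2018-08-28 10:48:02,001 INFO [Thread-140] iv.core.sensorconfiguration - NS9100-A Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED
2018-08-28 10:48:02,010 ERROR [Thread-140] iv.core.sensorconfiguration - Fail to process SNMP return node: com.intruvert.ext.sensorconfig.leap.sensorconfigexception: Time Out
2018-08-28 10:52:29,150 INFO [Thread-135] iv.core.sensorconfiguration - M1450 Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED
2018-08-28 10:52:29,163 ERROR [Thread-135] iv.core.sensorconfiguration - Fail to process SNMP return node: com.intruvert.ext.sensorconfig.leap.sensorconfigexception: Time Out
2018-08-28 10:55:00,500 ERROR [Thread-7] iv.core.alertprocessor - java.lang.OutOfMemoryError: Java heap space
"""

def triage_ems_log(text):
    """Count DISCONNECTED transitions and SNMP timeouts per Sensor; collect OOM timestamps."""
    disconnects, timeouts, oom = Counter(), Counter(), []
    last_sensor_on_thread = {}      # thread name -> Sensor most recently named on it
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # stack-trace continuation lines and similar
        msg, thread = m["msg"], m["thread"]
        d = DISCONNECT_RE.match(msg)
        if d:
            disconnects[d["sensor"]] += 1
            last_sensor_on_thread[thread] = d["sensor"]
        elif "sensorconfigexception: Time Out" in msg:
            # attribute the timeout to the Sensor last handled on the same worker thread
            timeouts[last_sensor_on_thread.get(thread, "unknown")] += 1
        elif "OutOfMemoryError" in msg:
            oom.append(m["ts"])
    return {"disconnects": disconnects, "snmp_timeouts": timeouts, "oom": oom}

def flapping_sensors(report, min_disconnects=2):
    """Sensors that went DISCONNECTED repeatedly: suspect UDP or fragment loss on port 8500."""
    return sorted(s for s, n in report["disconnects"].items() if n >= min_disconnects)

if __name__ == "__main__":
    rates = hourly_rates(load_sample_db(), "2018-08-28 00:00:00", "2018-08-28 23:59:59")
    print("sensors above 50 alerts/hour:", noisy_sensors(rates, 50))
    rep = triage_ems_log(SAMPLE_EMS_LOG)
    print("flapping:", flapping_sensors(rep), "OOM at:", rep["oom"])
```

To run RATE_SQL in the mysql client on the Manager, replace the two ? placeholders with quoted timestamps. A Sensor that shows up in both noisy_sensors and flapping_sensors is the one whose alert channel is most likely being starved while SNMP over UDP 8500 times out, which is the combination steps 12 and 14 are trying to surface.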

Troubleshooting Steps
1 Look up the IP address at maxmind.com to find its geographic location. If the location shown by the Manager does not match, the issue is with the Manager or with the geographic database in the cloud.
2 Log on to the Sensor with the admin ID, enter the debug command in the Sensor CLI, and then run:
   set loglevel mgmt (all <0-12>) <0-15>
   To disable logging afterwards, run set loglevel mgmt 0 0.
   Example Sensor trace output:
   Aug 28 06:36:16 localhost tl: DBG2 ctrlch postalertdatatosyslogviewer: syslog msg len 174, data <36>Aug 28 06:36:16 GMT mil-ips-01 AlertLog: mil-ips-01 detected Outbound attack HTTP: IIS3 ASP dot2e (severity = Medium) : > :80 (result = Inconclusive)
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch alerttransmittedcountupdate: IN
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch alerttransmittedcountupdate: msgid is (335)
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch alerttransmittedcountupdate: EXIT
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch CCout(0) processctrlchanalerts Id:335 (baseid: )
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch -out-begin Mobile SIGNATURE(335), size(565)
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Attack Id =
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Syslog Attack Id =
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Time Stamp =
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Alert Count = 1
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch VIDS Id = 2030
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Syslog VIDS Id = 4
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch VLAN Id = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Alert Duration = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Log ID =
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Slot Id = 2
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Port Id = 25
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Protocol Id = 16
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Qualifier 1 = 1
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Qualifier 2 = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Src IP = 0x
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Dstn IP = 0x
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Request LastByte Offset = ffffffff
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Response LastByte Offset = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Attack Pkt Search Num = 1
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch SrcPort =
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch DstnPort = 80
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Protocol = 6
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Signature Id = 226
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch PP State = 14
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Prev Stream Flag = 1
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Frag Flag = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Corr Flag = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch Inside = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch SuppressedSigId Bits = 1
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch inline Drop = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch ReCfg Firewall = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch flags = 40
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch mpeflags = 8
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch appid = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch normalize reputation = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch normalize geolocation = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch xff ip direction= 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch mobileflags = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch devprof Src deviceinfo = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch devprof Src conflevel = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch devprof Src osinfo = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch devprof Src detectsrctype = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch devprof Dst deviceinfo = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch devprof Dst conflevel = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch devprof Dst osinfo = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch devprof Dst detectsrctype = 0
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch 64-bit Uid = a a be 8a d3 57.
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch id: 335, msgtype:
   Aug 28 06:36:16 localhost tl: DBG0 ctrlch processsigalertmsg - recfgfw mask = 0x0
   Here a geographic ID of 0 means that the Sensor did not send any geographic information for the corresponding source or destination IP address.
3 Repeat step 2 and wait for the IPS alert to be raised again. This time the Sensor prints the country code it sent for the corresponding IPS alert. If the Sensor sends a geographic location ID of 0, the issue lies with the geographic database cloud that the Manager queries to find the location matching an IP address. Typically, for an IPS alert the Sensor does not send any geographic location ID value.
If the problem still persists, contact McAfee Support for further assistance.
When a wrong country name is displayed for the source or destination IP address of an IPS alert, the issue is with the Manager.

Wrong country name in ACL alerts
Scenario
Wrong country name appears in ACL alerts or ACL logs.
Applicable to
Sensor models: M-series
Sensor software versions: 8.1, 8.3, 9.1
Problem type to be solved
A wrong country name is displayed in the ACL alerts or ACL logs when they are forwarded to third-party software, either from the Sensor or from the Manager.
Data/Information Collection
Execute show acl stats in the Sensor CLI.
Troubleshooting Steps
Execute the show acl stats command in the Sensor CLI to fetch the following data from the management process:
   Number of ACL alerts sent by the datapath processor to the management processor
   Number of ACL alerts sent from the management processor to the Manager or to a third-party software tool
If the received count exceeds the sent plus sent-direct counts by a large value, but by less than 10,000, the buffer that holds ACL alerts on the management processor is full. This is a likely cause of the issue.
   intrushell@mil-ips-01> show acl stats
   [Acl Alerts]
   Received : 0
   Suppressed : 0
   Sent : 0
   Sent Direct : 0
   Stateless ACL Fwd count : 0
The buffer that receives ACL alerts from the datapath processor is full and is not flushed on events such as ACL alert suppression being disabled or enabled. If the ACL alert buffer is not flushed in this situation, the country name of an old ACL alert is mixed into the new ACL alert, which results in the wrong country name in the ACL logs.
If the wrong country name is displayed in an ACL alert for either the source or the destination IP address, the issue is with the Sensor.
If you are not able to solve the problem even after repeating the troubleshooting steps, or the problem is not understood, contact McAfee Support for further assistance.

8 Using the InfoCollector tool
This section describes the following aspects of using the InfoCollector tool.
Contents
Introduction
How to run the InfoCollector tool
Using InfoCollector tool
Introduction
InfoCollector is an information collection tool, bundled with the Manager, that allows you to easily provide McAfee with Network Security Platform-related log information. McAfee can use this information to investigate and diagnose issues you may be experiencing with the Manager.
InfoCollector can collect information from the following sources within Network Security Platform:
Information Type: Description
Ems.log files: Configurable logs containing information from various components of the Manager. When the current ems.log file reaches 3 MB it is renamed using the current timestamp, and a new ems.log is created to collect the latest log information.
Configuration backup: A collection of database information containing all Network Security Platform configuration information.
Configuration files: XML and property files within the Network Security Platform config directory.
Fault log: A table in the Network Security Platform database that contains generated fault log messages.
Sensor Trace: A file containing various McAfee Network Security Sensor (Sensor)-related log files.
Compiled Signature: A file containing signature information and policy configuration for a given Sensor.
InfoCollector is a tool that can be used both by you and by McAfee. McAfee systems engineers can use the InfoCollector tool to provide you with a definition (.def) file via email. This file is configured by McAfee to automatically choose the information that McAfee needs from your installation of Network Security Platform. You simply open the definition file within InfoCollector and it automatically selects the information McAfee needs from your installation of the Manager.
Alternatively, a manual approach can also be used with InfoCollector: you select the information yourself to provide to McAfee. For example, McAfee may ask you to select checkboxes that correspond to different sets of information available within Network Security Platform.

How to run the InfoCollector tool
To run InfoCollector, follow these steps:
1 Go to the following location within the Manager installation directory:
   C:\[Network Security Manager_INSTALL_DIR]\App\diag\InfoCollector
2 Run infocollector.bat
Using InfoCollector tool
To use InfoCollector, follow these steps:
Task
1 After you run InfoCollector, do one of the following:
   If McAfee provides you with a definition file:
   a Open the File menu and click Open Definition.
   Figure 8-1 Navigating to the Open Definition option
   b Select the definition file that McAfee sent you via email and click Select.
   If McAfee instructs you to select InfoCollector checkboxes:
   a Select the checkboxes as instructed by McAfee.
   b Select a Duration. Select Date to specify a start and end date, or select Last X Days.


More information

McAfee MOVE AntiVirus 2.6.0

McAfee MOVE AntiVirus 2.6.0 Deployment Guide McAfee MOVE AntiVirus 2.6.0 For use with epolicy Orchestrator 4.5.0, 4.6.0 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee,

More information

Addendum I to 7.1 Documentation. McAfee Network Security Platform 7.1

Addendum I to 7.1 Documentation. McAfee Network Security Platform 7.1 Addendum I to 7.1 Documentation McAfee Network Security Platform 7.1 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

SonicOS Enhanced 3.8.0.6 Release Notes TZ 180 Series and TZ 190 Series SonicWALL, Inc. Firmware Release: August 28, 2007

SonicOS Enhanced 3.8.0.6 Release Notes TZ 180 Series and TZ 190 Series SonicWALL, Inc. Firmware Release: August 28, 2007 SonicOS Enhanced 3.8.0.6 TZ 180 Series and TZ 190 Series SonicWALL, Inc. Firmware Release: August 28, 2007 CONTENTS PLATFORM COMPATIBILITY SONICWALL RECOMMENDATIONS KNOWN ISSUES RESOLVED KNOWN ISSUES UPGRADING

More information

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software Product Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Product Guide. McAfee Endpoint Security for Mac Threat Prevention 10.1.0

Product Guide. McAfee Endpoint Security for Mac Threat Prevention 10.1.0 Product Guide McAfee Endpoint Security for Mac Threat Prevention 10.1.0 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

Installation Guide. McAfee SaaS Endpoint Protection 6.0

Installation Guide. McAfee SaaS Endpoint Protection 6.0 Installation Guide McAfee SaaS Endpoint Protection 6.0 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

SonicOS Enhanced 5.7.0.2 Release Notes

SonicOS Enhanced 5.7.0.2 Release Notes SonicOS Contents Platform Compatibility... 1 Key Features... 2 Known Issues... 3 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 6 Related Technical Documentation... 11 Platform Compatibility

More information

QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance

QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance 1 0 0 0 1 1 QUICK START GUIDE Web Security Appliance Web Security Appliance Cisco S170 303417 Cisco S170 Web Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation

More information

USER GUIDE. Ethernet Configuration Guide (Lantronix) P/N: 2900-300321 Rev 6

USER GUIDE. Ethernet Configuration Guide (Lantronix) P/N: 2900-300321 Rev 6 KRAMER ELECTRONICS LTD. USER GUIDE Ethernet Configuration Guide (Lantronix) P/N: 2900-300321 Rev 6 Contents 1 Connecting to the Kramer Device via the Ethernet Port 1 1.1 Connecting the Ethernet Port Directly

More information

Deployment Guide: Transparent Mode

Deployment Guide: Transparent Mode Deployment Guide: Transparent Mode March 15, 2007 Deployment and Task Overview Description Follow the tasks in this guide to deploy the appliance as a transparent-firewall device on your network. This

More information

Installation Guide. McAfee SaaS Endpoint Protection

Installation Guide. McAfee SaaS Endpoint Protection Installation Guide McAfee SaaS Endpoint Protection COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Dell OpenManage Mobile Version 1.4 User s Guide (Android)

Dell OpenManage Mobile Version 1.4 User s Guide (Android) Dell OpenManage Mobile Version 1.4 User s Guide (Android) Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION

More information

Back-up Server DOC-OEMSPP-S/2014-BUS-EN-10/12/13

Back-up Server DOC-OEMSPP-S/2014-BUS-EN-10/12/13 Back-up Server DOC-OEMSPP-S/2014-BUS-EN-10/12/13 The information contained in this guide is not of a contractual nature and may be subject to change without prior notice. The software described in this

More information

Reboot the ExtraHop System and Test Hardware with the Rescue USB Flash Drive

Reboot the ExtraHop System and Test Hardware with the Rescue USB Flash Drive Reboot the ExtraHop System and Test Hardware with the Rescue USB Flash Drive This guide explains how to create and use a Rescue USB flash drive to reinstall and recover the ExtraHop system. When booting

More information

Total Protection Service

Total Protection Service User Help McAfee Total Protection Service for Microsoft Windows Home Server COPYRIGHT Copyright 2008 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information

Configuration Manual English version

Configuration Manual English version Configuration Manual English version Frama F-Link Configuration Manual (EN) All rights reserved. Frama Group. The right to make changes in this Installation Guide is reserved. Frama Ltd also reserves the

More information

PART 1 CONFIGURATION 1.1 Installing Dashboard Software Dashboardxxx.exe Administration Rights Prerequisite Wizard

PART 1 CONFIGURATION 1.1 Installing Dashboard Software Dashboardxxx.exe Administration Rights Prerequisite Wizard Omega Dashboard 1 PART 1 CONFIGURATION 1.1 Installing Dashboard Software Find the Dashboardxxx.exe in the accompanying CD or on the web. Double click that to install it. The setup process is typical to

More information

Quick Start Guide. Cisco Small Business. 300 Series Managed Switches

Quick Start Guide. Cisco Small Business. 300 Series Managed Switches Quick Start Guide Cisco Small Business 300 Series Managed Switches Welcome Thank you for choosing the Cisco 300 Series Managed Switch, a Cisco Small Business network communications device. This device

More information

Setup Guide. Email Archiving for Microsoft Exchange Server 2007

Setup Guide. Email Archiving for Microsoft Exchange Server 2007 Setup Guide Email Archiving for Microsoft Exchange Server 2007 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Best Practices Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software

Best Practices Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software Best Practices Guide Revision B McAfee epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev. Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of

More information

Best Practices Guide Revision C. McAfee Network Security Platform 8.3

Best Practices Guide Revision C. McAfee Network Security Platform 8.3 Best Practices Guide Revision C McAfee Network Security Platform 8.3 COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation

More information

MULTIFUNCTIONAL DIGITAL SYSTEMS. TopAccess Guide

MULTIFUNCTIONAL DIGITAL SYSTEMS. TopAccess Guide MULTIFUNCTIONAL DIGITAL SYSTEMS TopAccess Guide 0 TOSHIBA TEC CORPORATION All rights reserved Under the copyright laws, this manual cannot be reproduced in any form without prior written permission of

More information

Panorama High Availability

Panorama High Availability Panorama High Availability Palo Alto Networks Panorama Administrator s Guide Version 6.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054

More information

McAfee Advanced Threat Defense 3.6.0

McAfee Advanced Threat Defense 3.6.0 Release Notes McAfee Advanced Threat Defense 3.6.0 Revision C Contents About this release New Features Enhancements Resolved issues Installation and upgrade notes Known issues Product documentation About

More information

McAfee Web Gateway 7.4.1

McAfee Web Gateway 7.4.1 Release Notes Revision B McAfee Web Gateway 7.4.1 Contents About this release New features and enhancements Resolved issues Installation instructions Known issues Find product documentation About this

More information

BIG-IP ASM plus ibypass Switch

BIG-IP ASM plus ibypass Switch White Pap er ibypass Switch maximizes application uptime. by F5 Networks and Net Optics Contents Introduction 3 How it works 4 Bypass Off 4 Bypass On 4 Heartbeat TM Packet 5 ibypass TM Switch 6 Media conversion

More information

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Load Balancing. Outlook Web Access. Web Mail Using Equalizer Load Balancing Outlook Web Access Web Mail Using Equalizer Copyright 2009 Coyote Point Systems, Inc. Printed in the USA. Publication Date: January 2009 Equalizer is a trademark of Coyote Point Systems

More information

McAfee VirusScan Enterprise for Storage 1.1.0

McAfee VirusScan Enterprise for Storage 1.1.0 Product Guide McAfee VirusScan Enterprise for Storage 1.1.0 For use with epolicy Orchestrator 4.5.7, 4.6.x, 5.0.x Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

LifeSize Networker Installation Guide

LifeSize Networker Installation Guide LifeSize Networker Installation Guide November 2008 Copyright Notice 2006-2008 LifeSize Communications Inc, and its licensors. All rights reserved. LifeSize Communications has made every effort to ensure

More information

Network/Floating License Installation Instructions

Network/Floating License Installation Instructions Network/Floating License Installation Instructions Installation steps: On the Windows PC that will act as License Manager (SERVER): 1. Install HASP Run-time environment, SERVER 2. Plug in the red USB hardware

More information

Configuration Information

Configuration Information Configuration Information Email Security Gateway Version 7.7 This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard.

More information

Trend Micro Hosted Email Security. Best Practice Guide

Trend Micro Hosted Email Security. Best Practice Guide Trend Micro Hosted Email Security Best Practice Guide Hosted Email Security Best Practice Guide Trend Micro Incorporated reserves the right to make changes to this document and to the products described

More information