Network Security Platform 8.3 Troubleshooting Guide

Troubleshooting Guide
Revision C
McAfee Network Security Platform 8.3
COPYRIGHT
© 2016 Intel Corporation
TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents

Preface . . . 5
    About this guide . . . 5
        Audience . . . 5
        Conventions . . . 5
    Find product documentation . . . 6

1 Troubleshooting Sensor issues . . . 7
    NS-series Sensors CRUs and FRUs . . . 8
        Fans . . . 9
        IO Module Cards (Except NS3x00 and NS5x00) . . . 9
        FRUs - Field Replaceable Units . . . 9
        SSDs (NS9x00) . . . 10
        SSD#1 goes to bad status . . . 10
        Orange Beach Cards (NS9x00 series only) . . . 13
        Lspci output for NIC devices . . . 13
        Lspci output for crypto devices . . . 14
    View diagnostic and system information for NS-series Sensors . . . 16
    Lspci for NS-series Sensors . . . 18
    M-series Sensor replacement for defective I-series Sensors . . . 18
    Check XLRs for M-series Sensors . . . 19
    Sibytes for I-series Sensors . . . 20
    Check for monitoring ports failure . . . 20
    Check for management ports failure . . . 20
    Check for console port failure . . . 21
    Check for Sensor LED or fan failure . . . 21
    Check power supply in the Sensor . . . 22
    Check for flash corruption in the Sensor . . . 23
    Perform flash recovery . . . 23
    Cache and memory errors . . . 24
    Verify passive fail-open connectivity . . . 24
    Tasks suspended on Sibytes . . . 25

2 Performance issues . . . 27
    Sniffer trace . . . 27
    Data link errors . . . 27
        Half-duplex setting . . . 27
        Full-duplex setting . . . 27

3 Determine false positives . . . 29
    Reduce false positives . . . 29
    Tune your policies . . . 29
        False positives and noise . . . 30
        Determine a false positive versus noise . . . 31

4 System fault messages . . . 33
    Manager faults . . . 33
        Manager critical faults . . . 33
        Manager error faults . . . 47
        Manager warning faults . . . 52
        Manager informational faults . . . 54
    Sensor faults . . . 64
        Sensor critical faults . . . 64
        Sensor error faults . . . 75
        Sensor warning faults . . . 80
        Sensor informational faults . . . 86
    NTBA faults . . . 88
        NTBA critical faults . . . 88
        NTBA error faults . . . 90
        NTBA warning faults . . . 91
        NTBA informational faults . . . 92

5 Error messages . . . 93
    Error messages for RADIUS servers . . . 93
    Error messages for LDAP server . . . 94

6 Troubleshooting scenarios . . . 95
    Network outage due to unresolved ARP traffic . . . 95
    Delay in alerts between the Sensor and Manager . . . 96
    Sensor-Manager Connectivity Issues . . . 100
    Wrong country name in IPS alerts . . . 102
    Wrong country name in ACL alerts . . . 105

7 Using the InfoCollector tool . . . 107
    Introduction . . . 107
    How to run the InfoCollector tool . . . 108
    Using InfoCollector tool . . . 108

8 Automatically restarting a failed Manager with Manager Watchdog . . . 111
    Introduction . . . 111
    How the Manager Watchdog works . . . 111
    Install the Manager Watchdog . . . 112
    Start the Manager Watchdog . . . 112
    Use the Manager Watchdog with Manager in an MDR configuration . . . 112
    Track the Manager Watchdog activities . . . 112

9 Utilize the McAfee KnowledgeBase . . . 115

Index . . . 117
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
Contents
About this guide
Find product documentation
About this guide
This information describes the guide's target audience, the typographical conventions and icons used
in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Users — People who use the computer where the software is running and can access some or all of its features.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Find product documentation
On the ServicePortal, you can find information about a released product, including product
documentation, technical articles, and more.
Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.
1
Troubleshooting Sensor issues
McAfee® Network Security Platform is a combination of network appliances and software, built for the
accurate detection and prevention of intrusions and network misuse.
Sensors are high-performance, scalable, and flexible content processing appliances built for the
accurate detection and prevention of intrusions, misuse, malware, denial of service (DoS) attacks, and
distributed denial of service (DDoS) attacks. Sensors can be physical or virtual appliances. Sensors are
specifically designed to handle traffic at wire-speed, efficiently inspect and detect intrusions with a
high degree of accuracy, and flexible enough to adapt to the security needs of any enterprise
environment.
Network Security Platform offers several types of Sensor platforms providing different bandwidth and
deployment strategies.
• I-series: I-4010, I-4000, I-3000, I-2700, I-1400, and I-1200
• M-series: M-8000, M-6050, M-4050, M-3050, M-2850, M-2950, M-1450, and M-1250
• NS-series: NS9100, NS9200, NS9300, NS7100, NS7200, NS7300, NS5100, NS5200, NS3200, and NS3100
• Virtual IPS Sensors: IPS-VM100 and IPS-VM600
This section lists some troubleshooting scenarios, procedures, and checks that can be followed during
a Sensor's Return Merchandise Authorization (RMA) process.
Contents
NS-series Sensors CRUs and FRUs
View diagnostic and system information for NS-series Sensors
Lspci for NS-series Sensors
M-series Sensor replacement for defective I-series Sensors
Check XLRs for M-series Sensors
Sibytes for I-series Sensors
Check for monitoring ports failure
Check for management ports failure
Check for console port failure
Check for Sensor LED or fan failure
Check power supply in the Sensor
Check for flash corruption in the Sensor
Perform flash recovery
Cache and memory errors
Verify passive fail-open connectivity
Tasks suspended on Sibytes
NS-series Sensors CRUs and FRUs
CRUs - Customer Replaceable Units
NS9x00, NS7x00, NS5x00, and NS3x00 series
• PSUs
• Fans
• IO Module Cards (Except NS3x00 & NS5x00)
The Manager displays a system event message indicating which of the two PSUs is bad. (NS3x00 has only one
power supply, which is an FRU only.)
The following are the reasons for a power supply event message:
• a power supply was inserted
• power was applied and the status is normal
• power was removed from the power supply unit
• the PSU has failed
• the power supply was removed from the chassis
Mar 15 19:28:37 localhost tL: EMER montor|Couldn't determine power supply 1 status!
Mar 15 19:28:37 localhost tL: EMER montor|Power supply 1 st -1 inserted
Mar 15 19:31:41 localhost tL: EMER montor|Power supply 1 st 0 back to okay!
Mar 15 19:33:44 localhost tL: EMER montor|Problem in power supply 1 st -1
Mar 15 19:36:50 localhost tL: EMER montor|Power supply 1 st 10 removed
Fans
Manager displays a system event message indicating which fan FRU is in bad status. Fan number is
labeled on the system chassis.
The following image shows the system event indicating that the Fan#3 is in bad status.
IO Module Cards (Except NS3x00 and NS5x00)
• Check to see if the status LED on the IO module card turns green after powering up the system.
LED will be in solid green color after system health reaches good state.
• For individual interface port troubleshooting, perform the usual swap test. Swap out the IO module
card itself or swap the interface port cable with a known good one. Verify if the problem continues
even after the swap. The aim is to isolate the bad IO module card, transceiver, cable, or a
particular interface port.
FRUs - Field Replaceable Units
NS9x00 series
• SSDs
• Orange Beach Cards
NS7x00 series
• Orange Beach Lite Cards
• DIMMs
NS5x00 series
• DIMMs
• SSD
• Greenlight Card and Riser Assembly
• Main PCB Assembly
NS3x00 series (All components are FRU only, no CRU)
• DIMMs
• Power supply
• FANs
SSDs (NS9x00)
The Sensor CLI indicates which of the two SSDs is in bad status.
SSD #0 is the top SSD (labeled 00 or 0 on the SSD cable).
SSD #1 is the bottom SSD (labeled 01 or 1 on the SSD cable).
The Sensor logs also contain information indicating which SSD is in bad status.
The following image displays the labels 00 and 01 on the SSD cable.
SSD#1 goes to bad status
Feb 17 19:51:19 localhost tL: EMER montor|in checkRaidStatus: SSD0 good to bad
Feb 17 19:51:19 localhost tL: EMER montor|RAIDREPAIR timer thread started
Feb 17 19:51:19 localhost tL: EMER montor|RAIDREPAIR: Created checkRaidRepairTimer thread
Feb 17 19:51:19 localhost tL: EMER clilog|Primary: RAIDREPAIR status flag:1
Feb 17 19:51:21 localhost tL: EMER montor|RAIDREPAIR: ssd(0) to repair(status:2)
Feb 17 19:51:21 localhost tL: EMER clilog|BAD mdRAID partition:1, ssd:0 failing RAID partitions 1
Personalities : [linear] [raid0] [raid1] [multipath] [faulty]
md3 : active raid1 sda5[0] sdb5[1]
108002232 blocks super 1.2 [2/2] [UU]
md2 : active raid1 sda3[0] sdb3[1]
10484664 blocks super 1.2 [2/2] [UU]
md1 : active raid1 sda2[0](F) sdb2[1]
15727544 blocks super 1.2 [2/1] [_U]
md0 : active raid1 sda1[0] sdb1[1]
2096116 blocks super 1.2 [2/2] [UU]
unused devices: <none>
Feb 17 19:51:29 localhost tL: EMER montor|RAIDREPAIR: in progress...(count:10), ssd:-1,status:2
Feb 17 19:55:59 localhost tL: EMER montor|RAIDREPAIR: in progress...(count:280), ssd:-1,status:2
Sensor CLI command:
[email protected]> show raid status
SSD 0 STATUS : bad
SSD 1 STATUS : good
SSD 0 has gone bad. RAID repair in progress...
Please attempt the following using 'raidrepair':
1: Repair current SSD 0
2: Replace and repair new SSD 0
[email protected]>
[email protected]> show raid status
SSD 0 STATUS : bad
SSD 1 STATUS : good
SSD 0 has gone bad. RAID repair in progress...
----------------------SSD 0 repair status
----------------------RAID partition md1 status : RECOVERING
[email protected]>
SSD#2 goes to bad status
Feb 18 00:08:15 localhost tL: EMER montor|in checkRaidStatus: SSD1 good to bad
Feb 18 00:08:15 localhost tL: EMER montor|RAIDREPAIR timer thread started
Feb 18 00:08:15 localhost tL: EMER montor|RAIDREPAIR: Created checkRaidRepairTimer thread
Feb 18 00:08:18 localhost tL: EMER montor|RAIDREPAIR: ssd(1) to repair(status:2)
Feb 18 00:08:18 localhost tL: EMER clilog|BAD mdRAID partition:1, ssd:1 failing RAID partitions 1
Personalities : [linear] [raid0] [raid1] [multipath] [faulty]
md3 : active raid1 sda5[0] sdb5[1]
108002232 blocks super 1.2 [2/2] [UU]
md2 : active raid1 sda3[0] sdb3[1]
10484664 blocks super 1.2 [2/2] [UU]
md1 : active raid1 sda2[0] sdb2[1](F)
15727544 blocks super 1.2 [2/1] [U_]
md0 : active raid1 sda1[0] sdb1[1]
2096116 blocks super 1.2 [2/2] [UU]
unused devices: <none>
Feb 18 00:08:25 localhost tL: EMER montor|RAIDREPAIR: in progress...(count:10), ssd:1,status:2
Feb 18 00:08:35 localhost tL: EMER montor|RAIDREPAIR: in progress...(count:20), ssd:1,status:2
NS9100-80-93#
Sensor CLI command:
[email protected]> show raid status
SSD 0 STATUS : good
SSD 1 STATUS : bad
SSD 1 has gone bad. RAID repair in progress...
----------------------SSD 1 repair status
----------------------RAID partition md1 status : RECOVERING
[email protected]>
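The two RAID samples above (SSD 0 bad, then SSD 1 bad) both come down to reading the /proc/mdstat dump embedded in the Sensor log: the member carrying the (F) flag and the [2/1] counter identify the degraded partition and the failed mirror half. The following Python script is an added example, not code from the guide or from the product, that parses such a dump offline (for instance from an InfoCollector bundle) and renders the same verdict the Sensor CLI's show raid status gives. It assumes that sda is SSD 0 and sdb is SSD 1, which matches the samples but is not stated by the guide; the sample text is constructed from the SSD 0 log above.

```python
import re

# Assumption (not stated by the guide): the two mirror members map to the
# SSD slots the Sensor CLI reports, sda = SSD 0 (top), sdb = SSD 1 (bottom).
# This matches the samples above, where sda2 was flagged (F) when SSD 0 went bad.
DISK_TO_SSD = {"sda": 0, "sdb": 1}

MD_LINE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(raid\d+|linear|multipath)\s+(.*)$")
MEMBER = re.compile(r"(sd[a-z]+)\d*\[\d+\](?:\((F)\))?")
STATUS = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")


def parse_mdstat(text):
    """Parse /proc/mdstat text into one dict per md array."""
    arrays = []
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        m = MD_LINE.match(line)
        if not m:
            continue
        name, state, level, rest = m.groups()
        members, failed = [], []
        for disk, flag in MEMBER.findall(rest):
            members.append(disk)
            if flag == "F":
                failed.append(disk)
        expected = active = None
        umap = ""
        # The "[2/1] [_U]" counters sit on the line after the member list.
        if i + 1 < len(lines):
            s = STATUS.search(lines[i + 1])
            if s:
                expected, active, umap = int(s.group(1)), int(s.group(2)), s.group(3)
        arrays.append({"name": name, "state": state, "level": level,
                       "members": members, "failed": failed,
                       "expected": expected, "active": active, "map": umap})
    return arrays


def raid_summary(text):
    """Return (degraded array names, sorted bad SSD slots) for an mdstat dump."""
    degraded, bad = [], set()
    for a in parse_mdstat(text):
        if a["expected"] is not None and a["active"] < a["expected"]:
            degraded.append(a["name"])
            # A member that was removed outright no longer appears at all.
            for disk, slot in DISK_TO_SSD.items():
                if disk not in a["members"]:
                    bad.add(slot)
        for disk in a["failed"]:
            bad.add(DISK_TO_SSD.get(disk, -1))
    return degraded, sorted(bad)


def raid_report(text):
    """Render the state in the wording the Sensor CLI's 'show raid status' uses."""
    degraded, bad = raid_summary(text)
    lines = [f"SSD {slot} STATUS : {'bad' if slot in bad else 'good'}" for slot in (0, 1)]
    for slot in bad:
        lines.append(f"SSD {slot} has gone bad. Degraded partitions: {', '.join(degraded)}")
    return "\n".join(lines)


# Constructed from the SSD 0 sample above (md1 has sda2 flagged as failed).
MDSTAT_SSD0_BAD = """\
Personalities : [linear] [raid0] [raid1] [multipath] [faulty]
md3 : active raid1 sda5[0] sdb5[1]
      108002232 blocks super 1.2 [2/2] [UU]
md2 : active raid1 sda3[0] sdb3[1]
      10484664 blocks super 1.2 [2/2] [UU]
md1 : active raid1 sda2[0](F) sdb2[1]
      15727544 blocks super 1.2 [2/1] [_U]
md0 : active raid1 sda1[0] sdb1[1]
      2096116 blocks super 1.2 [2/2] [UU]
unused devices: <none>
"""
# Same layout with the failure on the other mirror member (the SSD 1 sample above).
MDSTAT_SSD1_BAD = MDSTAT_SSD0_BAD.replace("sda2[0](F) sdb2[1]", "sda2[0] sdb2[1](F)").replace("[_U]", "[U_]")
# Healthy mirror for comparison.
MDSTAT_HEALTHY = MDSTAT_SSD0_BAD.replace("sda2[0](F)", "sda2[0]").replace("[2/1] [_U]", "[2/2] [UU]")

if __name__ == "__main__":
    print(raid_report(MDSTAT_SSD0_BAD))
```

The check is deliberately based on the [n/m] counter rather than on the (F) flag alone, so a member that md has already dropped from the array (and that therefore carries no flag) still shows up as the missing SSD.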
Orange Beach Cards (NS9x00 series only)
There are two ways to determine bad OB cards.
• Sensor.dbg and sensor.log file.
• Lspci output.
Sensor.dbg and sensor.log file display errors instead of the following log messages:
Jan 31 21:22:38 localhost tL: EMER sysctl|*********************
Jan 31 21:22:38 localhost tL: EMER sysctl|NIC cards detected
Jan 31 21:22:38 localhost tL: EMER sysctl|*********************
….
Jan 31 21:22:38 localhost tL: EMER sysctl|*********************
Jan 31 21:22:38 localhost tL: EMER sysctl|Crypto Chips detected
Jan 31 21:22:38 localhost tL: EMER sysctl|*********************
….
Sensor.dbg showing errors when NIC cards and Crypto chips are not detected as expected
Feb 18 02:21:12 localhost tL: EMER sysctl|*********************
Feb 18 02:21:12 localhost tL: EMER sysctl|16 NIC CARDS NOT DETECTED
Feb 18 02:21:12 localhost tL: EMER sysctl|*********************
….
Feb 18 02:21:12 localhost tL: EMER sysctl|*********************
Feb 18 02:21:12 localhost tL: EMER sysctl|4 Crypto Chips NOT DETECTED
Feb 18 02:21:12 localhost tL: EMER sysctl|*********************
Lspci output for NIC devices
Run lspci command from the system bash shell.
KR-9100# lspci | grep PLX
0a:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
0b:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
0b:01.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
0b:08.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
42:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
43:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
43:01.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
43:08.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
82:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
83:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
83:01.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
83:08.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
c2:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
c3:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
c3:01.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
c3:08.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
The above is the normal system output. If any group of 4 lines is missing, the NIC part of the
corresponding OB card has failed. Each group of 4 lines represents the OB card on one of the 4 Xeon CPUs
in the system. For example, if the third group of 4 lines is missing, replace the OB card in the third
Xeon CPU PCIe slot.
It is possible for just one line to be missing from a 4-line group. In such a case, the entire OB card
has to be replaced, since each OB card corresponds to a whole 4-line group.
Lspci output for crypto devices
Sample output
KR-9100# lspci | grep 434
09:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
49:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
81:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
c1:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
The above is the normal system output. If any one line is missing from the output, the crypto device on
the corresponding OB card has failed. Each line represents the OB card on one of the 4 CPUs in the
system. For example, if the second line is missing, the OB card in the second Xeon CPU PCIe slot
has to be replaced.
Orange Beach Lite Cards (NS7x00 series only)
On NS7x00 series Sensors, OB Lite cards are used instead of OB cards.
NS7x00 series Sensors have 1 or 2 OB Lite cards installed compared to NS9x00 series Sensors that
have 4 OB cards installed. The debug method is identical to that of OB Cards in NS9x00 series
Sensors.
Number of OB Lite cards installed on NS7x00 series Sensors:
• NS7300 and NS7200: 2 OB Lite cards
• NS7100: 1 OB Lite card
Greenlight Card and Riser Assembly (NS5x00 series only)
If there is an error with this card, the Sensor reboots and does not come back to working condition. To
debug, it is required to have console access to capture the output.
The Sensor.dbg and sensor.log files display errors instead of the following informational messages:
Success, 4 NIC cards detected
Jan 31 21:22:38 localhost tL: EMER sysctl|*********************
Jan 31 21:22:38 localhost tL: EMER sysctl|NIC cards detected
Jan 31 21:22:38 localhost tL: EMER sysctl|*********************
….
Success, 2 Crypto Chips (C1) detected
Jan 31 21:22:38 localhost tL: EMER sysctl|*********************
Jan 31 21:22:38 localhost tL: EMER sysctl|Crypto Chips detected
Jan 31 21:22:38 localhost tL: EMER sysctl|*********************
Example of Error Output in log:
Mar 6 22:45:28 localhost tL: EMER sysctl|chkCaveCreekVersionAndCount: *** ERROR *** NOT ALL CAVE CREEK CO-PROCESSORS DETECTED, EXPECTED 2 , AVAILABLE 1
….
Error, 4 NIC cards not detected
Mar 6 22:45:28 localhost tL: EMER sysctl|*********************
Mar 6 22:45:28 localhost tL: EMER sysctl| NIC CARDS NOT DETECTED
Mar 6 22:45:28 localhost tL: EMER sysctl|*********************
….
Error, 2 Crypto Chips not detected
Feb 18 02:21:12 localhost tL: EMER sysctl|*********************
Mar 6 22:45:28 localhost tL: EMER sysctl| Crypto Chips NOT DETECTED
Feb 18 02:21:12 localhost tL: EMER sysctl|*********************
Lspci output for NIC devices.
Run lspci command from the system bash shell.
NS7200-82-185# lspci | grep Backplane
05:00.0 Ethernet controller: Intel Corporation 82599EB 10 Gigabit Dual Port Backplane Connection (rev 01)
05:00.1 Ethernet controller: Intel Corporation 82599EB 10 Gigabit Dual Port Backplane Connection (rev 01)
83:00.0 Ethernet controller: Intel Corporation 82599EB 10 Gigabit Dual Port Backplane Connection (rev 01)
83:00.1 Ethernet controller: Intel Corporation 82599EB 10 Gigabit Dual Port Backplane Connection (rev 01)
The above is the normal system output. If any group of two lines is missing, the NIC part of the
corresponding OB Lite card has failed. Each group of two lines represents the OB Lite card on one of
the 2 Xeon CPUs in the system. For example, if the second group of two lines is missing,
replace the OB Lite card in the second Xeon CPU PCIe slot.
It is possible for just one line to be missing from a two-line group. In such a case, the entire OB
Lite card has to be replaced, since each OB Lite card corresponds to both lines in the two-line group.
Lspci output for crypto devices
NS7200-82-185# lspci | grep 434
07:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
82:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
The above is the normal system output. If any one line is missing, the crypto device on the
corresponding OB Lite card has failed. Each line represents the OB Lite card on one of the 2 CPUs in the
system. For example, if the second line is missing, the OB Lite card in the second Xeon CPU PCIe
slot has to be replaced.
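The four lspci checks in this chapter (PLX bridges and crypto co-processors on NS9x00 OB cards, backplane NICs and crypto co-processors on NS7x00 OB Lite cards) all follow one rule: the lines a card contributes must be present as a complete group, and a group that is short by even one line means the whole card is replaced. The Python script below is an added example, not code from the guide or from the product, that applies that rule to saved lspci output. The guide only speaks of "groups of N lines"; the script infers card membership from adjacent PCI bus numbers (0a/0b, 42/43, and so on in the NS9100 sample), which is an assumption drawn from the samples rather than a documented property. All sample output is constructed to reproduce the shapes shown above.

```python
import re

# Matches the start of an lspci line: "0a:00.0 PCI bridge: PLX Technology, ..."
PCI_LINE = re.compile(r"^([0-9a-fA-F]{2}):([0-9a-fA-F]{2})\.([0-9a-fA-F])\s+(.*)$")


def bus_numbers(lspci_text, pattern):
    """Sorted PCI bus numbers of the lspci lines whose description matches pattern."""
    found = []
    for line in lspci_text.splitlines():
        m = PCI_LINE.match(line.strip())
        if m and re.search(pattern, m.group(4)):
            found.append(int(m.group(1), 16))
    return sorted(found)


def group_by_bus(buses, max_gap=1):
    """Split sorted bus numbers into runs; a gap larger than max_gap starts a new card.

    Assumption: the devices behind one OB / OB Lite card sit on adjacent PCI buses
    (0a/0b, 42/43, 82/83, c2/c3 in the guide's NS9100 sample) while different cards
    are far apart. The guide only says "groups of 4 lines", so this is inferred
    from its samples, not documented.
    """
    groups = []
    for bus in buses:
        if groups and bus - groups[-1][-1] <= max_gap:
            groups[-1].append(bus)
        else:
            groups.append([bus])
    return groups


def check_cards(lspci_text, pattern, cards, per_card):
    """Return findings about missing OB / OB Lite devices; an empty list means healthy.

    cards:    number of cards the model carries (4 OB on NS9x00, 1 or 2 OB Lite on NS7x00)
    per_card: lspci lines one card contributes (4 PLX bridges, 2 backplane NICs,
              or 1 crypto co-processor)
    """
    groups = group_by_bus(bus_numbers(lspci_text, pattern))
    findings = []
    for idx, g in enumerate(groups, 1):
        if len(g) < per_card:
            findings.append(f"card {idx} (bus {g[0]:02x}-{g[-1]:02x}) shows "
                            f"{len(g)} of {per_card} devices: replace the whole card")
    missing = cards - len(groups)
    if missing > 0:
        seen = ", ".join(f"{g[0]:02x}" for g in groups) or "none"
        findings.append(f"{missing} of {cards} cards show no devices "
                        f"(cards seen at bus {seen})")
    return findings


# Constructed samples reproducing the output shapes shown in the guide.
NS9100_PLX_OK = "\n".join(
    f"{bus:02x}:{dev:02x}.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)"
    for base in (0x0a, 0x42, 0x82, 0xc2)
    for bus, dev in ((base, 0), (base + 1, 0), (base + 1, 1), (base + 1, 8)))
NS9100_PLX_ONE_LINE_LOST = "\n".join(
    l for l in NS9100_PLX_OK.splitlines() if not l.startswith("43:01.0"))
NS9100_PLX_CARD3_GONE = "\n".join(
    l for l in NS9100_PLX_OK.splitlines() if not l.startswith(("82:", "83:")))
NS9100_CRYPTO_OK = "\n".join(
    f"{bus:02x}:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)"
    for bus in (0x09, 0x49, 0x81, 0xc1))
NS7200_BACKPLANE_OK = "\n".join(
    f"{bus:02x}:00.{fn} Ethernet controller: Intel Corporation 82599EB 10 Gigabit "
    "Dual Port Backplane Connection (rev 01)"
    for bus in (0x05, 0x83) for fn in (0, 1))

if __name__ == "__main__":
    for label, text in (("ok", NS9100_PLX_OK), ("one line lost", NS9100_PLX_ONE_LINE_LOST),
                        ("card gone", NS9100_PLX_CARD3_GONE)):
        print(label, check_cards(text, "PLX", 4, 4))
```

When a whole card is absent the script cannot tell which slot it occupied from lspci alone, so it lists the bus numbers of the cards it did see; the operator maps those to the CPU PCIe slots in the order the guide describes.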
DIMMs
DIMM errors are identified by the following error messages in the /var/log/messages file.
Same messages show up on the system console output as well.
Jan 21 12:15:01 localhost klogd: [ 749.407598] [Hardware Error]: Run the message through 'mcelog --ascii' to decode.
Jan 21 12:15:01 localhost klogd: [ 749.416032] [Hardware Error]: No human readable MCE decoding support on this CPU type.
To pinpoint which DIMM is bad, go into the system BIOS menu and check the DIMM status under the
memory configuration page.
View diagnostic and system information for NS-series Sensors
You can run a diagnosis of the hardware information. To do so, perform the following steps:
Enter private mode and type diagnostics.
To exit the diagnostics mode, type disable.
To view diagnostic and system information, run the command run diag_show_system_info.
Syntax:
run diag_show_system_info
Sample output
Rubicon Diagnostics Build Date: Aug 30 2013 14:24:26
BMC version = 1.15, IPMI v2.0
BIOS Version = SE5C600.86B.01.07.0002.030620132047
Linux version 2.6.38 ([email protected]) (gcc version 4.5.2 (Ubuntu/Linaro
4.5.2-8ubuntu4) ) #1 SMP Thu Apr 18 17:21:37 PDT 2013
Bootloader Version: GRUB 2.0 - Development
sysType = 0x6A, failover = 0x00
Group 0: 0x28 - 2-QSFP On-board Controller ; FPGA version 05; Working image
Group 1: 0x2D - 6-1GBE Module Controller ; FPGA version 02; Working image
Group 2: 0x2D - 6-1GBE Module Controller ; FPGA version 02; Working image
Group 3: 0x28 - 8-1GBE On-board Controller ; FPGA version 05; Working image
CPLD Device ID: 0x26; Version: 0x01; Revision: 0x03
Reset Register : 0x7F
0x40: QSFP6_RST_L
0x20: QSFP5_RST_L
0x10: BCM84740B_L
0x08: BCM84740A_L
0x40: BCM54980_RST_L_1
0x02: BCM56440_RST_L
0x01: BCM56840_RST_L
Reset Register slot : 0xFFFFFFFF
0x80: SLOT2_QSFP_RST_L
0x40: SLOT2_FPGA_RST_L
0x20: SLOT2_PHY_B_RST_L
0x10: SLOT2_PHY_A_RST_L
0x08: SLOT1_QSFP_RST_L
0x04: SLOT1_FPGA_RST_L
0x02: SLOT1_PHY_B_RST_L
0x01: SLOT1_PHY_A_RST_L
Trident and Katana Core Voltage : 0xFFFFFFF5
0x04: BCM56440_1V_VCR_0
0x01: BCM56840_1V_VCR_0
Status : 0xFFFFFFBD
PHY enable : 0xFFFFFFBD
0x01: BCM54980_SUPER_ISOLATE
Scratch pad : 0x00
show current LED setting
show_led - Work in progess!
BB CPU0 VTT Temp temperature = 39.00 C
BB CPU2 Temp temperature = 33.00 C
OB-CPU 2 Temp temperature = 43.00 C
OB-CPU 3 Temp temperature = 43.00 C
BB CPU0 Temp temperature = 50.00 C
Front Panel Temp temperature = 30.00 C
SSB Temp temperature = 53.00 C
BB BMC Temp temperature = 50.00 C
BB CPU1 VTT Temp temperature = 39.00 C
BB CPU1 Temp temperature = 50.00 C
OB-CPU 0 Temp temperature = 41.00 C
OB-CPU 1 Temp temperature = 41.00 C
Exit Air Temp temperature = 54.00 C
LAN NIC Temp temperature = 62.00 C
PS1 Temperature temperature = 32.00 C
PS2 Temperature temperature = 0.00 C
BB CPU3 Temp temperature = 35.00 C
Module in group 1 slot temperature = 29.500 C
Module in group 2 slot temperature = 30.125 C
Front Panel Temp system temperature = 30.00 C
System Fan 1A PRESENT speed = 15810 RPM
System Fan 1B PRESENT speed = 15300 RPM
System Fan 2A PRESENT speed = 15810 RPM
System Fan 2B PRESENT speed = 15300 RPM
System Fan 3A PRESENT speed = 15810 RPM
System Fan 3B PRESENT speed = 15240 RPM
System Fan 4A PRESENT speed = 15810 RPM
System Fan 4B PRESENT speed = 15300 RPM
System Fan 5A PRESENT speed = 15810 RPM
System Fan 5B PRESENT speed = 15300 RPM
System Fan 6A PRESENT speed = 9734 RPM
System Fan 6B PRESENT speed = 9360 RPM
System Fan 7A PRESENT speed = 9796 RPM
System Fan 7B PRESENT speed = 9300 RPM
System Fan 8A PRESENT speed = 15810 RPM
System Fan 8B PRESENT speed = 15300 RPM
System Fan 9A PRESENT speed = 15810 RPM
System Fan 9B PRESENT speed = 15300 RPM
System Fan 10A PRESENT speed = 15810 RPM
System Fan 10B PRESENT speed = 15300 RPM
System Fan 11A PRESENT speed = 15810 RPM
System Fan 11B PRESENT speed = 15300 RPM
Power Supply (A) PRESENT health = OK
Power Supply (B) ABSENT health = N/A
Power Supply (A) status_for_nsm = OK
Power Supply (B) status_for_nsm = ERROR
DIAGNOSTIC PASSED!
The run should complete with no errors seen. The temperature and fan speed values should be within range. Power supply health should be either OK or N/A. The diagnostic result should display as DIAGNOSTIC PASSED!. If any other value appears, it indicates that an issue exists.
run diag_pld_test
Sample output
diagnostics# run diag_pld_test
Run PLD test
CPLD Device ID: 0x26; Version: 0x01; Revision: 0x03
Reset Register : 0x7F
0x40: QSFP6_RST_L
0x20: QSFP5_RST_L
0x10: BCM84740B_L
0x08: BCM84740A_L
0x40: BCM54980_RST_L_1
0x02: BCM56440_RST_L
0x01: BCM56840_RST_L
Reset Register slot : 0xFFFFFFFF
0x80: SLOT2_QSFP_RST_L
0x40: SLOT2_FPGA_RST_L
0x20: SLOT2_PHY_B_RST_L
0x10: SLOT2_PHY_A_RST_L
0x08: SLOT1_QSFP_RST_L
0x04: SLOT1_FPGA_RST_L
0x02: SLOT1_PHY_B_RST_L
0x01: SLOT1_PHY_A_RST_L
Trident and Katana Core Voltage : 0xFFFFFFF5
0x04: BCM56440_1V_VCR_0
0x01: BCM56840_1V_VCR_0
Status : 0xFFFFFFBD
PHY enable : 0xFFFFFFBD
0x01: BCM54980_SUPER_ISOLATE
Scratch pad : 0x00
DIAGNOSTIC PASSED!
If the diagnostic result is not passed and error messages are present then it indicates that a problem
exists in the CPLD device.
Lspci for NS-series Sensors
Commands in Linux bash shell mode
lspci | grep 434
Sample output
KR-9100# lspci | grep 434
09:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
49:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
81:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
c1:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)
If there are not 4 lines in the output, then one of the Niantic processors has not come up and has a problem.
lspci | grep PLX
Sample output
KR-9100# lspci | grep PLX
0a:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
0b:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
0b:01.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
0b:08.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
42:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
43:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
43:01.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
43:08.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
82:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
83:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
83:01.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
83:08.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
c2:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
c3:00.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
c3:01.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
c3:08.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)
If there are not 16 lines in the output, then a problem exists in one of the PLX devices.
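The pass criteria stated in the diagnostic and lspci sections above (DIAGNOSTIC PASSED!, power-supply health OK or N/A, temperatures and fan speeds within range, 4 Niantic co-processors, 16 PLX bridges) can be applied automatically to saved command output. The following is an added example, not McAfee's code or part of this guide; the guide gives no numeric temperature or fan limits, so TEMP_MAX_C and FAN_MIN_RPM are assumed placeholders to adjust for your hardware, and the sample outputs are constructed from the guide's listings.

```python
"""Health check over NS-series diagnostic and lspci output (added example)."""
import re

TEMP_MAX_C = 70.0        # assumed placeholder; the guide only says "within range"
FAN_MIN_RPM = 5000       # assumed placeholder for a PRESENT fan
EXPECTED_0434 = 4        # "Device 0434" lines the guide expects
EXPECTED_PLX = 16        # "PLX Technology" lines the guide expects

TEMP_RE = re.compile(r"^(?P<name>.+?)\s+temperature\s*=\s*(?P<val>[\d.]+)\s*C$")
FAN_RE = re.compile(r"^(?P<name>System Fan \S+)\s+(?P<state>PRESENT|ABSENT)\s+speed\s*=\s*(?P<rpm>\d+)\s*RPM$")
PSU_RE = re.compile(r"^(?P<name>Power Supply \(\w\))\s+(?:PRESENT|ABSENT)\s+health\s*=\s*(?P<health>\S+)$")


def check_diag(text):
    """Return a list of problems found in diagnostic output; [] means healthy."""
    problems = []
    passed = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "DIAGNOSTIC PASSED!":
            passed = True
            continue
        m = TEMP_RE.match(line)
        if m:
            val = float(m.group("val"))
            # 0.00 C is an absent or non-reporting sensor (PS2 in the guide), not a fault.
            if val > TEMP_MAX_C:
                problems.append(f"{m.group('name')}: {val:.2f} C exceeds {TEMP_MAX_C} C")
            continue
        m = FAN_RE.match(line)
        if m:
            if m.group("state") == "PRESENT" and int(m.group("rpm")) < FAN_MIN_RPM:
                problems.append(f"{m.group('name')}: {m.group('rpm')} RPM below {FAN_MIN_RPM}")
            continue
        m = PSU_RE.match(line)
        if m and m.group("health") not in ("OK", "N/A"):
            problems.append(f"{m.group('name')}: health {m.group('health')}")
    if not passed:
        problems.append("DIAGNOSTIC PASSED! not present in output")
    return problems


def count_devices(lspci_text, needle):
    """Count lspci lines that mention needle (e.g. 'Device 0434' or 'PLX Technology')."""
    return sum(1 for line in lspci_text.splitlines() if needle in line)


def check_lspci(niantic_text, plx_text):
    """Compare device counts with the guide's expectations; [] means healthy."""
    problems = []
    n = count_devices(niantic_text, "Device 0434")
    if n != EXPECTED_0434:
        problems.append(f"{n} Niantic co-processors seen, expected {EXPECTED_0434}")
    p = count_devices(plx_text, "PLX Technology")
    if p != EXPECTED_PLX:
        problems.append(f"{p} PLX bridges seen, expected {EXPECTED_PLX}")
    return problems


# Constructed samples, abridged from the guide's listings.
SAMPLE_DIAG_OK = """\
BB CPU0 Temp temperature = 50.00 C
PS2 Temperature temperature = 0.00 C
Module in group 1 slot temperature = 29.500 C
System Fan 1A PRESENT speed = 15810 RPM
System Fan 6B PRESENT speed = 9360 RPM
Power Supply (A) PRESENT health = OK
Power Supply (B) ABSENT health = N/A
DIAGNOSTIC PASSED!
"""

# Constructed failing sample: hot NIC, slow fan, failed PSU, no PASSED line.
SAMPLE_DIAG_BAD = """\
LAN NIC Temp temperature = 85.00 C
System Fan 6A PRESENT speed = 1200 RPM
Power Supply (A) PRESENT health = OK
Power Supply (B) PRESENT health = FAILED
"""

SAMPLE_LSPCI_434 = "\n".join(
    f"{bus}:00.0 Co-processor: Intel Corporation Device 0434 (rev 21)"
    for bus in ("09", "49", "81", "c1"))

SAMPLE_LSPCI_PLX = "\n".join(
    f"{bus}:{dev}.0 PCI bridge: PLX Technology, Inc. Device 8724 (rev ba)"
    for bus, dev in [("0a", "00"), ("0b", "00"), ("0b", "01"), ("0b", "08"),
                     ("42", "00"), ("43", "00"), ("43", "01"), ("43", "08"),
                     ("82", "00"), ("83", "00"), ("83", "01"), ("83", "08"),
                     ("c2", "00"), ("c3", "00"), ("c3", "01"), ("c3", "08")])

if __name__ == "__main__":
    for name, result in (("diag", check_diag(SAMPLE_DIAG_OK)),
                         ("lspci", check_lspci(SAMPLE_LSPCI_434, SAMPLE_LSPCI_PLX))):
        print(name, "OK" if not result else result)
```

Feed the functions the captured text of the diagnostic run and of the two lspci commands; an empty list from each means the output meets the guide's criteria, otherwise each entry names the sensor, fan, power supply or device count that failed.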
M-series Sensor replacement for defective I-series Sensors
As I-series Sensors are approaching end of life, these Sensors are no longer kept in inventory. If a particular I-series Sensor is not in inventory, a replacement M-series Sensor should be sent to the customer. The following matrix lists the M-series Sensor model that should be sent as a replacement for each I-series Sensor model.
I-series Sensor               Replacement M-series Sensor
Model       SKU               Model                SKU
I-1200      ICV-S12C-NA-100   M-1250               IAP-M13K-ISA
I-1200-FO   ITV-F12C-NA-100   M-1250-FO            IFO-M13K-ISA
I-1400      ICV-S14C-NA-100   M-1450               IAP-M15K-ISA
I-1400-FO   ITV-F14C-NA-100   M-1450-FO            IFO-M15K-ISA
I-2700      ICV-S27C-NA-100   M-2750/M-2850        IAP-M25K-ISA/IAP-M28K-ISA
I-2700-FO   ITV-F27C-NA-100   M-2750-FO/M-2850-FO  IFO-M25K-ISA/IFO-M28K-ISA
I-3000      ICV-S03K-NA-100   M-3050               IAP-M35K-ISA
I-3000-FO   ITV-F03K-NA-100   M-3050-FO            IFO-M35K-ISA
I-4000      ICV-S04K-NA-100   M-4050               IAP-M45K-ISA
I-4000-FO   ITV-F04K-NA-100   M-4050-FO            IFO-M45K-ISA
I-4010      ICV-S41K-NA-100   M-4050               IAP-M45K-ISA
I-4010-FO   ITV-F41K-NA-100   M-4050-FO            IFO-M45K-ISA
Check XLRs for M-series Sensors
Symptoms:
Sensor reboots continuously or fails to update.
Errors seen:
The following error is seen in sensor.log
Dec 18 18:32:28 localhost tL: EMER sysctl|!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Dec 18 18:32:28 localhost tL: EMER sysctl|palomarClusterRebootCheck(B:32 C:0 D:32 E:32/32)
Dec 18 18:32:28 localhost tL: EMER sysctl|!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:
Dec 18 18:36:30 localhost tL: EMER sysctl|***********************
Dec 18 18:36:30 localhost tL: EMER sysctl|SYSTEM INIT CHECK BEGIN
Dec 18 18:36:30 localhost tL: EMER sysctl|SYSTEM INIT CHECK AFTER 360 secs
Dec 18 18:36:30 localhost tL: EMER sysctl|SYSTEM INIT CHECK STATUS 98/130
Dec 18 18:36:30 localhost tL: EMER sysctl|!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Dec 18 18:36:30 localhost tL: EMER sysctl|SYSTEM INIT CHECK FAILED: INCOMPLETE INIT STATE
Dec 18 18:36:30 localhost tL: EMER sysctl|!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Dec 18 18:36:30 localhost tL: EMER sysctl|SYSTEM INIT CHECK WATCHDOG 1
Dec 18 18:36:30 localhost tL: EMER sysctl|manual Sensor reboot required, reboot count = 5
Dec 18 18:36:30 localhost tL: EMER sysctl|SYSTEM INIT CHECK END
Ideally the values for all XLRs should be 32. In the example above, XLR C is 0; in practice any of them could be zero.
Troubleshooting Steps:
Power cycle (not reboot) the Sensor to initialize the XLRs. If the same errors as above are still seen after the power cycle, the XLR is dead and an RMA needs to be performed for the Sensor.
Sibytes for I-series Sensors
Symptoms
Sensor reboots continuously or fails to take an update.
Errors seen
The following error is seen in sensor.log.
Aug 17 17:55:00 2009 tL: EMER sysctl|init check got 7, expected 9
Aug 17 17:55:00 2009 tL: EMER sysctl|!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Aug 17 17:55:00 2009 tL: EMER sysctl|Sensor detects incomplete init procedure
Aug 17 17:55:00 2009 tL: EMER sysctl|!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Aug 17 17:55:00 2009 tL: EMER sysctl|reboot flag 1
Aug 17 17:55:00 2009 tL: EMER sysctl|Sensor self rebooting
Aug 17 17:55:00 2009 tL: EMER montor|SysController : Incremen
Troubleshooting steps
1 Telnet to the Sibytes at 127.4.x.1, where x varies from 1 to 8 depending on the Sensor model.
2 Power cycle (not reboot) the Sensor to initialize the Sibytes.
3 If the same errors as above still exist after the power cycle, the Sibytes are dead and an RMA has to be performed for the Sensor.
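Both reboot-loop signatures above (the XLR values in the M-series palomarClusterRebootCheck line, and the I-series Sibyte "init check got N, expected M" line) can be picked out of sensor.log mechanically before deciding on a power cycle or RMA. The following is an added example, not McAfee's code or part of this guide; the log lines it scans are constructed from the guide's samples.

```python
"""Triage sensor.log for XLR and Sibyte init failures (added example)."""
import re

XLR_EXPECTED = 32
XLR_RE = re.compile(r"palomarClusterRebootCheck\(([^)]*)\)")
XLR_FIELD_RE = re.compile(r"([A-Z]):(\d+)")   # "E:32/32" -> ('E', '32'); the "/32" is the total
INIT_RE = re.compile(r"init check got (\d+), expected (\d+)")
REBOOT_RE = re.compile(r"manual Sensor reboot required, reboot count = (\d+)")


def parse_xlr_check(line):
    """Return {'B': 32, 'C': 0, ...} from a palomarClusterRebootCheck line, else None."""
    m = XLR_RE.search(line)
    if not m:
        return None
    return {name: int(val) for name, val in XLR_FIELD_RE.findall(m.group(1))}


def triage(log_text):
    """Return findings, each a dict with 'kind' plus the evidence behind it."""
    findings = []
    for line in log_text.splitlines():
        if " EMER " not in line:
            continue   # the guide's signatures are all EMER-severity lines
        xlrs = parse_xlr_check(line)
        if xlrs is not None:
            bad = sorted(n for n, v in xlrs.items() if v != XLR_EXPECTED)
            if bad:
                findings.append({"kind": "xlr_not_initialized", "xlrs": bad,
                                 "action": "power cycle (not reboot); RMA if it recurs"})
            continue
        m = INIT_RE.search(line)
        if m:
            got, expected = int(m.group(1)), int(m.group(2))
            if got != expected:
                findings.append({"kind": "sibyte_init_incomplete", "got": got,
                                 "expected": expected,
                                 "action": "power cycle (not reboot); RMA if it recurs"})
            continue
        m = REBOOT_RE.search(line)
        if m:
            findings.append({"kind": "manual_reboot_required",
                             "reboot_count": int(m.group(1))})
    return findings


# Constructed from the guide's samples: one M-series XLR failure, one I-series init failure.
SAMPLE_LOG = """\
Dec 18 18:32:28 localhost tL: EMER sysctl|palomarClusterRebootCheck(B:32 C:0 D:32 E:32/32)
Dec 18 18:36:30 localhost tL: EMER sysctl|SYSTEM INIT CHECK FAILED: INCOMPLETE INIT STATE
Dec 18 18:36:30 localhost tL: EMER sysctl|manual Sensor reboot required, reboot count = 5
Aug 17 17:55:00 2009 tL: EMER sysctl|init check got 7, expected 9
Aug 17 17:55:00 2009 tL: EMER sysctl|Sensor self rebooting
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run triage() over the whole sensor.log captured from the Sensor: an XLR finding names the XLRs that did not reach 32, an init finding carries the got/expected pair, and the reboot-count finding shows how many automatic reboots the Sensor has already attempted.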
Check for monitoring ports failure
When there is a failure in a monitoring port, perform the following checks:
Task
1 Check for faulty cables and replace with known good ones.
2 If GBICs/SFPs/XFPs are used, verify whether these are McAfee certified.
3 Check speed/duplex settings through the Sensor CLI and ensure that they match those on the switch and the end device to which it is connected.
4 Check for CRC errors on the interface ports. If CRC errors are incrementing, they may be causing the link/port failure.
5 Verify with other working monitoring ports on the Sensor, if available.
Check for management ports failure
When there is a failure in a management port, perform the following checks:
Task
1 Check for faulty cables and replace with known good ones.
2 Check the speed/duplex settings through the Sensor CLI and ensure that they match those on the switch and the end device to which it is connected.
3 Check the monitoring speed using nobrk1n in shell mode.
4 Check whether the LED status is on or off.
Check for console port failure
If there is no output on the console, perform the following steps:
Task
1 Connect the console port of the Sensor to a Windows PC using a known good console cable and open a HyperTerminal window with the settings shown below:
Table 1-1 Hyper terminal window settings
Setting           I-series   M-series   NS-series
Bits per second   9600       38400      115200
Data Bits         8          8          8
Parity            None       None       None
Stop Bits         1          1          1
Flow control      None       None       None
2 If a blank screen is displayed, use a null modem cable and connect it to the AUX port of the Sensor.
3 RMA the Sensor if the blank screen is still displayed.
Check for Sensor LED or fan failure
To check for failures in the Sensor LEDs and fan, perform the following checks:
Task
1 If an LED on the Sensor's front panel is not turned on when it should be, check whether it is physically there by shining a light into the enclosure.
2 If the LED is present, check the Manager for errors (for example, a temperature warning or fan error) and rectify the error accordingly.
3 If there are no errors, then the LED could be faulty. RMA the Sensor at the customer's discretion.
4 If the fan status LED is off or displays amber, physically check whether the fan is running.
5 If the fan is not running, then RMA the Sensor.
  a Some Sensors have fans which are field replaceable. In that case, verify that the fan slot is working by placing a replacement (or known working) fan module into the bay.
  b If the fan still does not run, RMA the Sensor. If the fan runs, then RMA the faulty fan module.
The following table lists the SKU of the field-replaceable fan module for each Sensor model that has one.
Table 1-2
Model            SKU
M-2750           IAC-N450-FAN
M-2850           IAC-N450-FAN
M-2950           IAC-N450-FAN
M-3030, M-3050   IAC-MSER-FAN
M-4030           IAC-MSER-FAN
M-4050           IAC-MSER-FAN
M-6030           IAC-MSER-FAN
M-6050           IAC-MSER-FAN
M-8000           IAC-MSER-FAN
N-450            IAC-N450-FAN
N-550            IAC-N450-FAN
NS3100           IPS-NS3100
NS3200           IPS-NS3200
NS5100           IPS-NS5100
NS5200           IPS-NS5200
NS7100           IPS-NS7100
NS7200           IPS-NS7200
NS7300           IPS-NS7300
NS9100           IPS-NS9100
NS9200           IPS-NS9200
NS9300           IPS-NS9300
Check power supply in the Sensor
Perform the following checks, which are applicable to dual power supply Sensor models:
• I-series: I-2700, I-3000, I-4000 and I-4010
• M-series: All except M-1250 and M-1450
• All NS-series Sensors
Task
1 If the Sensor does not power on, replace the power supply with a known good spare power supply.
2 In case there are dual power supplies and the LED for a power supply turns from amber to green or turns off completely, check the dashboard for error messages. If a power supply error is seen, replace the faulty power supply with a known good power supply.
3 In case any of the following Sensors do not power up using a single power supply unit, then RMA the Sensor:
• I-1200
• I-1400
• I-2600
Check for flash corruption in the Sensor
Go through the process given below to check for flash corruption in the Sensor.
Figure 1-1 Flash Corruption
Perform flash recovery
Perform the following steps to do flash recovery:
Task
1 Download the netboot procedure to recover flash. The netboot instructions are available at https://menshen1.intruvert.com/image/; browse by model number.
2 If internal recovery fails, use external flash recovery (see KB50046).
3 If recovery from netboot fails, use the external recovery flash card to recover the Sensor. See KB50046 for recovering the Sensor from an external flash card.
4 If the external flash recovery also fails, then do an RMA.
Cache and memory errors
If the CLI prompt does not appear after reboot, perform the necessary checks if the following messages are displayed.
Error:
cp0_cerr_d == 840011a0 NO CAUSE, multi-err external
Action required:
RMA can be performed for the Sensor.

Error:
During boot-up the following message is seen on the console:
Error: Unable to locate a working CMD and/or SLV_CMD strobe configuration for the Type esc key to enter board setup
----- Configuring DRAM Channel 0 ----
Action required:
First perform a netboot. If the netboot fails, RMA can be performed for the Sensor.

Error:
During boot-up the following message is seen on the console:
Err - no DIMMs found.
Action required:
RMA can be performed for the Sensor.
Verify passive fail-open connectivity
The following checks can be performed to verify fail-open connectivity.
Task
1 Verify the Sensor connectivity with peer devices.
2 Verify the fail-open kit connectivity with known good cables to the Sensor and peer device.
3 If connectivity through the gigabit fail-open kit is not available, verify the Tx and Rx sides of the cables by checking for a red light (Tx cable) and no light (Rx cable). If they differ, swap on one side only.
4 If connectivity is not available, change the fail-open kit, including the controller card, with spare known good units.
Tasks suspended on Sibytes
Symptoms
Sensor reboots on its own.
Errors seen
The following error (or similar error) is seen in sensor.log.
Aug 26 13:26:28 2012 tL: EMER montsk 127.4.3.1 00172|TaskName(tPptTask) suspended...
Aug 26 13:26:31 2012 tL: EMER montor|SiByte 127.4.3.1 has a suspended task for 1 ticks!
Aug 26 13:26:31 2012 tL: EMER montor|Problem detected in a SiByte!
Aug 26 13:26:31 2012 tL: EMER montor|systemReboot(): 0, 0
Troubleshooting steps
1 Log in to the Sensor using nobrk1n and then telnet into the Sibytes.
2 Telnet to 127.4.x.1, where x = 1 to 8 depending on the Sensor model.
3 Run the check_sibyte_errors command. The output should display as shown below:
0x00100208D0: 0000-0000-81D8-3000BUSERR Bus Err Status Register
BUSERR Bus Err Status Register Bit Interpretation:
initiator: 0x0, cause: 0x30, responder:0x6, error_code:0x7, Multi Error:0x0
0x00100208C0: 0000-0000-0000-FF00:L2 ECC Counter Register
0x00100208C8: 0000-0000-0000-FF1B:Memory & I/O Error Counter Register
address map: 0x100208d0 -> 0xb00208d0, 0x100208c0 -> 0xb00208c0, 0x100208c8 -> 0xb00208c8
value = 90 = 0x5a = 'Z'
Below are the cases for performing RMA:
• error_code == 0x6
• error_code == 0x7
• Bits 8 to 15 of register 0x100208C0 (L2 ECC Counter Register) are non-zero.
• Bits 24 to 31 of register 0x100208C0 (L2 ECC Counter Register) are non-zero.
• Bits 8 to 15 of register 0x100208C8 (Memory & I/O Error Counter Register) are non-zero.
Bit 0 is on the right; move to the left to check the other bits.
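The RMA criteria above are bit tests on the register values that check_sibyte_errors prints, with bit 0 as the rightmost bit. The following is an added example, not McAfee's code or part of this guide, that parses the dump lines, takes error_code from the interpretation line, and reports which criteria are met; SAMPLE_OUTPUT is the guide's sample embedded as a constructed string, and applying the guide's rules to it reports three criteria (error_code 0x7 and the 0xFF in bits 8-15 of both counter registers). CLEAN_OUTPUT is a constructed all-zero counterpart.

```python
"""Apply the guide's check_sibyte_errors RMA criteria to saved output (added example)."""
import re

L2_ECC_ADDR = 0x00100208C0      # L2 ECC Counter Register
MEM_IO_ADDR = 0x00100208C8      # Memory & I/O Error Counter Register

# Dump line shape: "0x00100208C0: 0000-0000-0000-FF00:L2 ECC Counter Register"
REG_RE = re.compile(r"^0x([0-9A-Fa-f]+):\s*((?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{4})")
ERR_CODE_RE = re.compile(r"error_code:\s*0x([0-9A-Fa-f]+)")


def parse_registers(text):
    """Map register address -> 64-bit value for every dump line in the output."""
    regs = {}
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            regs[int(m.group(1), 16)] = int(m.group(2).replace("-", ""), 16)
    return regs


def bits(value, lo, hi):
    """Bits lo..hi inclusive of value, bit 0 being the rightmost (least significant)."""
    return (value >> lo) & ((1 << (hi - lo + 1)) - 1)


def rma_reasons(text):
    """Return the guide's RMA criteria that the output satisfies ([] if none)."""
    reasons = []
    m = ERR_CODE_RE.search(text)
    if m and int(m.group(1), 16) in (0x6, 0x7):
        reasons.append(f"BUSERR error_code == 0x{int(m.group(1), 16):x}")
    regs = parse_registers(text)
    l2 = regs.get(L2_ECC_ADDR)
    if l2 is not None:
        if bits(l2, 8, 15):
            reasons.append(f"L2 ECC Counter bits 8-15 = 0x{bits(l2, 8, 15):02x}")
        if bits(l2, 24, 31):
            reasons.append(f"L2 ECC Counter bits 24-31 = 0x{bits(l2, 24, 31):02x}")
    mem = regs.get(MEM_IO_ADDR)
    if mem is not None and bits(mem, 8, 15):
        reasons.append(f"Memory & I/O Error Counter bits 8-15 = 0x{bits(mem, 8, 15):02x}")
    return reasons


# The guide's sample output, embedded as a constructed string.
SAMPLE_OUTPUT = """\
0x00100208D0: 0000-0000-81D8-3000BUSERR Bus Err Status Register
BUSERR Bus Err Status Register Bit Interpretation:
initiator: 0x0, cause: 0x30, responder:0x6, error_code:0x7, Multi Error:0x0
0x00100208C0: 0000-0000-0000-FF00:L2 ECC Counter Register
0x00100208C8: 0000-0000-0000-FF1B:Memory & I/O Error Counter Register
"""

# Constructed clean output: no bus error code of interest and zeroed counters.
CLEAN_OUTPUT = """\
initiator: 0x0, cause: 0x0, responder:0x0, error_code:0x0, Multi Error:0x0
0x00100208C0: 0000-0000-0000-0000:L2 ECC Counter Register
0x00100208C8: 0000-0000-0000-0000:Memory & I/O Error Counter Register
"""

if __name__ == "__main__":
    print(rma_reasons(SAMPLE_OUTPUT))
```

Paste the output of check_sibyte_errors from each Sibyte into rma_reasons(); any non-empty result is one of the guide's RMA cases, and the message names the register and bit range so it can be quoted in the RMA request.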
2 Performance issues
Most performance issues are related to switch port configuration, duplex mismatches, link up/down
situations, and data link errors.
Contents
Sniffer trace
Data link errors
Sniffer trace
A Sniffer details packet transfer, and thus a Sniffer trace analysis can help pinpoint switch and McAfee®
Network Security Platform performance or connectivity issues when the issues persist after you have
exhausted the other suggestions in this document. Sniffer trace analysis reveals every packet on the
wire and pinpoints the exact problem.
Note that it may be important to obtain several Sniffer traces from different ports on different
switches, and that it is useful to monitor ("span") ports rather than spanning VLANs when
troubleshooting switch connectivity issues.
Data link errors
Many performance issues may be related to data link errors. Excessive errors usually indicate a
problem. For more information, see also Configuration of Speed and Duplex settings.
Half-duplex setting
When operating with a duplex setting of half-duplex, some data link errors such as FCS, alignment,
runts, and collisions are normal. Generally, a one percent ratio of errors to total traffic is acceptable
for half-duplex connections. If the ratio of errors to input packets is greater than two or three percent,
performance degradation may be noticeable.
In half-duplex environments, it is possible for both the switch and the connected device to sense the
wire and transmit at exactly the same time, resulting in a collision. Collisions can cause runts, FCS,
and alignment errors, which are caused when the frame is not completely copied to the wire, resulting
in fragmented frames.
Full-duplex setting
When operating at full-duplex, FCS, cyclic redundancy checks (CRC), alignment errors, and runt
counters should be minimal. If the link is operating at full-duplex, the collision counter is not active. If
the FCS, CRC, alignment, or runt counters are incrementing, check for a duplex mismatch. Duplex
mismatch is a situation in which the switch is operating at full-duplex and the connected device is
operating at half-duplex, or vice versa. The result of a duplex mismatch is extremely slow
performance, intermittent connectivity, and loss of connection. Other possible causes of data link
errors at full-duplex are bad cables, a faulty switch port, or software or hardware issues.
3 Determine false positives
This section lists methods for determining and reducing false positives.
Contents
Reduce false positives
Tune your policies
Reduce false positives
Your policy determines what traffic analysis your McAfee® Network Security Sensor (Sensor) will
perform. McAfee® Network Security Platform provides a number of policy templates to get you started
toward your ultimate goal: prevent attacks from damaging your network, and limit the alerts displayed
in the Attack Log page to those which are valid and useful for your analysis.
There are two stages to this process: initial policy configuration and policy tuning. Though these are tedious tasks, McAfee has extended its blocking options to include SmartBlocking, which only activates blocking when high-confidence signatures are matched, thus minimizing the possibility of false positives. Network Security Platform is replacing its present Recommended for Blocking (RFB) designation with Recommended for SmartBlocking (RFSB) because this new level of granularity enables McAfee to recommend many more attacks – the list of RFB attacks is a subset of the list of RFSB attacks.
The ultimate goal of policy tuning is to eliminate false positives and noise and avoid overwhelming
quantities of legitimate, but anticipated alerts.
Tune your policies
The default McAfee Network Security Platform policy templates are provided as a generic starting
point; you will want to customize one of these policies for your needs. So the first step in tuning is to
clone the most appropriate policy for your network and your goals, and then customize it. (You can
also modify a policy directly rather than modifying a copy.)
Some things to remember when tuning your policies:
• We ask that you set your expectations appropriately regarding the elimination of false positives and noise. A proper Network Security Platform implementation includes multiple tuning phases. False positives and excess noise are routine for the first 3 to 4 weeks. Once properly tuned, however, they can be reduced to a rare occurrence.
• When initially deployed, Network Security Platform frequently exposes unexpected conditions in the existing network and application configuration. What may at first seem like a false positive might actually be the manifestation of a misconfigured router or Web application, for example.
• Before you begin, be aware of the network topology and the hosts in your network, so you can enable the policy to detect the correct set of attacks for your environment.
• Take steps to reduce false positives and noise from the start. If you allow a large number of "noisy" alerts to continue to sound on a very busy network, parsing and pruning the database can quickly become cumbersome tasks. It is preferable to all parties involved to put energy into preventing false positives rather than into working around them. Exception objects are also an option: they let you have custom rule sets specific to your environment. You can disable all alerts that are obviously not applicable to the hosts that you protect. For example, if you use only Apache Web servers, you can disable IIS-related attacks.
False positives and noise
The mere mention of false positives always causes concern in the mind of any security analyst. However, false positives may mean quite different things to different people. In order to better manage security risks using any IDS/IPS device, it is very important to understand the exact meanings of the different types of alerts so that the appropriate response can be applied.
With Network Security Platform, there are three types of alerts which are often taken as "false positives":
• incorrectly identified events
• correctly identified events subject to interpretation by usage policy
• correctly identified events uninteresting to the user.
Incorrect identification
These alerts typically result from overly aggressive signature design, special characteristics of the user
environment, or system bugs. For example, typical users will never use nested file folders with a path
more than 256 characters long; however, a particular user may push the Windows' free-style naming
to the extreme and create files with path names more than 1024 characters. Issues in this category
are rare. They can be fixed by signature modifications or software bug fixes.
Correct identification — significance subject to usage policy
Events of this type include those alerting on activities associated with Instant Messaging (IM), Internet
Relay chat (IRC), and Peer to Peer programs (P2P). Some security policies forbid such traffic on their
network; for example, within a corporate common operation environment (COE); others may allow
them to various degrees. Universities, for example, typically have a totally open policy for running
these applications. Network Security Platform provides two means by which to tune out such events if
your policies deem these events uninteresting. First, you can define a customized policy in which these
events are disabled. In doing so, the Sensor will not even look for these events in the traffic stream to
which the policy is applied. If these events are of interest for most of the hosts except a few, creating
exception objects to suppress alerts for the few hosts is an alternative approach.
Correct identification — significance subject to user sensitivity (also known as noise)
There is another type of event which you may not be interested in, due to the perceived severity of the event. For example, Network Security Platform will detect a UDP-based host sweep when a given host sends UDP packets to a certain number of distinct destinations within a given time interval. Although you can tune this detection by configuring the threshold and the interval according to your sensitivity, it is still possible that some or all of the host IPs being scanned are actually not live. Some users will consider these alerts as noise; others will take notice because they indicate possible reconnaissance activity. Another example of noise would be if someone attempted an IIS-based attack against your Apache Web server. This is a hostile act, but it will not actually harm anything except wasting some network bandwidth. Again, a would-be attacker learns something he can use against your network: the fact that the attack failed can help zero in on the type of Web server you use. Users can also better manage this type of event through policy customization or installing attack filters.
Relevance analysis involves the analysis of the vulnerability relevance of real-time alerts, using the vulnerability data imported into the Manager database. The imported vulnerability data can be from Vulnerability Manager or other supported vulnerability scanners such as Nessus.
The noise-to-incorrect-identification ratio can be fairly high, particularly in the following conditions:
• the configured policy includes a lot of Informational alerts, or scan alerts which are based on request activities (such as the All Inclusive policy)
• deployment links where there is a lot of hostile traffic, such as in front of a firewall
• overly coarse traffic VIDS definition that contains very disparate applications, for example, a highly aggregated link in dedicated interface mode
Users can effectively manage the noise level by defining appropriate VIDS and customizing the policy accordingly. For dealing with exceptional hosts, such as a dedicated pentest machine, alert filters can also be used.
Determine a false positive versus noise
Some troubleshooting tips for gathering the proper data to determine whether you are dealing with a false positive or an uninteresting event:
• What did you expect to see? What is the vulnerability, if applicable, that the attack indicated by the alert is supposed to exploit?
• Ensure that you capture valid traffic dumps from the attack attempt (for example, have packet logging enabled and view the resulting packet log).
• Determine whether any applications are suspected of triggering the alert—which ones, which versions, and in what specific configurations.
If you intend to work with McAfee Technical Support on the issue, we ask that you provide the following information to assist in troubleshooting:
• If this occurred in a lab using testing tools rather than live traffic, please provide detailed information on the attack/test tool used, including its name, version, configuration and where the traffic originated.
• If this is a testing environment using a traffic dump replay, make sure that the traffic dumps are valid, TCP traffic follows a proper 3-way handshake, and so on.
• Also, please provide detailed information on the test configuration in the form of a network diagram.
• Export Alert Details and Packet Capture (within Attack Log).
• Be ready to tell Technical Support how often you are seeing the alerts and whether they are ongoing.
4 System fault messages
This section lists the system fault messages visible in the Manager Operational Status viewer,
organized by severity, with Critical messages first, then Errors, then Warnings, then Informational
messages.
You can view the faults from the Operational Status menu in Manager. For more information, see fault
messages for Vulnerability Manager Scheduler and Automatic report import using Scheduler, McAfee
Network Security Platform Integration Guide.
The fault messages you might encounter, their severity, and a description, including what action clears the fault, are described briefly. In many cases, the fault clears itself once the condition causing the fault is resolved. In cases where the fault does not clear, you must acknowledge or delete it to dismiss it.
For Sensor faults, go through Manager and Sensor faults. Similarly for NTBA issues, refer to Manager
and NTBA faults.
Contents
Manager faults
Sensor faults
NTBA faults
Manager faults
The Manager faults can be classified into critical, error, warning, and informational. The Action column
provides you with troubleshooting tips.
Manager critical faults
These are the critical faults for a Manager and Central Manager.
Fault
Severity
Description/Cause
Action
AD groups size
exceeded
Critical
Currently Manager-MLC
integration supports only 2,000
AD groups for NS-series and
Virtual IPS and 10,000 AD
groups for M-series which has
exceeded now. Sensor behavior
cannot be guaranteed, if these
numbers are not brought down.
Reduce the number of
admin domain user groups
to be within the specified
limit.
Approaching max
allowable table size
Critical
<Percentage value>% capacity.
Current largest table size:
<Table size value>. To ensure
successful database tuning,
Manager begins to drop alerts
and packet logs.
Please perform maintenance
operations to clean and tune
the database.
McAfee Network Security Platform 8.3
Troubleshooting Guide
33
4
34
System fault messages
Manager faults
Fault
Severity
Description/Cause
Action
AD groups size
limitation
Critical
Currently Manager-MLC
integration supports only {0}
AD groups. Sensor version {1}
cannot accommodate {2} AD
groups
Reduce the number of
groups in Active Directory.
Fault: Audit failed and Manager shutting down
Severity: Critical
Description/Cause: The Manager is not able to log an audit and is shutting down.
Action: Check the ems log to determine the reason for the audit failure.

Fault: Callback detectors deployment failure
Severity: Critical
Description/Cause: Cannot deploy the callback detectors to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the BOT DAT file to the Sensor. This can result from a network connectivity issue.

Fault: Cannot push down persisted Device configuration information
Severity: Critical
Description/Cause: The attempt by the Manager to deploy the configuration to device {0} failed during device re-initialization. The device configuration is now out of sync with the Manager settings. The device may be down. See the system log for details.
Action: The Manager cannot deploy the original device configuration during device re-initialization. This can also occur when a failed device is replaced with a new unit, and the new unit is unable to discover its configuration information.

Fault: Cannot pull up Sensor configuration MIB information from the Sensor again during a state transition from disconnected to active
Severity: Critical
Description/Cause: Device re-discovery failure. The upload of device configuration information for device {0} failed again after being triggered by the status polling thread. The device is not properly initialized.
Action: This fault occurs as the second part of the "device discovery failure" fault. If the condition of the device changes such that the Manager can again communicate with it, the Manager again checks whether the device discovery was successful. This fault is issued if discovery fails, so the device is still not properly initialized. Check that the device has the latest software image compatible with the Manager software image. If the images are incompatible, update the device image via a TFTP server.

Fault: Cannot start control channel service (key store)
Severity: Critical
Description/Cause: The Manager's key file is unavailable and possibly corrupted. This fault could indicate a database corruption.
Action: If you have a database backup file (and think it is not corrupted), you can attempt a Restore. If this does not work, you may need to manually repair the database. Contact McAfee Technical Support.

Fault: Cannot start control channel service (EMS certificate)
Severity: Critical
Description/Cause: Can't obtain the Manager certificate.
Action: If you have a database backup file (and think it is not corrupted), you can attempt a Restore. If this does not work, try executing the Database Maintenance action.
Fault: Cannot generate the SNMP association for the specified Sensor
Severity: Critical
Description/Cause: Failed to create command channel association. The device is not properly initialized. This error indicates a failure to create a secure connection between the Manager and the device, which can be caused by loss of time synchronization between the Manager and the device, or by the device not being completely online after a reboot.
Action: Restart the Manager and check the device operating status to ensure that the device's health and status are good.

Fault: Cluster software mismatch status
Severity: Critical
Description/Cause: The software versions on the cluster primary and cluster secondary are not the same.
Action: Check for errors in the software image download to the cluster.

Fault: Database backup failed
Severity: Critical
Description/Cause: The Manager was unable to back up its database. Error Message: <exception string>.
Action: This message indicates that an attempt to manually back up the database has failed. The most likely cause of failure is insufficient disk space on the Manager server; the backup file may be too big. Check your disk capacity to ensure there is sufficient disk space, and try the operation again.

Fault: Disk space warning
Severity: Critical
Description/Cause: Raised when the utilized disk space on the Manager server exceeds 89% of the capacity.
Action: Make sure that the drive where the Manager is installed has sufficient disk space. Prune and tune the database.
Example:
• Disk space used = 90% invokes a critical fault.

Fault: Dropping alerts and packet logs
Severity: Critical
Description/Cause: <Percentage value>% capacity. Dropping alerts and packet logs.
Action: Perform maintenance operations to clean and tune the database.

Fault: DXLService is down
Severity: Critical
Description/Cause: The DXLService is down due to one of the following:
• Failure to connect to the ePolicy Orchestrator Server.
• Failure to connect to the Data eXchange Layer.
• Failure to start the McAfee Agent service.
• Failure to start the Data eXchange Layer service.
Action (in the same order as the causes above):
• Check the connectivity between IPS and ePO, or check the logs.
• Check the connectivity between IPS and the Data eXchange Layer, or check the logs.
• Check the logs.
• Check the logs.

Fault: Fan error
Severity: Critical
Description/Cause: The fan has failed.
Action: Check the fan LEDs on the front of the device to ensure all internal fans are functioning. The fault clears when the temperature falls below its internal 'low' temperature threshold.
Fault: Firewall connectivity failure
Severity: Critical
Description/Cause: The connectivity between the device and the firewall is down.
Action: Check the Packet Capture configuration. This fault can occur in situations where, for example, the firewall machine is down, or the network is experiencing problems. Ping the firewall to see if the firewall is available. Contact your IT department to troubleshoot connectivity issues.

Fault: Gateway Anti-Malware engine initialization failed
Severity: Critical
Description/Cause: Gateway Anti-Malware Engine initialization failed due to an internal error.
Action: Check the logs. Try enabling the automatic signature update option, or download the signatures manually using the CLI.

Fault: Gateway Anti-Malware signature download failure
Severity: Critical
Description/Cause: One of the following:
• Gateway Anti-Malware Engine could not be initialized as the required signature files are not available.
• Gateway Anti-Malware signature download failed because the signature update failed.
• Gateway Anti-Malware signature download failed because the signature is not available.
• Gateway Anti-Malware signature could not be downloaded because of an update server connection issue.
• Gateway Anti-Malware signature validation failed.
• Gateway Anti-Malware signature could not be downloaded as the update server is not reachable.
• Gateway Anti-Malware signature could not be downloaded as DNS resolution failed for the Anti-Malware update server.
• Gateway Anti-Malware signature could not be downloaded because the proxy server is not reachable.
• Gateway Anti-Malware signature could not be downloaded because proxy authentication failed.
Action: Check the logs. Try enabling the automatic signature update option, or download the signatures manually using the CLI. Check the network connection. Configure appropriate credentials for the proxy.

Fault: Geo IP location file download failure
Severity: Critical
Description/Cause: Cannot push Geo IP location file to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the Geo IP Location file to a Sensor. Could result from a network connectivity issue.
Fault: GTI File Reputation DNS Error
Severity: Critical
Description/Cause: One of the following:
• Connectivity to Artemis server is restored.
• Error connecting to local DNS server.
• Malformed DNS response from Artemis server.
• Error connecting to Artemis server.
• Information not available in Artemis server.
• Sensor internal memory error on connecting to Artemis server.
• Sensor internal query error on connecting to Artemis server.
• Unknown internal error on connecting to Artemis server.
Action: You may need to correct the Artemis DNS configuration.

Fault: Hardware error
Severity: Critical
Description/Cause: This is a generic hardware-related error in the device.
Action: Check the device to learn more.

Fault: Incompatible custom attack
Severity: Critical
Description/Cause: One or more custom attack definitions are incompatible with the current signature set. Error message: <exception string>.
Action: The Custom Attack Editor indicates which definitions are incompatible. (Incompatibility could result from attack or signature overlap.) Update the definition in the Custom Attack Editor and try again.

Fault: Incompatible UDS signature
Severity: Critical
Description/Cause: A user-defined signature (UDS) is incompatible with the current signature set.
Action: You will need to edit your existing UDS attacks to make them conform to the new signature set definitions. Bring up the Custom Attack Editor (IPS Settings > Advanced Policies > Custom Attack Editor) and manually perform the edit / validation. This fault clears when a subsequent UDS compilation succeeds.

Fault: Link failure of <Sensor>
Severity: Critical
Description/Cause: The link between this port and the external device to which it is connected is down.
Action: This is a connectivity issue. Contact your IT department to troubleshoot network connectivity. This fault clears when communication is re-established.

Fault: Low JVM Memory
Severity: Critical
Description/Cause: The Manager is experiencing high memory usage. Available system memory is low.
Action: Reboot the Manager server.

Fault: Low Tomcat JVM Memory
Severity: Critical
Description/Cause: The Manager is experiencing high memory usage. Available system memory is low.
Action: Reboot the Manager server.
Fault: Packet log save failed
Severity: Critical
Description/Cause: The Manager was unable to access the packet log tables in the database. Error Message: <exception string>.
Action: An attempt to save packet log data to the database failed, most likely due to insufficient database capacity. Ensure that the disk space allocated to the database is sufficient, and try the operation again.

Fault: Power supply error
Severity: Critical
Description/Cause: There is a power supply error on the device. Restore the power supply to clear this fault.
Action: Check power to the outlet providing power to the power supply; if a power interruption is not the cause, replace the failed power supply.

Fault: <Sensor_name> configuration update failure
Severity: Critical
Description/Cause: The attempt by the Manager to deploy the configuration to device <Sensor_name> failed during device re-initialization. The device configuration is now out of sync with the Manager settings. The device may be down. See the system log for details.
Action: The Manager cannot push the original device configuration during device re-initialization. This can also occur when a failed device is replaced with a new unit, and the new unit is unable to discover its configuration information.

Fault: Sensor attack detection error
Severity: Critical
Description/Cause: The Sensor attack detection stopped on one or more engines. A device reboot may be required to resolve the issue.
Action: Message generated based on the Sensor attack detection error. A device reboot may be required.

Fault: Simultaneous FIPS role logon
Severity: Critical
Description/Cause: Users from all three FIPS mode roles (Audit Administrator, Crypto Administrator and Security Administrator) have logged onto the Manager at the same time.
Action: This message is informational.

Fault: Software error
Severity: Critical
Description/Cause: A recoverable software error has occurred within the device. A device reboot may be required.
Action: This error may require a reboot of the device, which may then resolve the issue causing the fault.

Fault: Temperature error
Severity: Critical
Description/Cause: Device temperature is outside its normal range.
Action: Check the fan LEDs on the front of the Sensor to ensure all internal device fans are functioning. This fault will clear when the temperature returns to its normal range.

Fault: SNMP query Device reboot required
Severity: Critical
Description/Cause: This fault can be due to two reasons: the SNMPD process restart count exceeded the maximum threshold, or there was a communication failure in the management processor.
Action: Manually reboot the Sensor, which may then resolve the issue causing the fault.

Signature set

Fault: IPS signature set import failure
Severity: Critical
Description/Cause: The attempt to import the IPS signature set into the Manager was not successful.
Action: A valid signature set must be present before any action can be taken in Network Security Platform.
Fault: Memory Error
Severity: Critical
Description/Cause: This is a generic memory-related error in the device.
Action: Check the device to learn more.

Fault: Signature set import failed
Severity: Critical
Description/Cause: The attempt to import the signature set into the Manager was not successful. (A valid signature set must be present on the Manager for it to work as expected.)
Action: A valid signature set must be present before any action can be taken in Network Security Platform.

Fault: Signature set download failure
Severity: Critical
Description/Cause: The attempt by the Manager to deploy the signature set to device <Sensor_name> failed. See the system log for details. (The Manager will continue to attempt deployment.)
Action: Occurs when the Manager cannot push the signature set file to a Sensor. Could result from a network connectivity issue.

Server communication

Fault: Communication failure with the Network Security Platform Update Server
Severity: Critical
Description/Cause: The Manager is unable to communicate with the Update Server. This fault clears when communication with the Update Server succeeds.
Action: Any connectivity issue with the Update Server will generate this fault, including DNS name resolution failure, Update Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the Manager server. If your Manager is connected to the Internet, ensure it has connectivity to the Internet.

Fault: Communication failure with the proxy server
Severity: Critical
Description/Cause: The Manager is unable to communicate with the proxy server. (This fault can occur only when the Manager is configured to communicate with a proxy server.)
Action: This fault clears when communication to the Update Server through the proxy succeeds.

Fault: Communication failure with the McAfee Update Server
Severity: Critical
Description/Cause: The Manager is unable to establish network connectivity with the Update Server. See system log for details.
Action: Any connectivity issue with the Update Server will generate this fault, including DNS name resolution failure, Update Server failure, proxy server connectivity failure, network connectivity failure, and even situations where the network cable is detached from the Manager server. This fault clears when communication with the Update Server is restored.

Manager Disaster Recovery (MDR)

Fault: Conflict in MDR IP address type
Severity: Critical
Description/Cause: Device detected a conflict with MDR IP Address type as <IPv4/IPv6> instead of type <IPv6/IPv4>.
Action: You may need to correct the MDR configuration.

Fault: Conflict in MDR Mode
Severity: Critical
Description/Cause: MDR mode: Manager IP address / MDR status.
Action: There is a problem with the MDR configuration. Check your MDR settings.
Fault: Conflict in MDR Pair IP address
Severity: Critical
Description/Cause: Device detected a conflict with MDR-Pair IP Address: Manager-IP address / MDR action.
Action: You may need to correct the MDR configuration.

Fault: Conflict in MDR Status
Severity: Critical
Description/Cause: Sensor found a conflict with MDR-Status; ISM-IPAddress / MDR-Status as <ISMAddress> / Up/Down and <PeerISMAddress> / Up/Down.
Action: There is a problem with the MDR configuration. Check your MDR settings.

Fault: Generic device error
Severity: Critical
Action: Review device status.

Fault: MDR - system time synchronization error
Severity: Critical
Description/Cause: The two Managers in an MDR pair must have the same operating system time. Ensure both Managers are in sync with the same time source. (Otherwise, the device communication channels will experience disconnects.)
Action: Ensure both Managers are in sync with the current time.

Fault: MDR pair changed <NSM Name or NSCM Name>
Severity: Critical
Description/Cause: The <NSM Name or NSCM Name> Manager was <previousPrimaryIpAddr/previousSecIpAddr>, and now the primary and secondary are <presentPrimaryIpAddr/presentSecIpAddr>.
Action: Correct the MDR pair.

Fault: The Manager <Manager_name> has switched to MDR mode, and this Manager cannot handle the change
Severity: Critical
Description/Cause: The Manager is found InActive (standby) for now; the peer Manager is either not reachable or does not have data.
Action: If the Manager that has moved to MDR mode is the Network Security Central Manager, then make the Central Manager which has all the Network Security Manager data Active, or reform MDR. If the Manager that has moved to MDR mode is a Network Security Manager, then make the Manager which has the Central Manager data Active, or make sure that the active Manager has the Central Manager configuration data.
Fault: The Manager_name has moved to MDR mode, and this Manager cannot handle the change
Severity: Critical
Description/Cause: The Central Manager server is in Standby mode. The Manager server which is configured by the Central Manager goes into secondary Standby mode after MDR creation, or before the data dump from primary to secondary takes place.
Action: If the Central Manager server has moved to Standby, then move the Central Manager with the latest Manager information to Active mode, or recreate the MDR pair.
Description/Cause: The Manager server configured by the Central Manager is in Active mode but is in a disconnected state and therefore cannot communicate with the Central Manager. If the Manager is reconnected and the Central Manager is in Standby mode, then the peer Central Manager does not have the Manager configuration.
Action: If the Manager has moved to Standby, then make the Manager with the Central Manager information Active, or make sure that the active Central Manager or Manager has the latest configuration data.

Fault: The Manager has moved to MDR mode, and this Manager cannot handle the change
Severity: Critical
Description/Cause: The Manager server is in Standby mode (MDR action) and the active peer Manager does not have the Central Manager information.
Action: If the Manager server has moved to Standby, then make the Central Manager with the latest Manager information Active, or reform MDR; if the Manager has moved to Standby, then make the Manager with the Central Manager information Active, or make sure that the active Central Manager or Manager has the latest configuration data.

Fault: There is conflict in the MDR configuration for the Manager <Manager_name>
Severity: Critical
Description/Cause: The configuration between an existing MDR pair (Manager 1 and Manager 2, both Managers configured as Central Manager) is disabled and a new MDR pair configuration has been created with Manager 2 and Manager 3. Manager 2 is in Standby mode and Manager 3 does not have the Central Manager configuration.
Action: Dissolve and recreate an MDR pair.

Fault: The MDR connection is down
Severity: Critical
Description/Cause: The communication from <Primary/Secondary> to <Secondary/Primary> is down.
Action: Look into the connection statuses of the systems and the Manager logs.
Vulnerability Manager configuration

Fault: Scheduled Vulnerability Manager vulnerability data import failed
Severity: Critical
Description/Cause: This message indicates that the vulnerability data import by the Scheduler from the Vulnerability Manager database has failed.
Action: Refer to the error logs for details.

Fault: Vulnerability data import from Vulnerability Manager failed
Severity: Critical
Description/Cause: Scheduled import of vulnerability data from the FoundStone database server into the ISM database table failed.
Action: This message is informational.
Fault: On demand scan failed
Severity: Critical
Description/Cause: Scan failed because the connection to the Vulnerability Manager Scan Engine was refused. <Connection has been reset by Foundstone Server. Unable to communicate with Foundstone Server. FoundScan Engine may not be reachable or Failed to resolve Fully Qualified Domain Name. SSL Handshake with FoundScan Engine Failed.>, <Please check if the FS API Service port has been blocked by Firewall or if valid port has been specified. Please check the ems log for more details. Try adding the engine host name entry to the DNS Server or try adding an entry for engine IP and host name in the hosts file located in windows\system32\drivers\etc. No Trusted Certificate found, Please check the Foundstone version and certificates used for communication. Please check if the FS API Service port has been blocked by Firewall or if valid port has been specified.>
Action: See the fault message.

Fault: Failed to import a non-MVM vulnerability assessment report
Severity: Critical
Description/Cause: The report file may not have been found, or is in an invalid format.

Advanced Threat Defense connectivity

Fault: Communication failure with the Advanced Threat Defense device
Severity: Critical
Description/Cause: The Manager is unable to establish connectivity with the Advanced Threat Defense (ATD) device. See system log for details. This fault will be cleared when the connection is restored.
Action: Any connectivity issue with the Advanced Threat Defense (ATD) will generate this fault, including ATD device failure, network connectivity failure, and even situations where the network cable is detached from the Manager server. This fault clears when communication with the ATD is restored.

Fault: Advanced Threat Defense certificate download failure
Severity: Critical
Description/Cause: Cannot push Advanced Threat Defense certificate to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the Advanced Threat Defense certificate to a device. Could result from a network connectivity issue.

Central Manager

Fault: Central Manager custom attack synchronization failed
Severity: Critical
Description/Cause: Port conflict in Central Manager custom attack definition synchronization. Port <port_name> is already in use. Free this port for Central Manager synchronization to succeed.
Action: Free this port for McAfee® Network Security Central Manager synchronization to succeed.
Fault: Deleted Manager information
Severity: Critical
Description/Cause: The Manager information <mgr_ip_address> has been deleted. Reason: <The action Stand alone to MDR is received where the peer is already having configured <standby_manager> and hence deleting, mgr info of <standby_managers> this LM will be no longer trusted>.
Action: See the fault message.

Fault: Manager <Manager_name> unreachable
Severity: Critical
Description/Cause: Connectivity with Manager <Manager_name> has been lost.
Action: Indicates that the Network Security Central Manager and the Network Security Managers cannot communicate with each other; the connection between the two may be down, or the Manager has been administratively disconnected. Troubleshoot connectivity issues: 1) check that a connection route exists between the Network Security Central Manager and the Network Security Manager; 2) access the Network Security Manager / Network Security Central Manager directly. This fault clears when the Manager detects the Sensor again.

Fault: Manager <Manager_name> MDR error
Severity: Critical
Description/Cause: Manager <Manager_name> detected in standby mode. The peer Manager <peer_Manager_name> is either not reachable or does not have <configuration> data. The Manager <Manager_name> used to be the <previousIp>/<previousPeerIp> MDR configuration and is now the <currentIp>/<currentIpsPeer> MDR configuration, and the primary Manager <currentIp> is not active and its peer <currentIpsPeer> does not have <ICC> configured.
Action: If the Manager which has moved to MDR mode is the Network Security Central Manager, then make the Central Manager which has all the Network Security Managers' data Active, or reform MDR; if the Manager which has moved to MDR mode is a Network Security Manager, then make the Manager which has the Central Manager data Active, or make sure that the active Manager has the Central Manager configuration data.

Fault: MDR configuration conflict for Manager <Manager_name>
Severity: Critical
Description/Cause: Manager <primary_mgr_ip> is in <standalone/MDR pair> mode, and its peer Manager <secondary_mgr_ip> is in <standalone/MDR pair> mode.
Action: Correct the MDR pair.

Fault: MDR pair changed
Severity: Critical
Description/Cause: This fault reports a change of MDR configuration for a Local Manager or Central Manager: the IP addresses of the underlying MDR pair for this Manager have changed. The fault gives the old and new IP addresses of the primary and secondary Manager.
Action: Correct the MDR pair.
Fault: The Manager <Manager_name> is not reachable
Severity: Critical
Description/Cause: Indicates that the Network Security Central Manager and the Manager cannot communicate with each other; the connection between the two may be down, or the Manager has been administratively disconnected.
Action:
1 Check that a connection route exists between the Network Security Central Manager and the Manager.
2 Access the Manager / Network Security Central Manager directly.
This fault clears when the Manager detects the Sensor again.

Fault: No communication exists between Central Manager and Manager.
Description/Cause: Indicates that the Central Manager server and the Manager cannot communicate with each other. The connection between the two may be down, or the Central Manager has been administratively disconnected.
Action:
1 Check that a connection route exists between the Central Manager and the Manager.
2 Access the Manager directly.
This fault clears when the Manager detects the Sensor again.

Fault: Network Security Central Manager UDS signature synchronization failed
Severity: Critical
Description/Cause: Port conflict in Network Security Central Manager UDS synchronization. Port already in use by UDS. Free this port for Central Manager synchronization to succeed.
Action: Free this port for Network Security Central Manager synchronization to succeed.

Fault: Trust request failure
Severity: Critical
Description/Cause: The trust request has failed. Error message: <exception string>. One of the following:
• The trust request has failed because Manager <Network Security Central Manager> may not be reachable. Confirm the Manager IP address and that its service is up and running.
• The trust request has failed because Manager <Network Security Central Manager> has not yet been configured.
• The trust request has failed because the <Network Security Central Manager> already has a trust using the configured name. The previous trust with <Network Security Central Manager> may represent this Manager or another. The solution is to delete and re-add the configuration with <Network Security Central Manager>.
• The trust request has failed because the configured Manager is in MDR mode, and no active <Network Security Central Manager> Manager has been detected with which to establish the trust.
• The trust request failed due to an internal error.
Action: See the additional text information.
Alert queue threshold alarms

Fault: Alert save failed
Severity: Critical
Description/Cause: The Manager was unable to access the alert tables in the database. Error Message: <exception string>.
Action: An attempt to save alerts to the database failed, most likely due to insufficient database capacity. Ensure that the disk space allocated to the database is sufficient, and try the operation again.

Fault: Alert capacity threshold exceeded
Severity: Critical
Description/Cause: <Percentage value>% capacity. Number of alerts: <Number of alerts>. (Database maintenance and tuning is required.)
Action: Perform maintenance operations to clean and tune the database.

Fault: Database connectivity problems
Severity: Critical
Description/Cause: The Manager is having problems communicating with its database. Error Message: <exception string>.
Action: Check that the database service is running and that connectivity is present.

Fault: Database connectivity lost
Severity: Critical
Description/Cause: The Manager has lost connectivity with its database. Error Message: <exception string>.
Action: Check the database connectivity.

Fault: Database integrity error
Severity: Critical
Description/Cause: Unable to locate index file for table: <index_file_name>.
Action: Repair the corrupt database tables.
Fault: Exceeding alert capacity threshold
Severity: Critical
Description/Cause: As with the "Approaching alert capacity threshold" fault message, this message indicates the percentage of space occupied by alerts in the database. This message appears once you have exceeded the alert threshold specified in Manager | Maintenance.
Action: Perform maintenance operations to clean the database. Delete unnecessary alerts, such as alerts older than a specific number of days. Failure to create additional space could cause undesirable behavior in the Manager.

Licensing

Fault: License expires soon
Severity: Critical
Description/Cause: Indicates that your Network Security Platform license is about to expire; this fault first appears 7 days prior to expiration.
Action: Contact [email protected] for a current license. This fault clears when the license is current. Please contact Technical Support or your local reseller.

Fault: License expired
Severity: Critical
Description/Cause: Indicates that your Network Security Platform license has expired.
Action: Contact [email protected] for a current license. This fault clears when the license is current.

Fault: Virtual IPS Sensor License non-compliance
Severity: Critical
Description/Cause: When the number of virtual IPS Sensors installed exceeds the number of licenses purchased, this fault appears in the Manager.
Action: Import the required licenses into the Manager before installation, or contact Technical Support or your local reseller.

Fault: Manager does not have enough licenses to manage the current number of virtual IPS Sensors
Severity: Critical
Description/Cause: The number of licenses needed to become compliant.
Action: Contact Technical Support or your local reseller to obtain a license.

McAfee Cloud Threat Detection (CTD)

Fault: Invalid CTD subscription
Severity: Critical
Description/Cause: File submission attempts to the McAfee CTD advanced malware engine are currently rejected because the activation key used for CTD integration is not associated with a valid customer subscription.
Action: Correct the subscription in the ePO Cloud console and import a new activation key into the Manager.

Fault: Expired CTD subscription
Severity: Critical
Description/Cause: File submission attempts to the McAfee CTD advanced malware engine are currently rejected because the activation key used for CTD integration is associated with an expired subscription.
Action: Correct the subscription in the ePO Cloud console and import a new activation key into the Manager.

Fault: CTD file submission limit reached
Severity: Critical
Description/Cause: The daily limit for file submissions to the McAfee CTD advanced malware engine has been reached. Daily Limit: {0}. Actual Submissions: {1}.
Action: An additional license may be required.
Manager error faults
These are the error faults for a Manager and Central Manager.

Fault: Anti-virus DAT file error
Severity: Error
Description/Cause: A device is detecting an error on av-dat file segment <segment_id>. The segment error cause is <unknown cause>, and the download type is <init/update>.
Action: Make sure that the Sensor is online and in good health. The Manager will make another attempt to push the file to the Sensor. This fault will clear when the av-dat file is successfully pushed to the Sensor.

Fault: Device in bad health
Severity: Error
Description/Cause: Check the running status of device <device_name>. This fault occurs with any type of device software failure. (It usually occurs in conjunction with a software error fault.)
Action: If this fault persists, we recommend that you perform a Diagnostic Trace and submit the trace file to Technical Support for troubleshooting.

Fault: ePO Server Connection Error
Severity: Error
Description/Cause: The Manager has no connection to the configured ePO server.
Action: Indicates that the Manager has no connection to the configured ePO server. This can be due to network connectivity issues, incorrect credentials, or incorrect configuration. Refer to the ePO integration documentation for more information.

Fault: Export of custom policy error
Severity: Error
Description/Cause: Error: "Script takes long time". Custom policy export always fails when using Internet Explorer 10 in combination with Windows Server 2008/2012.
Action: Disable Internet Explorer Enhanced Security Configuration. To disable it, go to Control Panel | Add or Remove Programs | Add/Remove Windows Components; the Windows Components Wizard window opens. Select Internet Explorer Enhanced Security Configuration and click Next. Click Stop the script.

Fault: Firewall filter application error
Severity: Error
Description/Cause: Error applying firewall filter <FILTER: [AttackID=<attackId>] [VidsID=<vidsId>] [SrcIP=<srcIP>] [DstIP=<dstIP>] [Port=<port>] [Protocol=<protocol>] [type=<typeString>]>. An attempt to apply this firewall filter from the device to the firewall has failed. Failure reason: <Exceed Max Number of Filters | Error Applying Filter | Timeout During Adding Filter | Unknown Host Isolation Error#>.
Action: Check your firewall configuration. If possible, increase the maximum number of available filters. Ensure connectivity between the Sensor and the firewall.
IP: IPS quarantine
Error
block nodes exhausted
MLC Server
Connection Error
Error
Action
When the number of quarantine
rules exceed the permitted limit, the
Central Manager raises a fault
message to the Manager when the
number of quarantine rules exceeds
the maximum permitted limit. This
can be viewed as an alert in the
Attack Log page.
For more information on
quarantine and remediation
functionality, see Quarantine
settings.
Manager has no connection to
configured MLC server.
Indicates that the Manager
has no connection to the
configured MLC server. This
can be due incorrect
certificate import, network
connectivity issues or issues
internal to the MLC server.
Refer to the MLC integration
documentation for more
information.
Indicates that the Manager
has reached the limit
(default of 100,000) of
alerts that can be queued
for storage in the database.
Alerts are being detected by
your Sensor(s) faster than
the Manager can process
them. This is evidence of
extremely heavy activity.
Check the alerts you are
receiving to see what is
causing the heavy traffic on
the Sensor(s).
You can have up to
1000 Quarantine rules
for an IPv4 addresses,
and up to 500
Quarantine rules for
IPv6 addresses.
Mail server and queue
48
Alert queue full
Error
The Manager has reached its limit
<queue_size_limit> for alerts that
can be queued for storage in the
database. (<no_of_alerts> alerts
dropped)
Fault: E-mail server unreachable
Severity: Error
Description/Cause: Connection attempt to e-mail server <mail server> failed. Error: <Messaging Exception String>.
Action: This fault indicates that the SMTP mailer host is unreachable, and occurs when the Manager fails to send an email notification or a scheduled report. This fault clears when an attempt to send the email is successful.

Fault: Packet log queue full
Severity: Error
Description/Cause: The Manager packet log queue has reached its maximum size of <pktlog_queue_size_limit>. (<no_of_pktlogs_dropped> packets)
Action: The Manager packet log queue has reached its maximum size (default 200,000 packets), and is unable to process packets until there is space in the queue. Packets are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the packets you are receiving to see what is causing the heavy traffic on the Sensor(s).
Fault: (blank in source)
Severity: Error
Description/Cause: The Manager packet log queue has reached its maximum size (default 200,000 alerts), and is unable to process packet logs until there is space in the queue.
Action: This is evidence of extremely heavy activity. Check the packet logs you are receiving to see what is causing the heavy traffic on the Sensor. Also see the suggested actions for the alert Unarchived, queued alert count full.

Fault: Packet capturing error
Severity: Error
Description/Cause (one of the following):
• The device detected an error connecting to the SCP server while attempting to transfer a packet capture file.
• The device is unable to send the packet capture file via SCP.
• The device has stopped capturing packets due to insufficient internal memory.
• The device experienced an internal error while performing the packet capture.
• The device is unable to authenticate with the target server to transfer a packet capture file.
Action: Device shall attempt to automatically recover. Check Packet Capture configuration.

Fault: Queue size full
Severity: Error
Description/Cause: The Manager alert queue has reached its maximum size (default 200,000 alerts), and is unable to process alerts until there is space in the queue. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity.
Action: Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Fault: (blank in source)
Severity: Error
Description/Cause: The Manager alert slow consumer (SNMP Trap forwarder) queue has reached its maximum size of alerts dropped)
Action: The Manager alert slow consumer (SNMP Trap forwarder) queue has reached its maximum size, and is unable to forward alerts until there is space in the queue. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).

Fault: Syslog Server unreachable
Severity: Error
Description/Cause: Connection attempt to Syslog server <server address> failed. Error: <Syslog TCP connection failed>.
Action: This fault indicates that the Syslog Server is unreachable, and occurs when the Manager fails to send a syslog notification. This fault clears when an attempt to send the syslog is successful.
Fault: Unarchived, queued packet log count full
Severity: Error
Description/Cause: Indicates that the Manager has reached the limit (default of 100,000) of packet logs that can be queued for storage in the database. Also indicates the number of dropped packet logs.
Action: Indicates that the Manager has reached the limit (default of 100,000) of packets that can be queued for storage in the database. Packets are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity. Check the packets you are receiving to see what is causing the heavy traffic on the Sensor(s).

Update device configuration

Fault: Device configuration update failed
Severity: Error
Description/Cause: A Device configuration update failed to be pushed from the Manager server to the Sensor.
Action: Please see the ems.log file to isolate the reason for failure.

Alert capacity monitor

Fault: Approaching alert capacity threshold
Severity: Error
Description/Cause: <Percentage_value>% capacity. Number of alerts: <number_of_alerts>. (Database maintenance and tuning is recommended.)
Action: Please perform maintenance operations to clean and tune the database.

Fault: Approaching alert capacity
Severity: Error
Description/Cause: Current database size is <x> GB and disk capacity is <y>.

Alert queue threshold alarms

Fault: Alert pruning failure
Severity: Error
Description/Cause: The Manager was unable to prune alerts and packet logs during normal maintenance. Error Message: <exception string>.
Action: Check your Database Connections.

Device upload scheduler

Fault: Scheduled callback detector deployment failure
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled BOT DAT deployment to the device <Sensor_name>.
Action: Indicates that the Manager was unable to perform the scheduled BOT DAT deployment to the Sensor. This is because of network connectivity between the Manager and the Sensor, or an invalid DAT file. This fault clears when an update is sent to the Sensor successfully.

Fault: Scheduled IPS signature set deployment failure
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled signature set deployment to the device. Error Message: <exception string>.
Action: This fault can indicate problems with network connectivity between the Manager and the Sensor, incompatibility between the update set and the Manager software, compilation problems with the signature update set, or an invalid update set. This fault clears when an update is sent to the Sensor successfully.

Real-time update scheduler
Fault: Real-time Scheduler - signature set update from Manager to Sensor failed
Severity: Error
Description/Cause: Unable to make scheduled signature set update from the Manager to Sensor.
Action: This fault can indicate problems with network connectivity between the Manager and the Sensor. This fault clears when a signature update is applied successfully.

Fault: Scheduled real-time update from Update Server to Manager failed
Severity: Error
Description/Cause: Unable to make scheduled update of Manager signature sets. This fault can indicate, for example, problems with network connectivity between the Update Server and the Manager or between the Manager and the Sensor; invalid update sets; or update sets that were not properly signed.
Action: This fault clears when a signature update is applied successfully.

Fault: Scheduled BOT DAT signature set download failure
Severity: Error
Description/Cause: The Manager is unable to perform the scheduled BOT DAT signature set download from the GTI Server. Error Message: <exception string>.
Action: This fault can indicate problems with network connectivity between the GTI Server and the Manager, or an invalid BOT DAT file. This fault clears automatically once a new signature set update is successfully installed.

Fault: Scheduled IPS signature set download failure
Severity: Error
Description/Cause: The Manager is unable to perform the scheduled signature set download from the Update Server. Error Message: <exception string>.
Action: This fault can indicate problems with network connectivity between the Update Server and the Manager; invalid update sets; or update sets that were not properly signed. This fault clears when a signature update is applied successfully.

Fault: Queue size full
Severity: Error
Description/Cause: The Manager alert queue has reached its maximum size (default 200,000 alerts), and is unable to process alerts until there is space in the queue. Alerts are being detected by your Sensor(s) faster than the Manager can process them. This is evidence of extremely heavy activity.
Action: Check the alerts you are receiving to see what is causing the heavy traffic on the Sensor(s).
Manager warning faults
These are the warning faults for a Manager and Central Manager.

Fault: Disk Space Warning
Severity: Warning
Description/Cause: When the utilized disk space on the Manager server is between 80% and 89%.
Example:
• Used disk space = 80% invokes a warning.
• Used disk space = 79% does not result in any fault.
Action: Make sure that the drive where the Manager is installed has sufficient disk space.

Fault: Failed to backup IDS Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Delete previous versions.

Fault: Failed to backup IDS Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Please contact technical support or local reseller.

Fault: Failed to backup Recon Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Please contact technical support or local reseller.

Fault: Failed to backup Recon Policy
Severity: Warning
Description/Cause: Failed to backup Policy.
Action: Delete previous version.

Fault: Initiating Audit Log file rotation
Severity: Warning
Description/Cause: The Audit Log capacity of the Manager was reached, and the Manager will begin overwriting the oldest records with the newest records (i.e. first in first out). The fault indicates the number of records that have been written to the audit log; an equal number of audit log records are now being overwritten.
Action: This fault will be raised after a configured number of records have been written. No action is required. The capacity is configured in the iv_emsproperties table in MySQL; this option can be turned off. If this feature is enabled, when disk capacity is reached or audit log capacity is reached, then Audit Log rotation is initiated.

Fault: Invalid Malware File Archive Storage Settings
Severity: Warning
Description/Cause: The available free disk space on the Manager is less than the disk space required to support the current malware storage settings.
Action: Reduce the maximum disk space allowed for one or more file types.

Fault: MLC IP - User mapping/User count exceeds limit
Severity: Warning
Description/Cause: Currently, NSM-MLC integration supports only 100000 IP-user mappings and 75000 users. One of these has been exceeded, so the device behavior cannot be guaranteed until these numbers are brought down.
Action: Check the MLC server configured with this Manager. Consider reducing the number of users/computers that are monitored by MLC.

Fault: Packet capture complete
Severity: Warning
Description/Cause: The device is near capacity. Packet captures might not capture all packets.
Action: Check Packet Capture configuration and restart if required.

Fault: Policy Update Failed
Severity: Warning
Description/Cause: Failed to update the following policies during Signature Set import. Please edit the policy to fix the issue.
Action: Please edit the policy to fix the issue.

Fault: System startup in progress; alerts being restored
Severity: Warning
Description/Cause: System startup restored alerts from the archive file. Attack Log page may not show all alerts.
Action: Attack Log page may not show all alerts.

Vulnerability Manager configuration

Fault: IPS policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>.
Action: See ems logs.

Fault: IPS policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>. The maximum limit of <value> has been reached.
Action: Delete previous versions.

Fault: Reconnaissance policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>.
Action: See ems logs.

Fault: Reconnaissance policy backup failure
Severity: Warning
Description/Cause: Failed to back up policy <policy_name>. The maximum limit of <value> has been reached.
Action: Delete previous versions.

Fault: A non-MVM vulnerability assessment report has been imported with warnings
Severity: Warning
Action: The timestamp on the newly-imported report is the same as or older than the previously imported report. Confirm that your process to copy new report files to the Manager file system is functioning properly.
Policy synchronization

Fault: Policy synchronization aborted
Severity: Warning
Description/Cause: Policy synchronization has aborted because concurrent processes are running on the Manager.
Action: Policy Synchronization aborted because concurrent processes are running on the Network Security Manager.

Fault: Policy Synchronization aborted because concurrent processes are running on the Manager Server
Severity: Warning
Description/Cause: Unable to synchronize policy because concurrent processes are running on the Manager Server.
Action: Try again later.

Scheduled configuration report

Fault: Scheduled reports error
Severity: Warning
Description/Cause: Report generation failed for report template <report_template_name> because one or more of the selected resources is no longer available.
Action: Edit and save the disabled template in Report Generation.

Manager Disaster Recovery (MDR)

Fault: MDR - IPv4 and IPv6 address configuration
Severity: Warning
Description/Cause: You have specified only the peer Manager <IPv4/IPv6> address. So you cannot add any <IPv4/IPv6> devices to the current Manager, nor will the existing <IPv4/IPv6> devices be able to communicate with the peer Manager.
Action: If a device needs to communicate over IPv6 with the Manager and the Manager is in MDR mode, then MDR has to be reconfigured to include the IPv6 address of the peer Manager.

Manager Reboot

Fault: Manager shutdown was not graceful
Severity: Warning
Description/Cause: The Manager was not shut down gracefully. (Database tuning is recommended.)
Action: Perform database tuning (dbtuning) to fix possible database inconsistencies that may have resulted. Tuning may take a while, depending on the amount of data currently in the database.

McAfee Cloud Threat Detection (CTD)

Fault: CTD file submission rate too high
Severity: Warning
Description/Cause: One or more file submissions to the McAfee CTD advanced malware engine were rejected because the file submission rate is too high.
Action: An additional license may be required.
Manager informational faults
These are the informational faults for a Manager and Central Manager.

Fault: Alert Archival state has changed
Severity: Informational
Description/Cause: The alert archival process has started.
Action: This message is for user information. No action required.

Fault: Command to invoke upload internal hosts process to NSM
Severity: Informational
Description/Cause: The internal host information is sent to the Manager.
Action: This message is for user information. No action required.

Fault: Cluster software initialization status
Severity: Informational
Description/Cause: Device software has been initialized.
Action: On initialization failure, check if cluster cross-connects are present as documented.

Fault: Custom attacks are being saved to the Manager
Severity: Informational
Description/Cause: One or more custom attack definitions are in the process of being saved from the Custom Attack Editor to the Manager.
Action: This message is for user information. No action required.

Fault: Database backup in progress
Severity: Informational
Description/Cause: A database backup is in progress.
Action: This message is informational.

Fault: Data dump retrieval from peer has been completed successfully
Severity: Informational
Description/Cause: The data dump retrieval from peer has been completed successfully.
Action: This message is for user information. No action required.

Fault: Data dump retrieval from peer is in progress
Severity: Informational
Description/Cause: The data dump retrieval from peer is in progress.
Action: This message is for user information. No action required.

Fault: Database backup failure
Severity: Informational
Description/Cause: Unable to backup database tables.
Action: This message indicates that an attempt to manually back up the database has failed. The most likely cause of failure is insufficient disk space on the Manager server; the backup file may be too big. Check your disk capacity to ensure there is sufficient disk space, and try the operation again.

Fault: Manager Request is not from Trusted IP Address
Severity: Informational
Description/Cause: The Manager Request is not from a Trusted IP Address.
Action: Ensure the Peer Manager is not already in MDR with another Manager.
Fault: Network Security Platform-defined UDS overridden by signature set.
Severity: Informational
Description/Cause: A Network Security Platform-defined UDS has been incorporated in a new signature set and has been removed from the Custom Attack Editor.
Action: This message is informational and indicates that an emergency McAfee-provided UDS signature has been appropriately overwritten as part of a signature set upgrade.

Fault: Packet capture file transfer status
Severity: Informational
Description/Cause (one of the following):
• The device has started sending the packet capture file via SCP.
• The device has completed sending the packet capture file via SCP.
• The device has stopped capturing packets because it has reached the configured maximum capture file size.
• The device has stopped capturing packets because it has reached the configured maximum duration.
• The device is ready to transfer the packet capture file to the Manager.
Action: This message is informational.

Fault: Packet Log Archival state has changed
Severity: Informational
Description/Cause: Indicates that the packet log archival state has changed.
Action: This message is for user information. No action required.

Fault: Scheduler - Signature download from Manager to Sensor failed
Severity: Informational
Description/Cause: Scheduler - Signature download from Manager to Sensor has failed.
Action: This message is for user information. No action required.

Fault: Sensor software image or signature set import in progress
Severity: Informational
Description/Cause: A Sensor software image or signature set file is in the process of being imported from the Network Security Platform Update Server to the Manager server.
Action: This message is for user information. No action required.

Fault: (blank in source)
Severity: Informational
Action: This message is for user information. No action required.

Fault: Signature set update failed
Severity: Informational
Description/Cause: Signature set update failed while transferring from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Fault: Signature set update not successful
Severity: Informational
Description/Cause: The attempt to update the signature set on the Manager was not successful, and thus no signature set is available on the Manager.
Action: You must re-import a signature set before performing any action on the Manager. A valid signature set must be present before any action can be taken in Network Security Platform.

Fault: Switchback has been completed, the primary Manager has got the control of Sensors now
Severity: Informational
Description/Cause: N/A
Action: This message is for user information. No action required.
Fault: System startup in process - alerts being restored
Severity: Informational
Description/Cause: The Manager is starting up and restoring alerts from the device archive file. Attack Log page may not show all alerts until the Manager is fully online.
Action: You need to restart the Manager to view the restored alerts in the Attack Log page.

Fault: Syslog Forwarder is not configured for the Admin Domain: <Admin Domain Name> to accept the ACL logs.
Severity: Informational
Description/Cause: ACL logging is enabled, but no Syslog server has been configured to accept the log messages.
Action: Configure a Syslog server to receive forwarded ACL logs.

Fault: Successful connection to McAfee update server for updates.
Severity: Informational
Description/Cause: Successfully connected to the McAfee update server for updates.
Action: This message is informational.

Fault: Successful scheduled DAT file download
Severity: Informational
Description/Cause: The scheduled DAT file download from the McAfee GTI Server to the Manager was successful.
Action: This message is for user information, no action required.

Fault: UDS export to the Manager in progress
Severity: Informational
Description/Cause: One or more UDS are in the process of being exported from the Custom Attack Editor to the Manager server.
Action: This message is for user information. No action required.

Vulnerability Manager configuration

Fault: Successful vulnerability data import from Vulnerability Manager
Severity: Informational
Description/Cause: Vulnerability data successfully imported from FoundStone database server into ISM database table.
Action: This message is informational.

Fault: (blank in source)
Description/Cause: No vulnerability records found for import from FoundStone database.

Fault: Scheduled Vulnerability Manager vulnerability data import failed
Severity: Informational
Description/Cause: Scheduled Vulnerability Manager vulnerability data import has failed.
Action: Refer to error logs for details.

Fault: Vulnerability data import from McAfee Vulnerability Manager database was successful
Severity: Informational
Description/Cause: This message indicates that the vulnerability data import from the McAfee Vulnerability Manager database is successful. For more information on importing vulnerability data reports in the Manager, see Importing Vulnerability Scanner Reports, McAfee Network Security Platform Integration Guide.

Fault: Successful import of a non-MVM vulnerability assessment report
Severity: Informational
Action: This message is informational.

Policy synchronization

Fault: Deleted NSCM rule set in use
Severity: Informational
Description/Cause: Rule set is currently assigned to one or more resources. Create a clone before deletion.
Action: Remove the reference and try again.

Fault: Deleted NSCM attack filter in use
Severity: Informational
Description/Cause: Attack filter is currently assigned to one or more resources. Create a clone before deletion.
Action: Remove the reference and try again.

Fault: Deleted NSCM policy in use
Severity: Informational
Description/Cause: Policy is currently assigned to one or more resources. Create a clone before deletion.
Action: Remove the reference and try again.

Central Manager
Fault: Deleted Network Security Central Manager Exception object is applied on resource
Severity: Informational
Description/Cause: Exception object is applied on resource(s). Create a clone before deleting.
Action: Deleted Network Security Central Manager Exception object is applied on resource(s).

Fault: Deleted Central Manager policy is applied on resources
Severity: Informational
Description/Cause: Deleted Central Manager policy is in use.
Action: Remove the reference and try again.

Fault: (blank in source)
Description/Cause: Policy <policy name> is applied on resources. Create clone <policy name> before deleting.
Action: Remove the reference and try again.

Fault: Reset to standalone has been invoked; the Primary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the Primary Manager is standalone and is in control of Sensors.
Action: This message is for user information, no action required.

Fault: Reset to standalone is invoked; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the Secondary Manager is standalone and is in control of Sensors.
Action: This message is for user information, no action required.

Fault: Reset to standalone is invoked; the <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the current Manager is standalone and in control of Sensors.
Action: This message is for user information. No action required.

Fault: Reset to standalone has been invoked; the peer <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: A "Reset to Standalone" has been invoked; the Peer Manager is standalone and in control of Sensors.
Action: This message is for user information. No action required.

Alert queue threshold alarms

Fault: Alert archival in progress
Severity: Informational
Description/Cause: The Manager is archiving alerts.
Action: Wait for the Alert archival to complete.

Fault: Packet log archival in progress
Severity: Informational
Description/Cause: The Manager is archiving packet logs.
Action: Kindly wait for the Packet Log archival to complete.

Manager Disaster Recovery (MDR)

Fault: Manager version mismatch. Primary Manager has latest version
Severity: Informational
Description/Cause: The two Managers in an MDR configuration must have the same Manager software version installed. The Primary Manager software is more recent than that of the Secondary Manager.
Action: Ensure the two Managers run the same software version.

Fault: Manager version mismatch. Secondary Manager has latest version
Severity: Informational
Description/Cause: The two Managers in an MDR configuration must have the same Manager software version installed. The Secondary Manager software is more recent than that of the Primary Manager.
Action: Ensure the two Managers run the same software version.

Fault: MDR synchronization in progress
Severity: Informational
Description/Cause: The synchronization from the peer Manager is in progress.
Action: This message is for user information. No action required.
Fault: MDR synchronization failure
Severity: Informational
Description/Cause: There was a problem while retrieving data from the peer Manager; aborting the synchronization process.
Action: Check whether the peer Manager machine is reachable from this machine.

Fault: MDR - Manager <Central Manager/Manager> switched from <Standalone/MDR> to <MDR/Standalone> mode
Severity: Informational
Description/Cause: Manager <(mgr_name) OR (ICC) (mgr_name)> is taking the control.
Action: See the fault message.

Fault: MDR manual switch over successful; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery, initiated via a manual switchover, has completed successfully. The Secondary Manager is now in control of Sensors.
Action: This message is for user information. No action required.

Fault: MDR automatic switchover has been completed; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery switchover has been completed; the Secondary Manager is in control of Sensors.
Action: Failover has occurred; the Secondary Manager is now in control of the Sensors. Troubleshoot problems with the Primary Manager and attempt to bring it online again. Once it is online again, you can switch control back to the Primary.

Fault: MDR configuration information retrieval from Primary Manager successful
Severity: Informational
Description/Cause: The Manager Disaster Recovery Secondary Manager has successfully retrieved configuration information from the Primary Manager.
Action: This message is for user information. No action required.

Fault: MDR forced switch over has been completed; the Secondary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery is completed via a manual switchover. The Secondary Manager is now in control of Sensors.
Action: This message is for user information, no action required.

Fault: MDR operations have been resumed
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been resumed. Failover functionality is again available.
Action: This message is for user information, no action required.

Fault: MDR operations have been suspended
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been suspended. No failover will take place while MDR is suspended.
Action: This message is for user information, no action required.

Fault: MDR switchback has been completed; the Primary <Manager/Central Manager> is in control of <Sensors/Manager>
Severity: Informational
Description/Cause: Manager Disaster Recovery switchback has been completed; the Primary Manager has regained control of Sensors.
Action: This message is for user information, no action required.

Fault: (blank in source)
Description/Cause: The Manager <mngr_name> is <Primary/Secondary> and its peer Manager, <peer_mgr_ip_addr>, is <Primary/Secondary>.
Fault: MDR pair is changed
Severity: Informational
Description/Cause: McAfee Network Security Central Manager (Central Manager) has an MDR pair created and the Manager is in disconnected mode. If the Central Manager MDR pair is dissolved and recreated, making the existing primary Manager the secondary Manager and the existing secondary Manager the primary Manager, the fault is raised.
Action: Dissolve and re-create an MDR pair.

Fault: Network Security Manager Type mismatch
Severity: Informational
Description/Cause: The two Managers in an MDR configuration must have the same Manager Type.
Action: Ensure both Managers are of the same Type (Network Security Central Manager or Network Security Manager).

Fault: Successful MDR synchronization from <Network Security Central Manager/Network Security Manager>
Severity: Informational
Description/Cause: The secondary <Central Manager/Manager> has successfully retrieved configuration information from the primary <Central Manager/Manager>.
Action: This message is informational.

Fault: Successful MDR switchback. (Primary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The MDR switchback has completed without error. (The primary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: Successful MDR manual switchover. (Secondary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The administrator-initiated MDR switchover has completed without error. (The secondary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: MDR - Reset to standalone invoked
Severity: Informational
Description/Cause: The MDR pair has been reset to standalone Managers. This <Central Manager/Manager> is standalone and will take control of the <Managers/Sensors>.
Action: This message is informational.

Fault: (blank in source)
Severity: Informational
Description/Cause: (This <Central Manager/Manager> will take control of the <Managers/Sensors>)
Action: The MDR pair has been reset to standalone Managers. The peer <Central Manager/Manager> is standalone and will take control of the <Managers/Sensors>.

Fault: MDR has been canceled
Severity: Informational
Description/Cause: Manager Disaster Recovery has been cancelled.
Action: This message is informational.

Fault: MDR automatic switchover detected. (Secondary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: An automatic MDR switchover has completed without error. (The secondary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.
Fault: MDR manual switchover in progress. (Secondary <Central Manager/Manager> will take control of the <Managers/Sensors>)
Severity: Informational
Description/Cause: The administrator has initiated an MDR switchover. (The secondary <Central Manager/Manager> will take control of the <Managers/Sensors>.)
Action: This message is informational.

Fault: Successful MDR pair creation
Severity: Informational
Description/Cause: Manager Disaster Recovery (MDR) has been successfully configured.
Action: This message is for user information, no action required.

Fault: Successful MDR synchronization in progress
Severity: Informational
Description/Cause: Synchronization from the peer Manager has been completed successfully.
Action: This message is for user information. No action required.

Fault: MDR suspended
Severity: Informational
Description/Cause: Manager Disaster Recovery has been administratively suspended. (No switchover will take place while MDR is suspended.)
Action: This message is informational.

Fault: MDR resumed
Severity: Informational
Description/Cause: Manager Disaster Recovery functionality has been resumed by the administrator. Failover functionality is again available.
Action: This message is informational.

Fault: MDR Device-to-Manager IP mismatch
Severity: Informational
Description/Cause: The device-to-Manager communication IP <Manager_ip> does not match the peer Manager IP <peer_Manager_ip>.
Action: Ensure that the Sensor-Manager communication IP matches the peer Manager's peer IP in the MDR configuration.

Fault: MDR - <Network Security Central Manager/Network Security Manager> version mismatch. (Peer <Central Manager/Manager> has newer version)
Severity: Informational
Description/Cause: The two <Central Manager/Manager>s in an MDR configuration must have the same <Network Security Central Manager/Network Security Manager> software version installed. The peer <Network Security Central Manager/Network Security Manager> server software is more recent than that of the current <Central Manager/Manager>.
Action: Ensure both Managers are running the same version of the Manager software.

Fault: MDR - Manager type mismatch
Severity: Informational
Description/Cause: The two Managers in an MDR pair must be of the same type (Manager versus Central Manager).
Action: Ensure both Managers are of the same Type (Network Security Central Manager or Network Security Manager).

Fault: MDR - <Central Manager/Manager> request is not from a trusted IP address
Severity: Informational
Description/Cause: The <Central Manager/Manager> request is not from a trusted IP address.
Action: Ensure the Peer Manager is not already in MDR with another Manager.

Fault: MDR - system time synchronization error
Severity: Informational
Description/Cause: The two Managers in an MDR pair must have the same operating system time. Ensure both Managers are in sync with the same time source. (Otherwise, the device communication channels will experience disconnects.)
Action: Ensure both Managers are in sync with the current time.

Database archival
Alert archival in
progress
Informational Alerts are currently being archived.
4
Action
Do not attempt to tune
the database or
perform any other
database activity such
as a backup or restore
until the archival
process successfully
completes.
Successful alert archival Informational The alert archival successfully
completed.
This message is for
user information. No
action required.
Database tuning

Fault: Database tuning in progress
Severity: Informational
Description/Cause: The Manager database is currently being tuned.
Action: The user cannot do the following operations during the tuning process: (1) viewing or modifying alerts from the Attack Log page; (2) generating IDS reports on alerts; (3) backing up or restoring all tables, or the alert and packet log tables; (4) archiving alerts and packet logs into files.

Fault: Database tuning recommended
Severity: Informational
Description/Cause: Database tuning is recommended. <no_of_days> days have passed since the last database tuning.
Action: Shut down the Manager and execute the Database Tuning Utility at the earliest.

Fault: Successful database tuning
Severity: Informational
Description/Cause: The Manager database was tuned without error.
Action: This message is for user information. No action required.
ACL logging

Fault: Required syslog forwarder missing
Severity: Informational
Description/Cause: Firewall logging has been enabled, yet no syslog server is currently defined/enabled for admin domain <admin_domain_name>.
Action: This message will appear until a syslog server has been configured for use in forwarding ACL logs.
Update scheduler

Fault: Automatic callback detectors deployment in progress
Severity: Informational
Description/Cause: A new callback detector has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Automatic signature set deployment in progress
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and is now being deployed to the devices.
Action: This message is informational.

Fault: Callback detectors deployment in progress
Severity: Informational
Description/Cause: A new callback detectors version has recently been downloaded from the McAfee update server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Connecting to McAfee update server for updates
Severity: Informational
Description/Cause: Connecting to McAfee update server for updates.
Action: This message is informational.
Fault: Failed connection attempt to McAfee GTI Server
Severity: Informational
Description/Cause: Failed to connect to the McAfee GTI Server.
Action: This message is informational.

Fault: Scheduled signature set deployment in progress
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and is now being deployed to the devices, as scheduled.
Action: This message is informational.

Fault: Scheduled signature set download in progress
Severity: Informational
Description/Cause: A scheduled signature set update is in the process of downloading from the McAfee Update Server to the Manager server.
Action: This message is informational.

Fault: Scheduled callback detectors download is in progress
Severity: Informational
Description/Cause: The scheduled callback detectors download from the McAfee update server to the Manager is in progress.
Action: This message is informational.

Fault: Successful scheduled signature set deployment
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and successfully deployed to the devices, as scheduled.
Action: This message is informational.

Fault: Successful scheduled signature set download
Severity: Informational
Description/Cause: The scheduled signature set download from the McAfee Update Server to the Manager was successful.
Action: This message is informational.

Fault: Successful scheduled callback detectors download
Severity: Informational
Description/Cause: The scheduled callback detectors download from the McAfee update server to the Manager was successful.
Action: This message is informational.

Fault: Successful scheduled callback detectors deployment
Severity: Informational
Description/Cause: A new callback detectors version has recently been downloaded from the McAfee update server to the Manager and is being deployed to the devices.
Action: This message is informational.

Fault: Successful automatic callback detectors deployment
Severity: Informational
Description/Cause: A new callback detectors version has recently been downloaded from the McAfee Update Server to the Manager and successfully deployed to the devices.
Action: This message is informational.

Fault: Successful automatic signature set deployment
Severity: Informational
Description/Cause: A new signature set has recently been downloaded from the Update Server to the Manager and successfully deployed to the devices.
Action: This message is informational.

Fault: Update Scheduler in progress
Severity: Informational
Description/Cause: This message indicates that the update scheduler is in progress.
Action: This message is informational.

Signature download from Update Server to Manager

Fault: Signature set deployment in progress
Severity: Informational
Description/Cause: A signature set is in the process of being deployed from the Manager to the device.
Action: This message is informational.

Fault: Successful signature set download from Update Server
Severity: Informational
Description/Cause: The signature set was successfully downloaded from the McAfee Update Server to the Manager.
Action: This message is informational.
Update device configuration

Fault: Device configuration update in progress
Severity: Informational
Description/Cause: The Manager is in the process of pushing the configuration (and signature set, as applicable) to the device.
Action: This message is informational.

Signature set

Fault: DAT file import is in progress
Severity: Informational
Description/Cause: A DAT file is being imported into the Manager.
Action: This message is for user information. No action required.

Fault: Device software, IPS signature set, or callback detectors import in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or callback detectors file is being imported into the Manager.
Action: This message is informational.

Fault: Device software, IPS signature set, or callback detectors download in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or callback detectors file is being downloaded from the McAfee Update Server to the Manager.
Action: This message is informational.

Fault: Successful IPS signature set download from the McAfee update server
Severity: Informational
Description/Cause: A signature set is in the process of being deployed from the Manager to the device.
Action: This message is informational.
Audit logger

Fault: Rotating audit logs
Severity: Informational
Description/Cause: The audit log capacity on the Manager is <value taken from ems property iv.policymgmt.RuleEngine.CircularAuditLogMax> records. After this number of records is reached, the Manager will overwrite the oldest records with the newest records (i.e. first in, first out). This fault indicates that <value taken from ems property iv.policymgmt.RuleEngine.CircularAuditLogMax> records have been written to the audit log and that the oldest audit log records are now being overwritten. This fault will be raised every <value taken from ems property iv.policymgmt.RuleEngine.CircularAuditLogMax> records written. No action is required. This is an informational fault.
Action: No action; this is an indicator to inform you that the audit log is being overwritten.

User defined signature

Fault: Custom attack overridden by signature set
Severity: Informational
Description/Cause: One or more custom attack definitions have been incorporated into the current signature set and therefore removed as custom attacks. Removed custom attacks: <list of removed custom attacks>
Action: This message is for user information. No action required.

Fault: Custom attack save in progress
Severity: Informational
Description/Cause: One or more custom attack definitions are in the process of being saved to the Manager.
Action: This message is informational.

Fault: Custom attack save successful
Severity: Informational
Description/Cause: One or more custom attack definitions have been successfully saved to the Manager.
Action: This message is for user information. No action required.
Backup Manager

Fault: Database backup is in progress
Severity: Informational
Description/Cause: A manual or scheduled database backup process is in progress.
Action: Do not attempt to tune the database or perform any other database activity, such as an archive or restore, until the backup process successfully completes.

Fault: Database backup successful
Severity: Informational
Description/Cause: The database backup was successful.
Action: This message is for user information. No action required.

Backup scheduler

Fault: Scheduled backup failed
Severity: Informational
Description/Cause: Unable to create the scheduled database backup. This fault indicates problems such as SQL exceptions, database connectivity problems, or out-of-disk-space errors.
Action: Check your backup configuration settings. This fault clears when a successful backup is made.

Mail server and queue

Fault: System startup in process - alerts being restored
Severity: Informational
Description/Cause: The Manager is starting up and restoring alerts from the device archive file. The Attack Log page may not show all alerts until the Manager is fully online.
Action: The Attack Log page may not show all alerts. Restarting the Manager is required to show the restored alerts in the Attack Log page.
Sensor faults
The Sensor faults can be classified into critical, error, warning, and informational. The Action column
provides you with troubleshooting tips.
Sensor critical faults
These are the critical faults for a Sensor device.
Fault: BOT DAT file download failure
Severity: Critical
Description/Cause: The Manager cannot push the BOT DAT file to device <Sensor_name>.
Action: Occurs when the Manager cannot push the BOT DAT file to the Sensor. Could result from a network connectivity issue.

Fault: Bootloader upgrade failure
Severity: Critical
Description/Cause: The firmware upgrade has failed on the Sensor.
Action: Debug or reload the firmware on the Sensor.

Fault: Conflict in MDR Status
Severity: Critical
Description/Cause: Sensor found a conflict with MDR status; Manager IP address / MDR status as ...
Action: There is a problem with the MDR configuration. Check your MDR settings.
Fault: CRC Errors
Severity: Critical
Description/Cause: A recoverable CRC error has occurred within the Sensor.
Action: Reboot the Sensor, which may then resolve the issue causing the fault.

Fault: Cluster software mismatch status
Severity: Critical
Description/Cause: The software versions on the cluster primary and cluster secondary are not the same.
Action: Check for errors in the software image download to the cluster.

Fault: Device re-discovery failure
Severity: Critical
Description/Cause: The upload of device configuration information for device <Sensor_name> failed again after being triggered by the status polling thread. The device is not properly initialized. This fault occurs as a second part to the "device discovery failure" fault. If the condition of the Sensor changes such that the Manager can again communicate with it, the Manager again checks to see if the Sensor discovery was successful. This fault is issued if discovery fails, thus the Sensor is still not properly initialized.
Action: Check to ensure that the Sensor has the latest software image compatible with the Manager software image. If the images are incompatible, update the Sensor image via a TFTP server.

Fault: Device is unreachable
Severity: Critical
Description/Cause: SNMP ping failed: Device <Sensor_name> is unreachable through its command channel. Indicates that the device cannot communicate with the Manager: the connection between the device and the Manager is down, or the device has been administratively disconnected.
Action: Troubleshoot connectivity issues: 1) check that a connection route exists between the Manager and the device; 2) check the device's status using the <status> command in the device command line interface, or ping the device or the device's gateway to ensure connectivity. This fault clears when the Manager detects the device again.

Fault: Device dropping packets internally
Severity: Critical
Description/Cause: Device capacity has been reached. The device front end is overloaded.
Action: Reduce the amount of traffic passing through the Sensor, as there is an overload of traffic on the Sensor.

Fault: Device model change detected
Severity: Critical
Description/Cause: Device <Sensor_name> has been replaced by a different model <model_name>, which does not match the original model. The alert channel will not be able to establish a connection.
Action: Make sure you replace the model with the same Sensor model (e.g., replace an I-2700 with an I-2700, not an I-4010).

Fault: Device switched to Layer 2 bypass mode
Severity: Critical
Description/Cause: Device is now operating in Layer 2 bypass mode. (Inspection has been disabled.)
Action: The Sensor has experienced multiple errors, surpassing the configured Layer 2 mode threshold. Check the Sensor's status.
Fault: Device reboot required
Severity: Critical
Description/Cause: The SSL decryption state or supported flow count on device <Sensor_name> has been changed (new value = <value>). A device reboot is required to make the change take effect.
Action: Reboot the Sensor to cause the SSL change to take effect.

Fault: Dropping alerts and packet logs
Severity: Critical
Description/Cause: The Manager is not communicating with the database; the alert and packet log queues are overflowing.
Action: Perform maintenance operations to clean and tune the database, or disable the dropping option.

Fault: Fail Open Control Module Timeout
Severity: Critical
Description/Cause: Communication has timed out between the Fail Open Controller in the Sensor's Compact Flash port and the Fail Open Bypass Switch. This situation has caused the Sensor to move to Bypass mode and traffic to bypass the Sensor.
Action: The fault could be the result of a cable being disconnected, or removal of the Bypass Switch. This fault clears automatically when communication resumes between the Fail Open Controller and the Fail Open Bypass Switch.

Fault: Failed to create command channel association
Severity: Critical
Description/Cause: Command channel association creation failed for device <Sensor_name>. The device is not properly initialized. This error indicates a failure to create a secure connection between the Manager and the device, which can be caused by loss of time synchronization between the Manager and the device, or by the device not being completely online after a reboot.
Action: Restart the Manager and/or check the Sensor's operating status to ensure that the Sensor's health and status are good.

Fault: Failed to update the failover Sensor configuration
Severity: Critical
Description/Cause: Monitoring port IP settings are not configured for the ports that require them.
Action: Either configure the Monitoring Port IPs for all the above ports, or disable those features. For example, monitoring port IP settings are required for a monitoring port to export NetFlow data to NTBA and to implement require-authentication Firewall access rules.

Fault: Failover peer status
Severity: Critical
Description/Cause: This fault indicates whether the Sensor peer is up or down.
Action: This fault clears automatically when the Sensor peer is up.

Fault: Fan error
Severity: Critical
Description/Cause: One or more of the fans inside the Sensor have failed. On the I-4000, you can also check the Sensor's front panel LEDs to see which fan has failed. For the I-4000 and 4010, the Manager indicates which fan has failed.
Action: If a fan is not operational, McAfee strongly recommends powering down the Sensor and contacting Technical Support to schedule a replacement unit. In the meantime, you can use an external fan (blowing into the front of the Sensor) to prevent the Sensor from overheating until the replacement is completed.
Fault: Fail-open bypass switch timeout
Severity: Critical
Description/Cause: The device is not able to communicate with the fail-open bypass switch.
Action: Check the external FailOpen kit connections or port pair configuration to restore Inline FailOpen mode.

Fault: Firewall connectivity failure
Severity: Critical
Description/Cause: The connectivity between the device and the firewall is down.
Action: This fault can occur in situations where, for example, the firewall machine is down, or the network is experiencing problems. Ping the firewall to see if the firewall is available. Contact your IT department to troubleshoot connectivity issues.

Fault: Hardware error
Severity: Critical
Description/Cause: There is an error in the hardware component on the Sensor.
Action: Debug or replace the hardware component.

Fault: Sensor connectivity status with GTI server
Severity: Critical
Description/Cause: Sensor is unable to communicate with the GTI server. This fault will be cleared when the connection is restored.
Action: Message generated based on Sensor connectivity with the GTI Server.

Fault: Illegal In-line, fail-open configuration of <port_name>.
Severity: Critical
Description/Cause: The Sensor is configured to operate with an external Fail-Open Module hardware component, but cannot detect the hardware.
Action: This error applies only to Sensors running in in-line mode with a gigabit port in fail-open mode (using the external Fail Open Module). When this fault is triggered, the port will be in bypass mode and will send another fault of that nature to the Manager. When appropriate configuration is sent to the Sensor (either the hardware is discovered or the configuration changes), the Sensor begins to operate in in-line, fail-open mode.

Fault: Image downgrade detected
Severity: Critical
Description/Cause: Unsupported configuration upgrade/downgrade; default configurations are used.
Action: This is an internal error. Check the Sensor status to see that the Sensor is online and in good health.

Fault: Internal configuration error
Severity: Critical
Description/Cause: An internal application communication error occurred on the device during <handling signature segments file / SNMP configuration request / other Sensor internal communication>. Image downgrade, Please do a resetconfig. Unsupported configuration upgrades, default configurations are used. Image downgrade detected. Please execute <resetconfig> on the device CLI to complete the downgrade. Unsupported BOT DAT configuration detected after upgrade/downgrade. The default configuration will be used.
Action: This is an internal error. Check the Sensor status to see that the Sensor is online and in good health.
Fault: Interface/sub-interface creation failure
Severity: Critical
Description/Cause: Device <Sensor_name> could not generate an interface or sub-interface. See the system log for details.
Action: This fault generally occurs in situations where the port in question is configured incorrectly. For example, a pair of ports is configured to be in different operating modes (1A is In-line while 1B is in SPAN). Check the configuration of the port pair for inconsistencies, then configure the port pair to run in the same operating mode.

Fault: Invalid fail-open configuration: <port_pair_name>
Severity: Critical
Description/Cause: An invalid configuration has been applied to <port_pair_name>.
Action: The Sensor requires appropriate hardware to support in-line, fail-open configuration on its gigabit ports. Ensure that the hardware is available and that the correct ports are in-line and configured to run in this mode.

Fault: Invalid SSL decryption key
Severity: Critical
Description/Cause: Device has detected an invalid SSL decryption key: <SSL decryption key>
Action: The user may need to re-import the server SSL decryption key.

Fault: Late Collision of <count Up/Down>
Severity: Critical
Description/Cause: This fault can indicate a problem with the setup or configuration of the 10/100 Ethernet ports or devices connected to those ports. It can also indicate a compatibility issue between the Sensor and the device to which it is connected.
Action: Check the speed and duplex settings on the Sensor ports and the peer device ports and ensure that they are the same.

Fault: Link failure of Port <port_name>
Severity: Critical
Description/Cause: The link between a Monitoring port on the Sensor and the device to which it is connected is down, and communication is unavailable. The fault indicates which port is affected. The link on port <port_name> is <up/down>. The link between port "<port_name>" and the device to which it is connected is down, and communication is unavailable.
Action: Contact your IT department to troubleshoot connectivity issues: check the cabling of the specified Monitoring port and the device connected to it; check the speed and duplex mode of the connection to the switch or router to ensure parameters such as port speed and duplex mode are set correctly; check power to the switch or router. This fault clears when communication is re-established.

Fault: (fault name missing from the extracted text)
Severity: Critical
Description/Cause: Users from all three FIPS mode roles (Audit Administrator, Crypto Administrator and Security Administrator) have logged onto the Manager at the same time.

Fault: License expires soon
Severity: Critical
Description/Cause: Your license is going to expire in less than 7 days.
Action: Please contact Technical Support or your local reseller.

Fault: Load Balancer fail-over configuration mismatch
Severity: Critical
Description/Cause: Load Balancer <Load_Balancer_name> reports that the fail-over peer configuration does not match.
Action: Verify the Load Balancer configuration. Both Load Balancers in a fail-over pair are expected to have the same configuration.
Fault: Load Balancer is unreachable
Severity: Critical
Description/Cause: Load balancer device <load_balancer_name> is unreachable through its command channel. Indicates that the load balancer cannot communicate with the Manager: the connection between the load balancer and the Manager is down, or the load balancer has been administratively disconnected.
Action: Troubleshoot connectivity issues: 1) check that a connection route exists between the Manager and the load balancer; 2) check the load balancer status using the status command in the load balancer command line interface, or ping the load balancer or the load balancer gateway to ensure connectivity to the load balancer. This fault clears when the Manager detects the load balancer again.

Fault: Malware File Archive Disk Usage (Compressed files)
Severity: Critical
Description/Cause: The disk usage for archived compressed files has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Malware File Archive Disk Usage (Executables)
Severity: Critical
Description/Cause: The disk usage for archived executables has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Malware File Archive Disk Usage (Office Files)
Severity: Critical
Description/Cause: The disk usage for archived office files has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Malware File Archive Disk Usage (PDFs)
Severity: Critical
Description/Cause: The disk usage for archived PDFs has reached the user-defined threshold of the maximum allowed. New files of this type will no longer be saved to the disk once usage reaches 100%.
Action: Prune/delete unwanted files, or increase the maximum disk space, or both.

Fault: Manual Sensor Reboot Required
Severity: Critical
Description/Cause: The Sensor requires a manual reboot due to an issue. Please reboot the Sensor.
Action: Please reboot the Sensor.

Fault: Memory error
Severity: Critical
Description/Cause: A recoverable software memory error has occurred within the Sensor.
Action: Reboot the Sensor, which may then resolve the issue causing the fault.
Fault: MLC Group Size fault
Severity: Critical
Description/Cause: Sensor version 8.0 or lower is not supported for this group size. The fault is raised when the admin domain user group exceeds 2,000 in an 8.0 or lower M-series model. The 10,000 admin domain user group is supported only in the 8.1 Manager for the M-series model.
Action: Reduce the number of admin domain user groups to a value that is supported by your Sensor.

Fault: MPE certificate download failure
Severity: Critical
Description/Cause: Cannot push MPE certificate to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the MPE certificate to a Sensor. Could result from a network connectivity issue.

Fault: NTBA IPS connection failure
Severity: Critical
Description/Cause: The device cannot communicate with NTBA over the management port using TCP.
Action: If any of the devices are uninstalled, this problem may exist initially for a few minutes and should go away. If the fault still appears, then check the firewall rules, connections and connectivity from the IPS management port to the NTBA management port.

Fault: Ondemand scan failed because connection was refused to FoundScan engine
Severity: Critical
Description/Cause: This fault can be due to two reasons: the user has not specified the Fully Qualified Domain Name, or the FoundScan engine is shut down.
Action: For more information on using the Fully Qualified Domain Name, see the McAfee Network Security Platform Integration Guide.

Fault: Packet capture rules download
Severity: Critical
Description/Cause: Cannot push packet capture rules to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the packet capture rules to a Sensor. Could result from a network connectivity issue.

Fault: Packet overflow
Severity: Critical
Description/Cause: A recoverable software buffer overflow error has occurred within the Sensor.
Action: Reboot the Sensor, which may then resolve the issue causing the fault.

Fault: Port late collision
Severity: Critical
Description/Cause: This fault could indicate a problem with the setup or configuration of the 10/100 Ethernet ports or devices connected to those ports. It could also indicate a compatibility issue between the Sensor and the device to which it is connected.
Action: The Sensor may be detecting an issue with another device located on the same network link. Check to see if there is a problem with one of the other devices on the same link as the Sensor. This situation could cause traffic to cease flowing on the Sensor and may require a Sensor reboot.

Fault: Port pair <port_name> is back to In-line, Fail-Open Mode
Severity: Critical
Description/Cause: Sensor is back to In-line, Fail-Open Mode.
Action: This message indicates that the ports have gone from Bypass mode back to normal.
Fault: Port pair <port_name> is in Bypass Mode
Severity: Critical
Description/Cause: This fault indicates that the indicated GBIC ports are unable to remain in In-line Mode as configured. This has caused fail-open control to initiate, and the Sensor is now operating in Bypass Mode. Bypass mode indicates that traffic is flowing through the Fail Open Bypass Switch, bypassing the Sensor completely.
Action: Check the health of the Sensor and the indicated ports. Check the connectivity of the Fail Open Control Cable to ensure that the Fail Open Control Module can communicate with the Fail Open Controller in the Sensor's Compact Flash port.

Fault: Port pair <port_pair_name> in bypass mode
Severity: Critical
Description/Cause: Device <Sensor_name> is configured to run in-line and to fail open, but it is in bypass mode.
Action: This fault indicates that some failure has occurred, causing the fail-open control module to switch operation to Bypass Mode. No traffic is flowing through the Sensor.

Fault: Port pair <port_pair_name> in in-line, fail-open mode
Severity: Critical
Description/Cause: Device <Sensor_name> has returned to in-line, fail-open mode.
Action: This message indicates that the ports have gone from Bypass Mode back to normal.

Fault: Port pair <port_pair_name> fail-open kit status
Severity: Critical
Description/Cause: Device <Sensor_name> is configured to run in-line and to fail open, but it is in <Bypass, Tap, Absent, Unknown, L2Bypass, Timeout, IllegalConfig, Restore> Mode.
Action: This fault indicates that some failure has occurred, causing the fail-open control module to switch operation to <Bypass, Tap, Absent, Unknown, L2Bypass, Timeout, IllegalConfig, Restore> Mode. No traffic is flowing through the Sensor.

Fault: Port media type mismatch
Severity: Critical
Description/Cause: <Port_name>: Configured media type is <none/optical/copper/unknown>. Inserted media type is <optical/copper/unknown>.
Action: Check whether the pluggable connector matches the user configuration. Example: a copper SFP inserted in a cage configured for fiber. Replace the media according to the configured value.

Fault: Port certification mismatch
Severity: Critical
Description/Cause: <Port_name>: McAfee Certified pluggable interface. McAfee certification status is <not matching/matching>.
Action: Check whether the pluggable interface is McAfee certified. Replace it with a McAfee certified connector, or clear the check box to use a non-certified connector (a McAfee certified connector is recommended).

Fault: Power supply error
Severity: Critical
Description/Cause: The <primary/secondary> power supply to the device <was inserted/was removed/is Operational/is non-operational>. Restore the power supply to clear this fault.
Action: Check power to the outlet providing power to the power supply; if a power interruption is not the cause, replace the failed power supply.

Fault: Sensor changes to a different model
Severity: Critical
Description/Cause: A Sensor was replaced with a different model type (for example, an I-1200 was replaced with an I-1200-FO (failover only) Sensor). The alert channel will be unable to make a connection.
Action: When replacing a Sensor, ensure that you replace it with an identical model (for example, replace an I-1200 with an I-1200; do not attempt to replace a regular Sensor with a failover-only model, and vice versa).
Fault: Sensor configuration download failure
Severity: Critical
Description/Cause: The link between Manager and Sensor may be down, or you may need to re-establish the trust relationship between Sensor and Manager by resetting the shared key values.
Action: The Manager cannot push the original Sensor configuration to the Sensor during Sensor re-initialization, possibly because the trust relationship between Manager and Sensor is lost. This can also occur when a failed Sensor is replaced with a new unit, and the new unit is unable to discover its configuration information. It happens if the Sensor's health is bad.

Fault: <Sensor_name> configuration update failure
Severity: Critical
Description/Cause: The attempt by the Manager to deploy the configuration to device <Sensor_name> failed during device re-initialization. The device configuration is now out of sync with the Manager settings. The device may be down. See the system log for details.
Action: The Manager cannot push the original device configuration during device re-initialization. This can also occur when a failed device is replaced with a new unit, and the new unit is unable to discover its configuration information.

Fault: Sensor reboot required for SSL decryption configuration change
Severity: Critical
Description/Cause: User-configured SSL decryption settings for a particular Sensor changed, requiring a Sensor reboot.
Action: Reboot the Sensor to cause the changes to take effect.

Fault: Signature set error
Severity: Critical
Description/Cause: The device has detected an error on signature segment <segment_id>. The segment error cause is <unknown cause>, and the download type is <init/update/unknown signature download type>.
Action: Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file to the Sensor. This fault will clear when the signature segments are successfully pushed to the Sensor.

Fault: Solid State Drive <drive 0> Error
Severity: Critical
Description/Cause: The solid state drive <drive 0> is <drive 1>.
Action: Check the respective SSD status; on failure, replace the SSD.

Fault: Sensor switched to Layer 2 mode
Severity: Critical
Description/Cause: The Sensor has moved from detection mode to Layer 2 (Passthru) mode. This indicates that the Sensor has experienced the specified number of errors within the specified timeframe and Layer 2 mode has triggered.
Action: The Sensor will remain in Layer 2 mode until it is rebooted.

Fault: Sensor switched to Layer 2 Bypass mode
Severity: Critical
Description/Cause: The Sensor is now operating in Layer 2 Bypass mode. Intrusion detection/prevention is not functioning.
Action: The Sensor has experienced multiple errors, surpassing the configured Layer 2 mode threshold. Check the Sensor's status.

Fault: Software error
Severity: Critical
Description/Cause: A recoverable software error has occurred within the device. A device reboot may be required.
Action: This error may require a reboot of the Sensor, which may then resolve the issue causing the fault.

Fault: SSL decryption key download failure
Severity: Critical
Description/Cause: Cannot push SSL decryption keys to device <Sensor_name>. See system log for details.
Action: Occurs when the Manager cannot push the SSL decryption keys to a Sensor. Could result from a network connectivity issue.
Fault: Temperature status
Severity: Critical
Description/Cause: Inlet temperature value increased above 50.
Action: Check the fan LEDs in front of the chassis to ensure all internal chassis fans are functioning. This fault will clear when the temperature returns to its normal range.

Fault: User login via console after Sensor initialization
Severity: Critical
Description/Cause: Sensor reports user <user_name> login via console after Sensor initialization. This is a FIPS 140-2 Level 3 violation.
Action: This message is informational.

Advanced Threat Defense connectivity

Fault: Sensor connectivity status with Advanced Threat Defense device
Severity: Critical
Description/Cause: Sensor is unable to communicate with the Advanced Threat Defense (ATD) device due to <issue>. This fault will be cleared when the connection is restored.
Action: Message generated based on Sensor connectivity with the Advanced Threat Defense (ATD) device.

CADS connectivity

Fault: Sensor connectivity status with CADS device
Severity: Critical
Description/Cause: Sensor is unable to communicate with the CADS device due to <issue>. This fault will be cleared when the connection is restored.
Action: Message generated based on Sensor connectivity with the CADS device.

Licensing

Fault: Device discovered without license
Severity: Critical
Description/Cause: Device <Sensor_name> discovered without license, and may not detect attacks.
Action: To obtain a permanent license now, kindly contact Technical Support or your local reseller.

Fault: Device discovered with cluster secondary license.
Severity: Critical
Description/Cause: Device <Sensor_name> was discovered with a cluster secondary license. This device cannot be connected to the Manager directly.

Fault: Device license expired
Severity: Critical
Description/Cause: Device license expired. The device may not detect attacks.
Action: Please contact Technical Support or your local reseller to obtain a license.

Fault: Device support license expired
Severity: Critical
Description/Cause: Device support license expired. The device may not detect attacks.
Action: Please contact Technical Support or your local reseller to obtain a license.

Fault: Expired device license
Severity: Critical
Description/Cause: Device license expired. The device may not detect attacks.
Action: Please contact Technical Support or your local reseller to obtain a license.

Fault: Expired device support license
Severity: Critical
Description/Cause: Device support license expired. The device may not detect attacks.
Action: Please contact Technical Support or your local reseller to obtain a license.

Fault: Expired license for device of type <device_type>
Severity: Critical
Description/Cause: The device may not detect attacks.
Action: Please contact Technical Support or your local reseller to obtain a license.

Fault: Expired support license for device of type <device_type>
Severity: Critical
Description/Cause: The device may not detect attacks.
Action: Please contact Technical Support or your local reseller to obtain a license.

Fault: No valid license detected for device of type <device_type>
Severity: Critical
Description/Cause: The discovered device may not detect attacks.

Fault: Pending support license expiration for device of type <device_type>
Severity: Critical
Description/Cause: Support license for this device expires in <x> days.
Action: Please contact Technical Support or your local reseller to renew the support license.
Sensor error faults

These are the error faults for a Sensor device.

Fault: Alert channel down
Severity: Error
Description/Cause: The alert channel for device <Sensor_name> is down. Reason: <one of the following>
  "Channel connection failed reason unknown"
  "Channel is up"
  "Sensor unable to sync time with NSM (error 2)"
  "Sensor unable to generate valid certificate (error 3)"
  "Sensor unable to persist Sensor certificate (error 4)"
  "Sensor fail connecting to NSM (error 5)"
  "Sensor in untrusted connection mode (error 6)"
  "Sensor install connection failed (error 7)"
  "Sensor unable to persist NSM certificate (error 8)"
  "Mutual trust mismatch between Sensor and NSM (error 9)"
  "Error in SNMPv3 key exchange (error 10)"
  "Error in initial protocol message exchange (error 11)"
  "Sensor install in progress"
  "Opening alert channel in progress"
  "Link error. Attempting to reconnect (error 14)"
  "Alert channel reconnect failed (error 15)"
  "Closing alert channel in progress"
  "Closing alert channel failed (error 17)"
  "Send alert warning (error 18)"
  "Keep alive warning (error 19)"
  "Sensor unable to delete certificate (error 20)"
  "Sensor unable to create SNMP user (error 21)"
  "Sensor unable to change SNMP user key (error 22)"
The Manager cannot communicate with the device via the channel on which the Manager listens for Sensor alerts.
Action: This fault clears when the alert channel is back up.
Fault: Device in bad health
Severity: Error
Description/Cause: Please check the running status of device <device_name>. This fault occurs with any type of device software failure. (It usually occurs in conjunction with a software error fault.)
Action: If this fault persists, we recommend that you perform a Diagnostic Trace and submit the trace file to Technical Support for troubleshooting.

Fault: GAME error
Severity: Error
Description/Cause: Indicates that the engine could not be initialized or downloaded, or that the DAT file could not be downloaded.
Action: This fault clears when the engine is initialized or downloaded and the DAT file is downloaded successfully.

Fault: Internal packet drop error
Severity: Error
Description/Cause: Device is dropping packets due to traffic load.
Action: Reduce the amount of traffic passing through the Sensor, as this fault indicates overload of traffic on the Sensor.

Fault: MLC Bulk update file size exceeds limit
Severity: Error
Description/Cause: Device has a limit for the MLC Bulk Update file size that it can process. As this has been exceeded, the update to the device <Sensor_name> is aborted.
Action: Check the MLC server configured in this Manager for the number of users, groups, and IP-user mappings. Make sure they do not exceed the limits specified in the MLC Integration documentation.

Fault: Out-of-range configuration
Severity: Error
Description/Cause: Device <Sensor_name> has detected an out-of-range configuration value.
Action: Contact McAfee Technical Support for assistance.
Fault: Packet log channel down
Severity: Error
Description/Cause: The packet log channel for device <Sensor_name> is down. Reason: <one of the following>
  "Channel is up"
  "Sensor unable to sync time with NSM (error 2)"
  "Sensor unable to generate valid certificate (error 3)"
  "Sensor unable to persist Sensor certificate (error 4)"
  "Sensor fail connecting to NSM (error 5)"
  "Sensor in untrusted connection mode (error 6)"
  "Sensor install connection failed (error 7)"
  "Sensor unable to persist NSM certificate (error 8)"
  "Mutual trust mismatch between Sensor and NSM (error 9)"
  "Error in SNMPv3 key exchange (error 10)"
  "Error in initial protocol message exchange (error 11)"
  "Sensor install in progress"
  "Opening packet-log channel in progress"
  "Link error. Attempting to reconnect (error 14)"
  "Packet-log channel reconnect failed (error 15)"
  "Closing packet-log channel in progress"
  "Closing packet-log channel failed (error 17)"
  "Send alert warning (error 18)"
  "Keep alive warning (error 19)"
The Manager cannot communicate with the device via the channel on which the Manager receives packet logs.
Action: This fault clears when the packet log channel is back up.
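The reason strings in the "Alert channel down" and "Packet log channel down" faults above carry a numeric error code that decides the first troubleshooting step: trust and certificate problems, Manager connectivity, SNMPv3 key exchange, or a transient warning. The following Python is an added example, not part of this guide or of the Network Security Platform product: it parses the fault text into device, channel, reason and error code, and maps the code to a triage category using only the reason list printed above. The message layout, the sample fault lines, the category boundaries and the first-check wording are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Numbered reasons as printed in the "Alert channel down" and "Packet log
# channel down" reason lists. Reasons printed without a number ("Sensor install
# in progress", "Opening alert channel in progress", ...) are transitional
# states rather than errors and are classified as "in-progress" below.
REASON_BY_CODE = {
    2: "Sensor unable to sync time with NSM",
    3: "Sensor unable to generate valid certificate",
    4: "Sensor unable to persist Sensor certificate",
    5: "Sensor fail connecting to NSM",
    6: "Sensor in untrusted connection mode",
    7: "Sensor install connection failed",
    8: "Sensor unable to persist NSM certificate",
    9: "Mutual trust mismatch between Sensor and NSM",
    10: "Error in SNMPv3 key exchange",
    11: "Error in initial protocol message exchange",
    14: "Link error. Attempting to reconnect",
    15: "Channel reconnect failed",
    17: "Closing channel failed",
    18: "Send alert warning",
    19: "Keep alive warning",
    20: "Sensor unable to delete certificate",
    21: "Sensor unable to create SNMP user",
    22: "Sensor unable to change SNMP user key",
}

# Triage categories are this example's own grouping of the codes by the wording
# of each reason; they are not defined by the product.
CATEGORY_BY_CODE = {
    **dict.fromkeys((3, 4, 6, 8, 9, 20), "trust"),
    **dict.fromkeys((2, 5, 7, 11, 14, 15, 17), "connectivity"),
    **dict.fromkeys((10, 21, 22), "snmpv3"),
    **dict.fromkeys((18, 19), "transient"),
}

# First check per category, following the Action text of the channel faults.
FIRST_CHECK = {
    "trust": "Check that trust is established with the Sensor CLI 'show' command; "
             "re-enter the shared secret if needed (it is case sensitive).",
    "connectivity": "Check the network path between Manager and Sensor; "
                    "the fault clears when the channel comes back up.",
    "snmpv3": "SNMPv3 user or key exchange failed; if the fault persists, "
              "contact Technical Support.",
    "transient": "Warning only; the Sensor normally recovers on its own.",
    "in-progress": "Transitional state; wait and re-check the channel.",
    "unknown": "Error code not in the documented list; see the Manager system log.",
}

HEADER_RE = re.compile(
    r"The (?P<channel>alert|packet log) channel for device (?P<device>\S+) "
    r"is down\. Reason: (?P<reason>.+)$"
)
CODE_RE = re.compile(r"\(error (?P<code>\d+)\)\s*$")


@dataclass
class ChannelFault:
    device: str
    channel: str
    reason: str
    code: Optional[int]
    category: str
    first_check: str


def parse_channel_fault(text: str) -> Optional[ChannelFault]:
    """Parse one channel-down fault message; return None for any other fault."""
    m = HEADER_RE.search(text.strip())
    if not m:
        return None
    reason = m["reason"].strip().strip('"')
    code_m = CODE_RE.search(reason)
    if code_m:
        code = int(code_m["code"])
        category = CATEGORY_BY_CODE.get(code, "unknown")
    else:
        code, category = None, "in-progress"
    return ChannelFault(m["device"], m["channel"], reason, code,
                        category, FIRST_CHECK[category])


def triage(messages):
    """Return parsed channel faults, skipping messages of other fault types."""
    return [f for f in map(parse_channel_fault, messages) if f is not None]


# Constructed sample fault texts in the layout shown in the table above.
SAMPLE_FAULTS = [
    'The alert channel for device nsp-sensor-01 is down. Reason: "Mutual trust mismatch between Sensor and NSM (error 9)"',
    'The packet log channel for device nsp-sensor-02 is down. Reason: "Sensor fail connecting to NSM (error 5)"',
    'The alert channel for device nsp-sensor-03 is down. Reason: "Opening alert channel in progress"',
    "Device nsp-sensor-04 discovered without license, and may not detect attacks.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FAULTS):
        print(f"{f.device} [{f.channel}] error={f.code} {f.category}: {f.first_check}")
```

Codes 15 and 17 are listed once here because the alert and packet-log lists differ only in the channel name for those two reasons; the parser keys on the channel captured from the message header instead.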
Fault: Put peer DoS profile failure
Severity: Error
Description/Cause: The Sensor was unable to push a requested profile to the Manager.
Action: See the ems.log file for details on why the error is occurring. The fault will clear when the Sensor is able to push a valid DoS profile.

Fault: Peer DoS profile retrieval failure
Severity: Error
Description/Cause: Peer DoS profile retrieval request from device <Sensor_name> failed. No DoS profile for peer <peer_Sensor_name> is available. The Manager cannot obtain the requested profile from the peer Sensor, nor can it obtain a saved valid profile. See log for details.
A second form of this message reads: Peer DoS profile retrieval request from device <Sensor_name> failed because the profile cannot be pushed to the device that requested it. See system log for details.
Action: Check the Manager connection to Network Security Platform.

Fault: <Sensor> discovery failure
Severity: Error
Description/Cause: <Sensor>, <Sensor_name> failed to discover configuration information. The device is not properly initialized.
Action: Typically, the Manager will be unable to display the Sensor in this situation, which could indicate an old software image on the Sensor. If this fault is triggered because the Sensor is temporarily unavailable, the Manager will clear this fault when the Sensor is back online. If the fault persists, check to ensure that the Sensor has the latest software image compatible with the Manager software image. If the images are incompatible, update the Sensor image via a TFTP server.

Fault: Sensor reports an out-of-range configuration
Severity: Error
Description/Cause: The Manager received a value from the Sensor that is invalid. The additional text of the message contains details. This fault does not clear automatically; it must be cleared manually.
Action: Contact McAfee Technical Support for assistance.

Fault: Sensor reports NMS user privacy key decrypt failure
Severity: Error
Description/Cause: NMS user privacy key decryption failed for user <user_name>.
Action: Delete the NMS user and add it again with valid credentials.

Fault: Sensor reports NMS user authentication key decrypt failure
Severity: Error
Description/Cause: NMS user authentication key decryption failed for user <user_name>.
Action: Delete the NMS user and add it again with valid credentials.

Fault: Sensor configuration update failed
Severity: Error
Description/Cause: The Sensor configuration update failed to be pushed from the Manager server to the Sensor.
Action: See the ems.log file to isolate the reason for failure.
Fault: Sensor discovery failure
Severity: Error
Description/Cause: The Sensor failed to discover its configuration information, and thus is not properly initialized. Typically, the Manager will be unable to display the Sensor. Could indicate an old Sensor image on the Sensor.
Action: Check the Manager connection to Network Security Platform. Check to ensure that the Sensor has the latest software image compatible with the Manager software image. If the images are incompatible, update the image via a TFTP server.

Fault: (fault name not present in the extracted text)
Description/Cause: The Manager has reached its limit (<queue_size_limit>) for alerts that can be queued for storage in the database. (<no_of_alerts> alerts dropped)
Fault: Sensor reports that the alert channel is down
Severity: Error
Description/Cause: This fault indicates that the Sensor is reporting that the alert channel is down, but the physical channel is actually up. Reason: <one of the following>
  "Channel is up"
  "Sensor unable to sync time with NSM (error 2)"
  "Sensor unable to generate valid certificate (error 3)"
  "Sensor unable to persist Sensor certificate (error 4)"
  "Sensor fail connecting to NSM (error 5)"
  "Sensor in untrusted connection mode (error 6)"
  "Sensor install connection failed (error 7)"
  "Sensor unable to persist NSM certificate (error 8)"
  "Mutual trust mismatch between Sensor and NSM (error 9)"
  "Error in SNMPv3 key exchange (error 10)"
  "Error in initial protocol message exchange (error 11)"
  "Sensor install in progress"
  "Opening packet-log channel in progress"
  "Link error. Attempting to reconnect (error 14)"
  "Packet-log channel reconnect failed (error 15)"
  "Closing packet-log channel in progress"
  "Closing packet-log channel failed (error 17)"
  "Send alert warning (error 18)"
  "Keep alive warning (error 19)"
Action: The Sensor will typically recover on its own. If you are receiving alerts with packet logs and your Sensor is otherwise behaving normally, you can ignore this message. Check to see if trust is established between the Sensor and Manager by issuing a show command in the Sensor CLI. If this fault persists, contact McAfee Technical Support.

Fault: SSL decryption key invalid
Severity: Error
Description/Cause: The Manager detects that a particular SSL decryption key is no longer valid. The detailed reason why the fault is occurring is shown in the fault message. These reasons can range from the Sensor re-initializing itself with a different certificate to an inconsistency between the decryption key residing on a primary Sensor and its failover peer Sensor.
Action: Re-import the key (which is identified within the error message). The fault will clear itself when the key is determined to be valid.

Fault: Trust Establishment Error – Bad Shared Secret
Severity: Error
Description/Cause: Device <Sensor_name> could not be added to the Manager because the shared secret it provided does not match what was defined for it on the Manager.
Action: Make sure the shared secret entered on the device CLI matches the one defined within the Manager GUI. (Note: The shared secret is case sensitive.)

Fault: Trust Establishment Error – Unknown Device
Severity: Error
Description/Cause: Device <Sensor_name> could not be added to the Manager because it has not been defined on the Manager.
Action: Make sure the device you would like to add to the Manager has been defined within the Manager GUI before trying to add it via the device CLI. (Note: The device name is case sensitive.)
Update device configuration

Fault: Device Configuration update failed
Severity: Error
Description/Cause: Device configuration update failed to be pushed from the Manager server to the Sensor.
Action: See the ems.log file to isolate the reason for failure.

Device upload scheduler

Fault: Scheduled callback detector deployment failure
Severity: Error
Description/Cause: The Manager was unable to perform the scheduled BOT DAT deployment to the device <Sensor_name>.
Action: Indicates that the Manager was unable to perform the scheduled BOT DAT deployment to the Sensor. This is because of network connectivity between the Manager and the Sensor, or an invalid DAT file. This fault clears when an update is sent to the Sensor successfully.
Sensor warning faults

These are the warning faults for a Sensor device.

Fault: DAT Config is out of sync
Severity: Warning
Description/Cause: The DAT Segments Config update to the device <Sensor_name> failed. The Bot DAT Config file on the failover pair is out of sync as a result. (The Manager will automatically make another attempt to deploy the BOT DAT Config file.)
Action: Ensure that the Sensor is online and is in good health. The Manager will make another attempt to push the file. The fault will be cleared when the Manager is successful.

Fault: Device configuration update is in progress
Severity: Warning
Description/Cause: Device configuration update is in progress.
Action: Device configuration update is in progress.

Fault: Device power up
Severity: Warning
Description/Cause: The device has completed booting and is online.
Action: This message is informational. Acknowledge or delete the fault to clear it.
Fault: Device performance <CPU Utilization, TCP/UDP Flow Utilization, Port Throughput Utilization, Sensor Throughput Utilization, L2 Error Drop, L3/L4 Error Drop>
Severity: Warning
Description/Cause: Network Security Device Performance Monitoring <CPU Utilization, TCP/UDP Flow Utilization, Port Throughput Utilization, Sensor Throughput Utilization, L2 Error Drop, L3/L4 Error Drop> triggered since the <% or empty string> crossed the threshold value with <fallen/risen/been> for <metric_value> band on <Sensor_name>.
The fault message reads: <Sensor_name> has <fallen/risen/been> to <above/below> <% or empty string> on <Sensor_name>, which is <above/below> the configured <alarm_name_as_configured_by_the_user> threshold of <threshold_value> <% or empty string>.

Fault: Device in high latency mode
Severity: Warning
Description/Cause: Device high latency mode is currently <LatencyConflict/LatencyConflictCleared>. (The device will attempt to automatically recover from the high latency condition.)
A second form of this message reads: Device high latency mode and Layer 2 bypass mode are currently <LatencyConflict/LatencyConflictCleared>. (The device will attempt to automatically recover from the high latency condition.)
Action: The device will attempt to automatically recover from the high latency condition.

Fault: Device latency monitoring configuration is conflicting with Layer 2 monitoring configuration
Severity: Warning
Description/Cause: Device latency monitoring configuration requires Layer 2 pass-through monitoring to be enabled. Disable moving Sensor to Layer 2 bypass mode on high latency or enable Layer 2 pass-through monitoring.
Action: Disable moving the Sensor to Layer 2 bypass mode on high latency, or enable Layer 2 pass-through monitoring.

Fault: Device login failure
Severity: Warning
Description/Cause: <Console/SSHD> login failure threshold of 3 attempts is exceeded for user name <user_name> from remote IP Address <remote_ip> on remote port <remote_port>.
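The "Device login failure" fault above is the Sensor's built-in signal of password guessing against its console or SSH service, and the table prescribes no action for it. The following Python is an added example, not part of this guide or of the Network Security Platform product: it parses the fault text, groups the faults by remote IP, and flags sources that trip the threshold repeatedly or across several user names within a short window. The fault-log format (ISO timestamp plus message), the sample entries, the window length and the flag limits are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout of the "Device login failure" fault text from the table above. Each
# fault already represents the Sensor's threshold of failed attempts (3).
LOGIN_FAULT_RE = re.compile(
    r"(?P<service>Console|SSHD) login failure threshold of (?P<threshold>\d+) "
    r"attempts is exceeded for user name (?P<user>\S+) from remote IP Address "
    r"(?P<ip>[0-9.]+) on remote port (?P<port>\d+)"
)


def parse_login_fault(timestamp: str, text: str):
    """Return a dict for a Device login failure fault, or None for other faults."""
    m = LOGIN_FAULT_RE.search(text)
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(timestamp),
        "service": m["service"],
        "user": m["user"],
        "ip": m["ip"],
        "port": int(m["port"]),
        "attempts": int(m["threshold"]),  # attempts this single fault stands for
    }


def find_suspicious_sources(events, window=timedelta(minutes=10),
                            min_faults=2, min_users=3):
    """Group login-failure faults by remote IP and score the busiest window.

    A source is flagged when, within one window, it trips the threshold at
    least min_faults times (repeated guessing) or against at least min_users
    distinct user names (password spraying). Both limits are assumptions of
    this example, not product defaults.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best = []
        for i, start in enumerate(evs):  # sliding window anchored on each fault
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            if len(in_window) > len(best):
                best = in_window
        users = sorted({e["user"] for e in best})
        tags = []
        if len(best) >= min_faults:
            tags.append("repeated-threshold")
        if len(users) >= min_users:
            tags.append("password-spray")
        if tags:
            flagged[ip] = {
                "faults": len(best),
                "attempts_at_least": sum(e["attempts"] for e in best),
                "users": users,
                "services": sorted({e["service"] for e in best}),
                "window_start": best[0]["time"].isoformat(),
                "tags": tags,
            }
    return flagged


# Constructed sample of (fault timestamp, fault text) pairs as a Manager fault
# log might export them; timestamps and addresses are invented for the example.
SAMPLE_FAULT_LOG = [
    ("2016-04-12T09:00:05", "SSHD login failure threshold of 3 attempts is exceeded for user name admin from remote IP Address 203.0.113.7 on remote port 51022."),
    ("2016-04-12T09:00:30", "SSHD login failure threshold of 3 attempts is exceeded for user name admin from remote IP Address 198.51.100.2 on remote port 40011."),
    ("2016-04-12T09:01:10", "SSHD login failure threshold of 3 attempts is exceeded for user name admin from remote IP Address 203.0.113.7 on remote port 51023."),
    ("2016-04-12T09:02:00", "SSHD login failure threshold of 3 attempts is exceeded for user name root from remote IP Address 203.0.113.7 on remote port 51024."),
    ("2016-04-12T09:03:30", "SSHD login failure threshold of 3 attempts is exceeded for user name operator from remote IP Address 203.0.113.7 on remote port 51025."),
    ("2016-04-12T09:04:00", "The device has completed booting and is online."),
    ("2016-04-12T11:00:00", "SSHD login failure threshold of 3 attempts is exceeded for user name admin from remote IP Address 203.0.113.7 on remote port 51100."),
]


def suspicious_sources_from_log(log=SAMPLE_FAULT_LOG):
    """Parse a fault log and return the flagged sources."""
    events = [e for e in (parse_login_fault(t, m) for t, m in log) if e]
    return find_suspicious_sources(events)


if __name__ == "__main__":
    for ip, summary in suspicious_sources_from_log().items():
        print(ip, summary)
```

Because each fault stands for a full threshold of failures, the "attempts_at_least" figure is a floor, not an exact count; the Sensor does not report individual failed attempts through this fault.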
Fault: Device packet capturing terminated
Severity: Warning
Description/Cause: Packet capturing has been stopped during device re-initialization. Please explicitly restart packet capturing, as required.
Action: Restart Packet Capture if required.

Fault: Device DNS server connectivity status
Severity: Warning
Description/Cause: DNS server is <Up and Reachable/Down or Unreachable> from the device.

Fault: Physical configuration change
Severity: Warning
Description/Cause: The physical configuration for device <Sensor_name> has changed. A new physical configuration has been discovered.
Action: Occurs when the Sensor connects to the Manager with a different physical configuration.

Fault: Pluggable interface is absent
Severity: Warning
Description/Cause: Indicates that the pluggable interface is absent.
Action: Indicates that the pluggable connector is absent in the cage.
Fault: Pluggable interface certification status
Severity: Warning
Description/Cause: Indicates whether the pluggable connector is McAfee certified or not.
Action: Informational.

Fault: Sensor resetting due to FIPS mode change
Severity: Warning
Action: This message is informational.

Fault: SNMP trap received from load balancer
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reported trap type <oid_of_the_mib_object_reported>.
Action: Message generated based on SNMP trap received from device.

Fault: Uninitialized device
Severity: Warning
Description/Cause: Device <Sensor_name> is not properly initialized.
Action: The Sensor may have just been rebooted and is not up yet. Wait a few minutes to see if this is the issue; if not, check to ensure that a signature set is present on the Sensor. A resetconfig command may have been issued, and the Sensor not yet reconfigured.

Fault: Up
Severity: Warning
Description/Cause: The Sensor has just completed booting and is on-line.
Action: This message is informational. Acknowledge the fault.

Fault: Load balancer port mode change for <port_pair>
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports operating mode for port <port_pair> changed to <Fail-open/Span/Tap/Fail-close>.
Action: Message generated based on SNMP trap received from load balancer device.

Fault: Load balancer power up
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> has completed booting and is online.
Action: This message is informational. Acknowledge or delete the fault to clear it.

XC Cluster

Fault: Load balancer port fail-over mode change for <port_pair>
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports port <port_name> fail-over mode changed.
Action: Message generated based on SNMP trap received from load balancer device.
Fault: Load balancer system fail-over mode change
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports fail-over mode change to <Unknown/Hunting for peer/Stand-alone/Primary/Secondary/Peer device software mismatch>.
Action: Message generated based on SNMP trap received from load balancer device.

Fault: Load balancer system fail-over status change
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports fail-over status change to <Unknown/Hunting for peer/Stand-alone/Primary/Secondary/Peer device software mismatch>.
Action: Message generated based on SNMP trap received from load balancer device.

Fault: Load balancer system peer fail-over status change
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports peer fail-over status change to <Unknown/Hunting for peer/Stand-alone/Primary/Secondary/Peer device software mismatch>.
Action: Message generated based on SNMP trap received from load balancer device.

Fault: Load balancer port load balancing mode change for <port_name>
Severity: Warning
Description/Cause: Load balancer <load_balancer_name> reports port <port_name> load balancing mode changed to <Good/Bad/Active/Inactive/Loopback/Rebalance/Spare/Standby/Standby Failure/Spare Active/Spare Inactive/Spare Failure>.
Action: Message generated based on SNMP trap received from load balancer device.

Device IP settings

Fault: Device reboot required
Severity: Warning
Description/Cause: The jumbo frame parsing setting on this device has been updated and a reboot is required for the change to take effect.
Action: Reboot the device to effect the change.
Vulnerability Manager configuration

Fault: Offline device download in progress
Severity: Warning
Description/Cause: Offline device download has been initiated from the device command line interface.
Action: Wait for the offline Sensor download to complete.

Fault: Successful offline device download
Severity: Warning
Description/Cause: Offline device download has completed with status <successful/failed>. Download type=<sigfile/software/software sigfile combo>, Time=<timestamp>, Filename=<downloaded_file_name>
Action: See the log messages if the download has failed, status code=<Successful/Failed>.
Licensing

Fault: Pending device license expiration
Severity: Warning
Description/Cause: Device license expires in less than <x> days.

Fault: Pending device support license expiration
Severity: Warning
Description/Cause: Device support license expires in less than <x> days.

Fault: Pending device add-on license expiration
Severity: Warning
Description/Cause: Device license expires in less than <x> days.

Fault: Pending device support add-on license expiration
Severity: Warning
Description/Cause: Device license expires in less than <x> days.

Action for the four pending-expiration faults above: Contact Technical Support or your local reseller.

Fault: Pending license expiration for device of type <device_type>
Severity: Warning
Description/Cause: License for this device expires in <x> days.
Action: Contact Technical Support or your local reseller to renew the license.
Device failover

Fault: Attempt to disable failover failed
Severity: Warning
Description/Cause: Cannot disable failover on device <Sensor_name>. The device is offline. (The Manager will make another attempt when the device comes back online.)
Action: Make sure that the Sensor is on-line. The Manager will make another attempt to disable failover when it detects that the Sensor is up. The fault will clear when the Manager is successful.

Fault: Callback detectors out of sync
Severity: Warning
Description/Cause: The deployment of callback detectors to the device <Sensor_name> failed. The callback detectors on the failover pair <Sensor_name1> are out of sync as a result. (The Manager will automatically make another attempt to deploy them.)
Action: Make sure that the device is online and is in good health. The Manager will automatically make another attempt to deploy the callback detectors. The fault will be cleared once the deployment is complete.

Fault: Firewall connection status inconsistent on failover Sensor pair
Severity: Warning
Description/Cause: The firewall connection status on the failover pair <Sensor_peer_name> is inconsistent. This may cause the firewall function to be inconsistent for the pair.
Action: Ensure that both Sensors of the failover pair are connected to the firewall and that both Sensors are online and in good health.
Fault: Signature segments out of sync
Severity: Warning
Description/Cause: Signature deployment to device <Sensor_name> failed. The signature segments on failover pair <Sensor_peer_name> are out of sync. (The Manager will automatically make another attempt to deploy the signature.) An attempt to update the signature set on both Sensors of a failover pair was unsuccessful for one of the pair, causing the signature sets to be out of sync on the two Sensors.
Action: The Manager will make another attempt to automatically push the signature file down to the Sensor on which the update operation failed. Ensure that the Sensor in question is on-line and in good health. The fault will clear when the Manager is successful. If the operation fails a second time, a Critical "Signature set download failure" fault will be shown as well. Both faults will clear when the signature set is successfully pushed to the Sensor.
Fault: SSL decryption keys out of sync
Severity: Warning
Description/Cause: SSL decryption keys update to device <Sensor_name> failed, and the SSL decryption keys on failover pair <Sensor_peer_name> are out of sync as a result. (The Manager will automatically make another attempt to deploy the new keys.)
Action: Ensure that the Sensor is online and in good health. The Manager will make another attempt to push the file down. The fault will clear when the Manager is successful.
Fault: Temperature Status
Severity: Warning
Description/Cause: Inlet Temperature value increased above 44.
Action: Check the Fan LEDs in front of the chassis to ensure all internal chassis fans are functioning. This fault will clear when the temperature returns to its normal range.

Signature set

Fault: Deprecated applications detected in firewall policies
Severity: Warning
Description/Cause: The Manager has detected the following use of deprecated applications in firewall policies: <Deprecated Application <app_name> used in Policy <policy_name>/Rule#<ruleOrderNum> / Deprecated Application <app_name> used in Rule Element (of type Application Group) <rule_name>@<policy_name>/Rule#<ruleOrderNum>>
Action: These applications must be removed from the firewall policies.
Sensor informational faults

These are the informational faults for a Sensor device.

Fault: Automatic BOT DAT set deployment in progress
Severity: Informational
Description/Cause: A new BOT DAT set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information. No action required.

Fault: BOT DAT deployment in progress
Severity: Informational
Description/Cause: A new BOT DAT file has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information. No action required.

Fault: Cluster software initialization status
Severity: Informational
Description/Cause: Device software has been initialized.
Action: On initialization failure, check if cluster cross-connects are present as documented.

Fault: Device software or signature set import in progress
Severity: Informational
Description/Cause: A device software image or signature set file is being imported into the Manager.
Action: This message is for user information. No action required.

Fault: Device software or signature set download in progress
Severity: Informational
Description/Cause: A device software image or signature set file is being downloaded from the McAfee Update Server to the Manager.
Action: This message is for user information. No action required.

Fault: Port pair <port name> is back to In-line Fail-Open Mode
Severity: Informational
Description/Cause: Indicates that the ports have gone from Bypass Mode back to normal.
Action: This message is for user information. No action required.

Fault: Resource mismatch
Severity: Informational
Description/Cause: The configured memory or CPU is less than the optimal value.
Action: This message is for user information. No action required.
Fault: Sensor configuration update in progress
Severity: Informational
Description/Cause: A Sensor configuration update is in the process of being pushed from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Fault: Sensor configuration update successful
Severity: Informational
Description/Cause: Sensor configuration update successfully pushed from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Fault: Sensor discovery is in progress
Severity: Informational
Description/Cause: The Manager is attempting to discover the Sensor.
Action: This message is for user information. No action required.

Fault: Sensor resetting due to FIPS mode change
Severity: Informational
Description/Cause: An upgrade or downgrade between FIPS and non-FIPS software images has been detected. This resets the Sensor configuration and restores the default login password.
Action: This message is informational. Because the reset restores the default login password, set a new password once the Sensor is back up.

Fault: Sensor software image download failed
Severity: Informational
Description/Cause: Sensor software image failed to download from the McAfee Update Server to the Manager server.
Action: This message is for user information. No action required.

Fault: Sensor swappable port module status for group <G0/G1/G2/G3>
Severity: Informational
Description/Cause: Sensor reports port module <removed/added> for group <G0/G1/G2/G3>. The message reads either: Sensor reports port module is removed from slot for group <G0/G1/G2/G3>. Or: Sensor reports <NULL/QSFP/SFP> port module inserted into slot for group <G0/G1/G2/G3>.
Action: This message is generated when a user removes or inserts a port module in a Sensor slot.

Fault: Successful automatic callback detectors deployment
Severity: Informational
Description/Cause: A new callback detector set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices.
Action: This message is for user information. No action required.

Fault: User login via console after Sensor initialization
Severity: Informational
Description/Cause: Sensor reports user login via console after Sensor initialization. This is a FIPS 140-2 Level 3 violation.
Action: This message is informational.

Licensing

Fault: Device discovered with license
Severity: Informational
Description/Cause: Device <Sensor_name> was discovered with a license that will expire on <date>.
Action: Renew the license before it expires.

Fault: License detected for <Sensor_name> of type
Severity: Informational
Description/Cause: License valid until <date>.
Action: Renew the license before it expires.

Device discovery

Fault: The <NTBA Appliance/Sensor>, <device_name> discovery in progress
Severity: Informational
Description/Cause: The Manager is in the process of discovering the device.
Action: Wait for the discovery of the device to complete.

Download software

Fault: Device software image download in progress
Severity: Informational
Description/Cause: Device software image is in the process of downloading from the McAfee Update Server to the Manager server.
Action: This message is for user information. No action required.
Fault: Device software image download successful
Severity: Informational
Description/Cause: Device software image successfully downloaded from the McAfee Update Server to the Manager server.
Action: This message is for user information. No action required.

Update device software

Fault: Device software update is in progress
Severity: Informational
Description/Cause: A Sensor software update is in the process of being pushed from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Fault: Device software update successful
Severity: Informational
Description/Cause: Device software update successfully pushed from the Manager server to the Sensor.
Action: This message is for user information. No action required.

Update device configuration

Fault: Device configuration deployment successful
Severity: Informational
Description/Cause: The Manager successfully deployed the latest configuration to device <Sensor_name>. This includes new IPS signature sets, callback detectors, and SSL keys, as applicable.
Action: This message is informational.

Signature set

Fault: Device software, IPS signature set, or callback detectors import in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or callback detectors file is being imported into the Manager.
Action: This message is informational.

Fault: Device software, IPS signature set, or callback detectors download in progress
Severity: Informational
Description/Cause: A device software, IPS signature set, or callback detectors file is being downloaded from the McAfee Update Server to the Manager.
Action: This message is informational.
NTBA faults

The NTBA faults can be classified into critical, error, warning, and informational. The Action column provides you with troubleshooting tips.

NTBA critical faults

These are the critical faults for an NTBA device.

Fault: BOT DAT file download failure
Severity: Critical
Description/Cause: The Manager cannot push the BOT DAT file to device <Sensor_name>.
Action: Occurs when the Manager cannot push the BOT DAT file to the Sensor. Could result from a network connectivity issue.

Fault: Endpoint Intelligence Service is down
Severity: Critical
Description/Cause and Action, one of the following:
  Endpoint Intelligence Service has not started as the ePO server is not reachable. Action: Make sure that the ePO server is up and running and is reachable from NTBA.
  Endpoint Intelligence Service has not started as the ePO extension does not support auto-signing service. Action: Make sure that the ePO server supports ePO Auto Signing functionality (Change on Name confirmation).
  Endpoint Intelligence Service has not started because of authentication error connecting to the ePO server. Action: Provide valid ePO Server credentials.
  Endpoint Intelligence Service has not started because of an internal error from the ePO server. Action: The ePO server responded with an error; look at the ePO logs.
  Endpoint Intelligence Service has not started because of unexpected errors. Action: Look at the ePO server and NTBA logs for the error, then try again.
  Endpoint Intelligence Service has not started due to corrupt certificate. Action: Certificate invalid; retry saving it again.
  Endpoint Intelligence Service has not started because the configured port for Endpoint Intelligence Service is already in use. Action: This port is already in use; configure an unused port.

Fault: Link failure of <Appliance name>
Severity: Critical
Description/Cause: The link between this port and the device to which it is connected is down, and communication is unavailable.
Action: This is a connectivity issue. Contact your IT department to troubleshoot network connectivity. This fault clears when communication is re-established.

Fault: NTBA Public key download failure
Severity: Critical
Description/Cause: Cannot push NTBA Public key file to device <Sensor_name>.
Action: Occurs when the Manager cannot push the NTBA Public key file to the Sensor. Could result from a network connectivity issue.

Fault: NTBA Appliance unreachable
Severity: Critical
Description/Cause: A command channel ping to NTBA Appliance <Appliance name> failed. The device is unreachable through its command channel.
Action: Indicates that the NTBA cannot communicate with the Manager: the connection between the NTBA and the Manager is down, or the NTBA has been administratively disconnected. Troubleshoot connectivity issues: 1) check that a connection route exists between the Manager and the NTBA; 2) check the NTBA's status using the status command in the NTBA command line interface, or ping the NTBA or the NTBA gateway to ensure connectivity to the NTBA. This fault clears when the Manager detects the NTBA again.
4
System fault messages
NTBA faults
NTBA error faults
These are the error faults for an NTBA device.

Fault | Severity | Description/Cause | Action
Device Configuration update failed | Error | Device configuration update failed to be pushed from the Manager server to the Sensor. | See the ems.log file to isolate the reason for the failure.
Scheduled BOT DAT file deployment failed | Error | The Manager was unable to perform the scheduled Bot DAT deployment to the device <Sensor_name>. | Indicates that the Manager was unable to perform the scheduled Bot DAT deployment to the Sensor. This is because of network connectivity between the Manager and the Sensor, or an invalid DAT file. This fault clears when an update is sent to the Sensor successfully.
GAME configuration: NTBA <GAME Error> | Error | <GAME Error> | Please re-check the NTBA GAME configuration.
System related: NTBA Configuration Update Error | Error | One of: Sigfile parsing failed; Sigfile parsing failed in zone segment; Sigfile parsing failed in communication rules segment; Sigfile parsing failed in service segment; Sigfile parsing failed in anomaly segment; Sigfile parsing failed in reconnaissance segment; Sigfile parsing failed in FFT segment; Sigfile parsing failed in NBA segment; Sigfile parsing failed in worm segment; Sigfile parsing failed in policy segment; Sigfile parsing failed in pre-processing segment; Sigfile parsing failed in application profile segment; Sigfile parsing error. | Please retry the NTBA configuration update.
NTBA Sigset Mismatch Error | Error | There has been a mismatch between the NTBA version <tba_sw_version> and the sigset version <sigset_version>. NSM will now try to automatically push the appropriate matching sigset. | Please check the status of the follow-up NTBA configuration update.
NTBA Zone Configuration Event | Error | Invalid interface or zone configuration. All the zones configured are <Outside/Inside>. <Netflow processing will not work till this configuration is fixed. GTI reputation is not retrieved for internal hosts>. | Please verify the zone configuration in NTBA.
Storage server: NTBA <Storage Server Error> | Error | <Storage Server Error>, one of: Storage Server Not Reachable; Storage Server Permission Denied; Storage Server Limit Reached 50%; Storage Server Limit Reached 75%; Backup Storage File Corrupted; Storage Server Limit Exhausted | Please re-check the Storage Service Configuration.
TrustedSource: NTBA <TrustedSource Error> | Error | <TrustedSource Error> | Please re-check the TrustedSource configuration.
NTBA warning faults
These are the warning faults for an NTBA device.

Fault | Severity | Description/Cause | Action
DAT Config is out of sync | Warning | The DAT Segments Config update to the device <Sensor_name> failed. The Bot DAT Config file on the failover pair is out of sync as a result. (The Manager will automatically make another attempt to deploy the BOT DAT Config file.) | Ensure that the Sensor is online and is in good health. The Manager will make another attempt to push the file. The fault will be cleared when the Manager is successful.
This Release of NSM supports only one instance of NTBA vm. | Warning | The NTBA <NTBA_Appliance_name> is not discovered because the maximum number of supported NTBA virtual machine instances has been exceeded. | Please delete the device from the ism GUI.
Uninitialized device | Warning | Device <Sensor_name> is not properly initialized. | The Sensor may have just been rebooted and is not up yet. Wait a few minutes to see if this is the issue; if not, check to ensure that a signature set is present on the Sensor. A resetconfig command may have been issued, and the Sensor not yet been reconfigured.
NTBA informational faults
These are the informational faults for an NTBA device.

Fault | Severity | Description/Cause | Action
Automatic BOT DAT set deployment in progress | Informational | A new BOT DAT set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information. No action required.
BOT DAT deployment in progress | Informational | A new BOT DAT file has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information. No action required.
Interface change | Informational | During startup, the NTBA identifies changes (addition or removal) in the interface count. | This message is for user information. No action required.
NTBA database pruning | Informational | Current database usage: <percentage_value>% | NTBA Database Pruning threshold notification.
Successful automatic BOT DAT set deployment | Informational | A new BOT DAT set has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information, no action required.
Successful scheduled BOT DAT set deployment | Informational | A new BOT DAT file has recently been downloaded from the GTI Server to the Manager and is being deployed to the devices. | This message is for user information, no action required.
The <NTBA Appliance/Sensor>, <device_name> discovery in progress | Informational | The Manager is in the process of discovering the device. | Wait for the discovery of the device to complete.
5 Error messages
This section lists the error messages displayed in McAfee Network Security Manager (Manager).

Contents
Error messages for RADIUS servers
Error messages for LDAP server

Error messages for RADIUS servers
The table lists the error messages displayed in the Manager.

Error Name | Description/Cause | Action
RADIUS Connection Successful | RADIUS server is up and running | RADIUS server is up and running
RADIUS Connection Failed | Network failure, congestion at servers, or RADIUS server not available | Try after some time; check the IP address and Shared Secret key
No RADIUS server configured | No server available | Configure at least one RADIUS server
Server with IP address and port already exists for RADIUS server | IP address and port combination not unique | Use a different IP address and port number
RADIUS server host IP address/host name is required | Field cannot be blank | Enter a valid host name/IP address
Shared Secret key is unique in case of RADIUS server | Field cannot be blank | Enter a valid host name/IP address
RADIUS server host IP address/host name cannot be resolved as entered | Invalid host name/IP address | Enter a valid host name/IP address

The table lists the error messages displayed in the User Activity Audit report.

Error Name | Description/Cause | Error Type
RADIUS Authentication | User <user name> with login Id <login Id> failed to authenticate to RADIUS server <RADIUS server host name/IP address> on port <port number> due to server timeout/network failure | User
Add RADIUS server | Added RADIUS server IP Address/Host <IP address or host name>, port <port number>, enable <Yes/No> | Manager
Edit RADIUS server | IP Address/Host <IP address or host name> set port <port number>, set Enabled <Yes/No> | Manager
Delete RADIUS server | Deleted RADIUS Server IP Address/Host <IP address or host name>, port <port number> | Manager
Error messages for LDAP server
The table lists the error messages displayed in the Manager.

Error Name | Description/Cause | Action
Server with IP address and port already exists for LDAP server | IP address and port combination not unique | Use a different IP address and port number
LDAP server host IP address/host name is required | Field cannot be blank | Enter a valid host name/IP address
LDAP server host IP address/host name cannot be resolved as entered | Invalid host name/IP address | Enter a valid host name/IP address
LDAP Connection Successful | LDAP server is up and running | LDAP server is up and running
LDAP Connection Failed | Network failure, congestion at servers, or LDAP server not available | Try after some time; check the IP address
No LDAP server configured | No server available | Configure at least one LDAP server

The table lists the error messages displayed in the User Activity Audit report.

Error Name | Description/Cause | Error Type
LDAP Authentication | User <user name> with login Id <login Id> failed to authenticate to LDAP server <LDAP server host name/IP address> on port <port number> due to server timeout/network failure. | User
Add LDAP server | Added LDAP server IP Address/Host <IP address or host name>, port <port number>, enable <Yes/No> | Manager
Edit LDAP server | IP Address/Host <IP address or host name> set port <port number>, set Enabled <Yes/No> | Manager
Delete LDAP server | Deleted LDAP Server IP Address/Host <IP address or host name>, port <port number> | Manager

6 Troubleshooting scenarios
Contents
Network outage due to unresolved ARP traffic
Delay in alerts between the Sensor and Manager
Sensor-Manager Connectivity Issues
Wrong country name in IPS alerts
Wrong country name in ACL alerts

Network outage due to unresolved ARP traffic
Scenario
Sudden outage in the network due to unresolved ARP traffic.
Applicable to Sensor models: M-series, NS-series
Sensor software versions: 7.1, 7.5, 8.1
Problem type to be solved
Resolve the ARP traffic that is dropped by the Sensor because of the Heuristic Web Application Server Protection configuration setting.
Data/Information Collection
1 Check whether the attack ARP MAC Address Flip-Flop is disabled in the policy.
Go to Policy | Intrusion Prevention | Policy Types | IPS Policies. Click Default Prevention listed in the IPS Policies name column.
Check the policy on all the device interfaces and make sure the ARP flip-flop alert is either disabled or not included in the policy on all the device interfaces.
2 Check whether Heuristic Web Application Server Protection is enabled.
Go to Policy | Intrusion Prevention | Policy Types | Inspection Options Policies. Click <Policy Name> listed in Inspection Options Policies.
Check each interface of the device individually.
3 Check whether ARP spoofing is enabled on the Sensor. Use the command show arp spoof status.
Explanation
When Heuristic Web Application Server Protection is enabled, Manager caching is disabled and only the selected attacks are pushed to the Sensor. If the MAC Flip-Flop attack is not part of the attacks chosen by the user, the Sensor drops the ARP packets. This happens in scenarios such as:
• Assignment of a dynamic MAC address in the network (vmac)
• A firewall in failover mode that uses a Virtual MAC address: the IP address remains the same but the MAC address changes
Troubleshooting Steps
1 Disable ARP spoofing on the Sensor. Use the command arp spoof to disable ARP spoofing.
2 Disable Heuristic Web Application Server Protection on the device's individual interfaces.
If the problem still persists, contact McAfee Support for further assistance.
Delay in alerts between the Sensor and Manager
Scenario
Delay in receiving the Sensor alerts on the Manager.
Applicable to Sensor models: M-series, NS-series
Sensor software versions: 7.1, 7.5, 8.0, 8.1
Problem type to be solved
• Delay in the Sensor alerts being sent to the Manager
• Sensor alerts are not seen in real time on the Manager
• Time lag in sending the Sensor alerts to the Manager
Data/Information Collection
1 Execute the following commands on the Sensor:
• status (execute 5 times within a 10-second duration)
• show sensor-load (execute 5 times within a 10-second duration)
• getccstats (execute 5 times within a 10-second duration)
Also execute the same commands on a similar model Sensor that does not have the issue.
2 Collect graphs for Sensor throughput utilization and port utilization.
3 Collect the attack CSV file for this Sensor from the Attack Log page.
4 Collect the alert archival for the last 24-hour time duration.
5 Retrieve the configuration backup of the Manager.
6 Create/collect the network diagram that clearly indicates where the Sensor and the Manager are located.
Troubleshooting steps
1 Check whether there are any network connectivity issues or any delay in the network. If there is a delay in the network between the Sensor and the Manager, it can lead to low alert rates.
2 Verify that the entire link between the Sensor management port and the Manager is 1G auto, and that the correct CAT6 cables are used.
3 Check whether the other Sensors connected to the same Manager are also facing this issue. If yes, then it is a Manager issue.
4 Check the Sensor policy being used. If Default Testing or Default Exclude Informational is used, the Sensor processes more alerts and hence the alert generation rate increases. Switching to the Default Prevention policy can sometimes help resolve the delay issue.
5 Check whether there are any saved alerts/packetlogs on the Sensor.
Command: show savedalertinfo
6 Check whether a specific category of alerts is delayed or all the alerts are delayed. Also check whether the system events that are being raised are also delayed.
7 Check whether the alerts are seen in the Attack Log page, as the alerts are restored there from the database. This check will confirm whether the issue is in the database or the cache. Check the database size and, if it is very high, purge and tune the database.
8 Check the time on the Sensor and whether it matches the Manager system time. If there is any issue with the time stamp, the Manager may show the wrong timestamp in the Attack Log page, which can incorrectly appear as alerts being delayed.
9 Check the rate of alerts generated/detected by the Sensor using the getccstats command:
• To check the status of the control/alert channel (to the Manager)
• To check the alert suppression/throttling configuration status and suppression intervals
• To check the Sensor failover action (1 = Enabled, 2 = Disabled), failover status (1 = Active, 2 = Standby, 3 = Init/Not Applicable), failover peer status (1 = Up, 2 = Down, 3 = Incompatible, 4 = Compatible, 5 = Init/Not Applicable), and fail-open status (1 = Enabled, 2 = Disabled)
• To check the count of detected alerts (signature-based, scan/recon, DoS) sent to the management port and the peer Manager (in case of MDR)
• To check the count of throttled alerts
• To check the count of alerts sent to and received from the Correlation Engine, and the alert correlation counts
• To check the count of alerts in the ring buffer, queued to be sent to the Manager
• To check the ACL alerts' throttling configuration status (throttling interval and threshold)
• To check the count of throttled ACL alerts (IPS)
• To check the Sensor reboot count and/or alert wrap count
The following statistics indicate that many alerts are still pending in the ring buffer:
AlertsInRngBufPriCount = 83621
AlertsInRngBufSecCount = 83606
PutAlertInRngBufErrCount = 6499317
The alert rate could be so high that the Manager is not able to handle it. The Manager then introduces a delay similar to a backoff (with the delay reaching a maximum of 30 seconds per alert), and this causes the alerts to be queued up in the ring buffer. Once this condition is reached, the alert delay will increase with time. To recover, check the type of attacks, then try to create an exception rule to filter the attack, and see whether the Manager recovers.
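Because the data collection step asks for getccstats to be run five times within ten seconds, the useful signal is not just the absolute ring-buffer count but how fast it moves between samples. The following script is an added example, not part of this guide or of the product: it parses the "Name = value" counter lines that getccstats prints, keeps the three counters named above, and reports the growth rate of the backlog and of the put-error counter across the samples. The sample outputs and the 1000-alert threshold are constructed for this example and are not figures from the guide.

```python
"""Flag an alert ring-buffer backlog from repeated getccstats samples.

Added example, not part of the McAfee guide or product. The three
counter names are the ones the guide points at; the sample outputs and
the pending_threshold default are constructed for this example.
"""
import re

COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(\d+)\s*$")

# Counters the guide points at when alerts are delayed.
PRIMARY = "AlertsInRngBufPriCount"
SECONDARY = "AlertsInRngBufSecCount"
PUT_ERRORS = "PutAlertInRngBufErrCount"


def parse_getccstats(text):
    """Return {counter_name: int} for every 'Name = value' line; other
    lines (channel status, headings) are ignored."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def backlog_assessment(samples, interval_s, pending_threshold=1000):
    """Assess a series of parsed getccstats dicts taken interval_s apart.

    Returns the last pending count, the per-second growth of the primary
    ring buffer and of the put-error counter, and a verdict. A non-zero
    put-error rate means the Sensor is still failing to enqueue alerts.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to measure a trend")
    first, last = samples[0], samples[-1]
    elapsed = interval_s * (len(samples) - 1)
    pending = last.get(PRIMARY, 0)
    pending_rate = (pending - first.get(PRIMARY, 0)) / elapsed
    error_rate = (last.get(PUT_ERRORS, 0) - first.get(PUT_ERRORS, 0)) / elapsed
    if pending >= pending_threshold and error_rate > 0:
        verdict = "backlog: ring buffer full and still growing"
    elif pending >= pending_threshold:
        verdict = "backlog: ring buffer above threshold"
    else:
        verdict = "ok"
    return {
        "pending": pending,
        "pending_rate": pending_rate,
        "put_error_rate": error_rate,
        "verdict": verdict,
    }


# Constructed getccstats excerpts: three samples 5 seconds apart from a
# Sensor whose ring buffer is filling (the last one repeats the guide's
# figures), and two from a healthy Sensor.
BACKLOGGED_SAMPLES = [
    "Alert channel status : UP\nAlertsInRngBufPriCount = 83000\nAlertsInRngBufSecCount = 82990\nPutAlertInRngBufErrCount = 6490000\n",
    "Alert channel status : UP\nAlertsInRngBufPriCount = 83300\nAlertsInRngBufSecCount = 83290\nPutAlertInRngBufErrCount = 6495000\n",
    "Alert channel status : UP\nAlertsInRngBufPriCount = 83621\nAlertsInRngBufSecCount = 83606\nPutAlertInRngBufErrCount = 6499317\n",
]
HEALTHY_SAMPLES = [
    "AlertsInRngBufPriCount = 3\nAlertsInRngBufSecCount = 0\nPutAlertInRngBufErrCount = 0\n",
    "AlertsInRngBufPriCount = 1\nAlertsInRngBufSecCount = 0\nPutAlertInRngBufErrCount = 0\n",
]


def assess_backlogged_sensor():
    return backlog_assessment([parse_getccstats(s) for s in BACKLOGGED_SAMPLES], interval_s=5)


def assess_healthy_sensor():
    return backlog_assessment([parse_getccstats(s) for s in HEALTHY_SAMPLES], interval_s=5)


if __name__ == "__main__":
    print("backlogged:", assess_backlogged_sensor())
    print("healthy:", assess_healthy_sensor())
```

Paste the real command outputs in place of the constructed strings, keeping the same sampling interval you used on the Sensor; a positive put-error rate with a pending count that is not falling is the condition the paragraph above describes, and the comparison Sensor from the data collection step should show a rate near zero.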
10 Take packet captures on the Sensor side and the Manager side to identify whether the issue is on the Sensor/Manager side or on the network side.
On the Manager, use Wireshark or an equivalent tool to take packet captures on Manager port 8502.
Sample packet capture on the Sensor:
Sample packet capture on the Manager:
Using packet captures from the Sensor and the Manager that are taken simultaneously, you can identify whether there is a delay in the Sensor sending the alert to the Manager, a delay in the Manager sending the alert acknowledgment to the Sensor, or both (pointing to a network issue).
11 Check whether Layer 7 Data Collection is enabled on the Sensor. There is a known issue when Layer 7 Data Collection is enabled, where the alerts in the Attack Log page are no longer received in real time.
IntruDbg#> show l7dcap-usage
Layer-7 Dcap Buffers Allocated at Init 16000
Layer-7 Dcap Buffers Available now 16000
Layer-7 Dcap Buffers Alloc Errors 0
Layer-7 Dcap Alert Buffers Allocated 40960
Layer-7 Dcap Alert Buffers Available 40960
Layer-7 Dcap Alert Buffers Allocate Error 0
Layer-7 Dcap Regular Alert's Sent 0
Layer-7 Dcap Special Alert's sent 0
Layer-7 Dcap Context End Alert's Sent 0
Layer-7 Dcap CB InActive when DCAP Called 0
Layer-7 Dcap Ring Buffer Errors 0
Alert Ring Buffer Full Cnt 0
Num Alerts Dropped at Sensors 0
Layer-7 Dcap Fifo Check Seen 0
12 On the Manager database, use SQL query output to check the frequency of alerts going to the Manager. This can be done by logging into MySQL on the Manager server and executing the following commands:
a Get the Sensor ID from the database:
select sensor_id, name from iv_sensor;
b Input the time range for which the alert generation rate needs to be checked:
SELECT "2014-05-29 18:39:47", "2014-05-30 18:39:47" INTO @stdate, @enddate;
c Total attacks for the Sensor ID and the time range:
SELECT sensorid, COUNT(*) atcount FROM iv_alert WHERE creationtime BETWEEN @stdate AND @enddate GROUP BY sensorid ORDER BY atcount;
d Total packetlog for the Sensor ID and the time range:
SELECT sensorid, COUNT(*) pktcount FROM iv_packetlog WHERE (creationtime BETWEEN @stdate AND @enddate) AND sensorid=<id of problematic sensor> GROUP BY sensorid ORDER BY pktcount;
If the problem still persists, contact McAfee Support for further assistance.

Sensor-Manager Connectivity Issues
Scenario
Connectivity issues between the Sensor and Manager.
Applicable to Sensor models: M-series, NS-series
Sensor software versions: 7.1, 7.5, 8.1
Problem types to be solved
Sensor is not detected on the Manager.
Trust establishment does not happen between the Sensor and Manager.
Data/Information Collection
1 Execute the following commands on the Sensor:
• status
• show
• show sbcfg
• show mgmtcfg
• show doscfg
• show mgmtport
• getccstats
• show netstat
• checkmanagerconnectivity (applicable only to Sensor software 8.1 and above)
2 Collect the Manager InfoCollector logs. If possible, enable detailed debugging messages by modifying the <Manager_INSTALL_DIR>/config/log4j_ism.xml file, adding or changing the following lines:
<category name="iv.core.DiscoveryService"> <priority value="DEBUG"/></category>
<category name="iv.core.SensorConfiguration"> <priority value="DEBUG"/></category>
3 Collect the Sensor trace files.
4 Collect a packet capture at the Manager (for the problematic Sensor).
5 Collect a network diagram clearly indicating where the Sensor and Manager are located.
Troubleshooting Steps
1 Check whether there is any network connectivity issue such as a conflicting IP address for the Sensor. This can result in alert/pktlog channel flaps.
2 Verify that the Management Interface speed and duplex settings are configured correctly on the Manager and Sensor and that they are hard-coded. If this fails, change one link to auto and change the other side's duplex and speed settings until communications are established or the combinations are exhausted.
3 Ping from the Sensor to the Manager and from the Manager to the Sensor, and make sure the ping succeeds.
4 Check whether the other Sensors connected to the same Manager are also facing this issue. If yes, then it is a Manager issue.
5 Check the IP address of the system on which the Manager is installed. Make sure the correct IP address is provided in the Sensor command set manager ip.
6 Try a deinstall and establish the trust again with the Manager.
7 Check whether the Manager machine has multiple NIC cards. If yes, open the following file:
<Manager_INSTALL_DIR>/bin/tms.bat
Modify the following line to assign the relevant IP address that is also used in the Sensor configuration, then restart the Manager:
set JAVA_OPTS=%JAVA_OPTS% -Dlumos.fixedManagerSNMPIPaddress=""
8 Check the Sensor name that is given on the Manager while adding the Sensor using the Add New Device wizard. The Sensor name is case sensitive, so make sure it exactly matches the one given on the Manager.
9 Check that the device type is selected as IPS Sensor while adding the Sensor using Add New Device. Selecting an incorrect device type can also lead to connectivity issues.
10 Make sure that a firewall is not blocking traffic between the Manager and Sensor on the following ports:
Manager:4167 -> Sensor:8500 (UDP)
Sensor:Any -> Manager:8501-8504,8510 (TCP) for 1024-bit trusts
Sensor:Any -> Manager:8504,8506-8509 (TCP) for 2048-bit trusts
11 If using the malware policy, check whether the file save option is enabled. Make sure the firewall is not blocking ports 8509 and 8510, which are used for saving malware files.
12 Check that UDP port 8500 is open and allows Manager-to-Sensor SNMP communication.
13 Use the netstat -na command to verify that ports 8501 - 8505 are listening on the Manager. Click Start | Run, type cmd, press ENTER, then type netstat -na.
14 Make sure large UDP and/or fragmented UDP packets are not dropped in the communication between the Sensor and Manager. This can lead to an SNMP timeout. Look for the following logs in ems.log:
Ems log
******
2014-06-27 15:47:29,150 INFO [Thread-135] iv.core.SensorConfiguration - M1450 Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED
2014-06-27 15:47:29,163 ERROR [Thread-135] iv.core.SensorConfiguration - Fail to process SNMP return node:
com.intruvert.ext.sensorconfig.leap.SensorConfigException: Time Out
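On a Manager with many Sensors, a single pair of these lines is easy to miss and a recurring pattern is what matters. The following script is an added example, not part of this guide or of the product: it parses ems.log records in the format shown above, matches the INFO line that flips a Sensor to DISCONNECTED after an SNMP error and the ERROR line whose exception text is "Time Out", links the two through the thread name (the ERROR line does not name the Sensor), and counts them per Sensor. The log below is constructed in the same format as the excerpt; the Sensor name NS-LAB-01 and the DiscoveryService line are made up for this example.

```python
"""Summarise SNMP time-outs per Sensor from ems.log.

Added example, not part of the McAfee guide or product. The log text
below is constructed in the format of the guide's excerpt.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) - (?P<msg>.*)$"
)
# Spelling of DISCCONECTED is as it appears in the guide's excerpt.
SNMP_ERROR_RE = re.compile(
    r"^(?P<sensor>\S+) Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED$"
)
TIMEOUT_RE = re.compile(r"SensorConfigException: Time Out")


def parse_ems_log(text):
    """Return log records as dicts; lines without a timestamp (exception
    text, stack frames) are folded into the preceding record's message."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    return records


def snmp_timeout_summary(text):
    """Return {sensor: {"snmp_errors": n, "timeouts": n, "disconnected": bool}}.

    A Time Out is attributed to the Sensor most recently reported on the
    same thread, because the ERROR line itself does not name the Sensor.
    """
    summary = defaultdict(lambda: {"snmp_errors": 0, "timeouts": 0, "disconnected": False})
    last_sensor_on_thread = {}
    for rec in parse_ems_log(text):
        if rec["logger"] != "iv.core.SensorConfiguration":
            continue
        m = SNMP_ERROR_RE.match(rec["msg"])
        if m:
            sensor = m.group("sensor")
            last_sensor_on_thread[rec["thread"]] = sensor
            summary[sensor]["snmp_errors"] += 1
            summary[sensor]["disconnected"] = True
        elif TIMEOUT_RE.search(rec["msg"]):
            sensor = last_sensor_on_thread.get(rec["thread"], "<unknown>")
            summary[sensor]["timeouts"] += 1
    return dict(summary)


# Constructed ems.log excerpt (format follows the guide's example).
SAMPLE_EMS_LOG = """\
2014-06-27 15:47:29,150 INFO [Thread-135] iv.core.SensorConfiguration - M1450 Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED
2014-06-27 15:47:29,163 ERROR [Thread-135] iv.core.SensorConfiguration - Fail to process SNMP return node:
com.intruvert.ext.sensorconfig.leap.SensorConfigException: Time Out
2014-06-27 15:47:30,002 INFO [Thread-12] iv.core.DiscoveryService - constructed unrelated line
2014-06-27 15:52:31,410 INFO [Thread-140] iv.core.SensorConfiguration - NS-LAB-01 Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED
2014-06-27 15:52:31,425 ERROR [Thread-140] iv.core.SensorConfiguration - Fail to process SNMP return node:
com.intruvert.ext.sensorconfig.leap.SensorConfigException: Time Out
2014-06-27 15:57:33,118 INFO [Thread-135] iv.core.SensorConfiguration - M1450 Experience a SNMP error during set/get, Change the STATUS to DISCCONECTED
2014-06-27 15:57:33,131 ERROR [Thread-135] iv.core.SensorConfiguration - Fail to process SNMP return node:
com.intruvert.ext.sensorconfig.leap.SensorConfigException: Time Out
"""


def sample_summary():
    return snmp_timeout_summary(SAMPLE_EMS_LOG)


if __name__ == "__main__":
    for sensor, stats in sorted(sample_summary().items()):
        print(sensor, stats)
```

A Sensor that accumulates time-outs at a steady interval while its neighbours do not is the one to line up against the UDP capture in the next step; a time-out burst across every Sensor at once points at the Manager host instead.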
15 Capture UDP traffic using Wireshark on the Manager. Check whether the Manager is receiving UDP response packets from the Sensor.
Sample capture on the Manager:
16 Check the time on the Sensor, and whether it matches the Manager system time.
17 Check whether there are any Out Of Memory related logs in the Manager. This can lead to connectivity issues between the Sensor and Manager.
18 Check whether the Manager is an MDR pair. If yes, then verify that the IP of the primary Manager in the Sensor matches the IP of the active Manager. Also check whether the Sensor is treating the standby Manager as the primary Manager. This may lead to connectivity issues.
If the problem still persists, contact McAfee Support for further assistance.
Wrong country name in IPS alerts
Scenario
To find the root cause of cases where IPS alerts in the Attack Log page show the wrong country name for Attacker and Target.
Applicable to Sensor models: M-series, NS-series
Sensor software versions: 7.1, 7.5, 8.1 and 8.2
Problem type to be solved
The Attack Log page displays the wrong country name for the source or destination IP address of an IPS alert.
Troubleshooting Steps
1 Check the IP address at maxmind.com to find the geographic location for that IP address. If the IP address does not match the geographic location, then it is an issue with the Manager or the geographic database in the cloud.
2 Log in to the Sensor with the "admin" ID, and then in the Sensor CLI, type the debug command and then enter the following command:
set loglevel mgmt (all | <0-12>) <0-15>
To disable logging, execute set loglevel mgmt 0 0.
Aug 28 06:36:16 localhost tL: DBG2 ctrlch|postAlertDataToSyslogViewer: syslog msg len 174, data <36>Aug 28 06:36:16 GMT mil-ips-01 AlertLog: mil-ips-01 detected Outbound attack HTTP: IIS3 ASP dot2e (severity = Medium). 1.2.0.2:43058 -> 1.2.0.4:80 (result = Inconclusive)
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|alertTransmittedCountUpdate: IN
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|alertTransmittedCountUpdate: msgId is (335)
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|alertTransmittedCountUpdate: EXIT
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|CCout(0) processCtrlChanAlerts Id:335 (baseId:83886415)
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| -out-BEGIN Mobile SIGNATURE(335), size(565)
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Attack Id = 4202651
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Syslog Attack Id = 1438464
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Time Stamp = 1409207775
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Alert Count = 1
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| VIDS Id = 2030
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Syslog VIDS Id = 4
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| VLAN Id = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Alert Duration = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Log ID = 6052501239499929418
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Slot Id = 2
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Port Id = 25
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Protocol Id = 16
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Qualifier 1 = 1
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Qualifier 2 = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Src IP = 0x1020002
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Dstn IP = 0x1020004
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Request LastByte Offset = ffffffff
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Response LastByte Offset = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Attack Pkt Search Num = 1
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| SrcPort = 43058
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| DstnPort = 80
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Protocol = 6
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Signature Id = 226
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| PP State = 14
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Prev Stream Flag = 1
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Frag Flag = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Corr Flag = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| Inside = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| SuppressedSigId Bits = 1
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| inline Drop = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| ReCfg Firewall = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| flags = 40
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| mpeFlags = 8
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| appId = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| normalize reputation = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| normalize geoLocation = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| xff ip direction= 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| mobileFlags = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Src deviceInfo = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Src confLevel = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Src osInfo = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Src detectSrcType = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Dst deviceInfo = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Dst confLevel = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Dst osInfo = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|devProf Dst detectSrcType = 0
Aug 28 06:36:16 localhost tL: DBG0 ctrlch| -------------------
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|64-bit Uid = a a0 50 8 be 8a d3 57.
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|id: 335, msgType: 1
Aug 28 06:36:16 localhost tL: DBG0 ctrlch|processSigAlertMsg - reCfgFw mask = 0x0
Here a geographic ID of 0 means that the Sensor does not send any geographic information for the corresponding source or destination IP addresses.
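The dump prints the endpoints as hex words (Src IP = 0x1020002 is 1.2.0.2), which is awkward to compare against the Attack Log page and against the maxmind.com lookup in step 1. The following script is an added example, not part of this guide or of the product: it reads the "Name = value" lines of a ctrlch alert dump, converts the Src IP and Dstn IP words to dotted form, and reports whether the Sensor supplied a geographic ID. The guide does not say which dump line carries that ID; the script assumes it is the "normalize geoLocation" line, and that assumption is marked in the code. The excerpt below takes its values from the dump shown above with the timestamp prefix trimmed.

```python
"""Extract the fields relevant to the wrong-country check from a
Sensor ctrlch alert dump.

Added example, not part of the McAfee guide or product. GEO_FIELD is an
assumption about which dump line carries the geographic ID.
"""
import ipaddress
import re

# One dump line looks like "... ctrlch| Name = value"; names may contain spaces.
FIELD_RE = re.compile(r"ctrlch\|\s*(?P<name>[A-Za-z0-9 ]+?)\s*=\s*(?P<value>\S+)\s*$")
GEO_FIELD = "normalize geoLocation"  # assumed, not documented in the guide


def hex_ip_to_dotted(value):
    """'0x1020002' -> '1.2.0.2': the dump prints IPv4 addresses as a hex word."""
    return str(ipaddress.IPv4Address(int(value, 16)))


def parse_alert_dump(text):
    """Return {field_name: raw_value} for every 'Name = value' dump line;
    lines such as '-out-BEGIN ...', '64-bit Uid = ...' and 'id: 335, ...'
    do not fit the pattern and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            fields[m.group("name")] = m.group("value")
    return fields


def alert_summary(text):
    """Flow tuple, attack ID and geographic-ID verdict for one dumped alert."""
    f = parse_alert_dump(text)
    geo = int(f.get(GEO_FIELD, "0"))
    return {
        "src": hex_ip_to_dotted(f["Src IP"]),
        "src_port": int(f["SrcPort"]),
        "dst": hex_ip_to_dotted(f["Dstn IP"]),
        "dst_port": int(f["DstnPort"]),
        "attack_id": int(f["Attack Id"]),
        "geo_from_sensor": geo != 0,
        "next_check": (
            "Sensor sent geographic ID 0: the country name comes from the "
            "Manager's geographic lookup, so check the Manager and its database"
            if geo == 0
            else "Sensor supplied a geographic ID: compare it with the Manager's value"
        ),
    }


# Excerpt of the ctrlch dump shown in the guide (timestamp prefix trimmed).
SAMPLE_DUMP = """\
tL: DBG0 ctrlch| -out-BEGIN Mobile SIGNATURE(335), size(565)
tL: DBG0 ctrlch| Attack Id = 4202651
tL: DBG0 ctrlch| Time Stamp = 1409207775
tL: DBG0 ctrlch| Src IP = 0x1020002
tL: DBG0 ctrlch| Dstn IP = 0x1020004
tL: DBG0 ctrlch| Request LastByte Offset = ffffffff
tL: DBG0 ctrlch| SrcPort = 43058
tL: DBG0 ctrlch| DstnPort = 80
tL: DBG0 ctrlch| Protocol = 6
tL: DBG0 ctrlch| normalize reputation = 0
tL: DBG0 ctrlch| normalize geoLocation = 0
tL: DBG0 ctrlch| xff ip direction= 0
tL: DBG0 ctrlch|devProf Src deviceInfo = 0
tL: DBG0 ctrlch|64-bit Uid = a a0 50 8 be 8a d3 57.
tL: DBG0 ctrlch|id: 335, msgType: 1
"""


def sample_alert():
    return alert_summary(SAMPLE_DUMP)


if __name__ == "__main__":
    print(sample_alert())
```

Feed it the dump block between "-out-BEGIN" and "msgType" for the alert in question; the dotted src/dst and the attack ID let you match the dump to the exact Attack Log row whose country name is wrong.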
3 Execute step 2 and wait for the IPS alert to be raised again.
This time the Sensor prints the country code it sent for the corresponding IPS alert. If the Sensor sends the geographic location ID as 0, then it is an issue with the geographic database cloud when the Manager sends a geography-based query to find the geographic location matching an IP address. Typically, for an IPS alert, the Sensor does not send any geographic location ID value.
If the problem still persists, contact McAfee Support for further assistance.
When a wrong country name is displayed for the source or destination IP address of an IPS alert, then it is an issue with the Manager.
Wrong country name in ACL alerts
Scenario
Wrong country name appears in ACL alerts/ACL logs.
Applicable to Sensor models: M-series
Sensor software version: 7.1, 7.5, 8.1, 8.2
Problem type to be solved
Wrong country name is displayed in the ACL alerts/ACL logs when forwarded to third party software
either from the Sensor or from the Manager.
Data/Information Collection
Execute show acl stats in the Sensor CLI.
Troubleshooting Steps
Execute the show acl stats command in the Sensor CLI to fetch the following data from the
management process:
•
Number of ACL alerts sent by the datapath processor to the management processor
•
Number of ACL alerts sent from the management processor to the Manager or third party software
tool.
If there is difference between the received and sent/sent directly count by a large value but within
10,000, then the buffer to keep the ACL alerts at management processor is full. This might potentially
be the cause for the issue.
[email protected]> show acl stats
[Acl Alerts]
Received : 0
Suppressed : 0
McAfee Network Security Platform 8.3
Troubleshooting Guide
105
6
Troubleshooting scenarios
Wrong country name in ACL alerts
Sent : 0
Sent Direct : 0
Stateless ACL Fwd count : 0
The buffer that receives ACL alerts from the datapath processor fills up and is not flushed on events such as disabling or enabling ACL alert suppression. When the buffer is not flushed, the country name of an old ACL alert is mixed into a new ACL alert, which produces the wrong country name in the ACL logs.
If the wrong country name is displayed for either the source or the destination IP address of an ACL alert, the issue lies with the Sensor. If you cannot resolve the problem after repeating the troubleshooting steps above, or the cause is not understood, contact McAfee Support for further assistance.
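The backlog check described in the troubleshooting steps above, as an added example (not part of the original guide or of the Sensor software): it parses show acl stats output and flags the case where Received outruns Sent plus Sent Direct by a large but bounded amount. The sample output is constructed, and the 1,000-alert threshold for what counts as "a large value" is an assumption; the 10,000 upper bound is the guide's.

```python
import re
from dataclasses import dataclass

# Constructed sample output, modelled on the 'show acl stats' format above.
# 'Received' is far ahead of 'Sent' + 'Sent Direct', the backlog pattern the
# guide associates with a full ACL alert buffer on the management processor.
SAMPLE_OUTPUT = """\
[Acl Alerts]
Received : 12431
Suppressed : 0
Sent : 2500
Sent Direct : 0
Stateless ACL Fwd count : 0
"""

BUFFER_GAP_MAX = 10_000    # the guide's upper bound for the gap ("within 10,000")
BACKLOG_THRESHOLD = 1_000  # assumption: what we treat as "a large value"

# Counter lines look like "<name> : <integer>"; the name may contain spaces.
_COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")


def parse_acl_stats(text):
    """Return {counter name: value} for every counter line in the output."""
    stats = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


@dataclass(frozen=True)
class AclBufferCheck:
    received: int
    forwarded: int          # Sent + Sent Direct
    gap: int                # received - forwarded
    buffer_likely_full: bool


def check_acl_buffer(stats, threshold=BACKLOG_THRESHOLD):
    """Apply the guide's criterion: a large gap between received and
    forwarded alerts that still stays within BUFFER_GAP_MAX points at a
    full management-processor buffer. A gap beyond that bound is outside
    the criterion and is reported as not matching it."""
    received = stats.get("Received", 0)
    forwarded = stats.get("Sent", 0) + stats.get("Sent Direct", 0)
    gap = received - forwarded
    return AclBufferCheck(received, forwarded, gap,
                          threshold <= gap <= BUFFER_GAP_MAX)


if __name__ == "__main__":
    print(check_acl_buffer(parse_acl_stats(SAMPLE_OUTPUT)))
```

Run it against the pasted CLI output of a suspect Sensor; when buffer_likely_full is reported, the next step is the buffer flush behaviour described above, and when the gap is beyond 10,000 the guide's criterion does not apply and the counters should go to McAfee Support as collected.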
7 Using the InfoCollector tool
This section describes the following aspects of using the InfoCollector tool.
Contents
Introduction
How to run the InfoCollector tool
Using InfoCollector tool
Introduction
InfoCollector is an information collection tool, bundled with the Manager, that allows you to easily provide McAfee with McAfee® Network Security Platform-related log information. McAfee can use this information to investigate and diagnose issues you may be experiencing with the Manager.
InfoCollector can collect information from the following sources within McAfee Network Security Platform:
Information Type       Description
Ems.log files          Configurable logs containing information from various components of the Manager. The current ems.log file is renamed with the current timestamp when its size reaches 1 MB, and a new ems.log is created to collect the latest log information.
Configuration backup   A collection of database information containing all Network Security Platform configuration information.
Configuration files    XML and property files within the Network Security Platform config directory.
Fault log              A table in the Network Security Platform database that contains generated fault log messages.
Sensor trace           A file containing various McAfee® Network Security Sensor (Sensor)-related log files.
Compiled signature     A file containing signature information and policy configuration for a given Sensor.
InfoCollector is a tool that can be used both by you and by McAfee.
McAfee systems engineers can use the InfoCollector tool to provide you with a definition (.def) file via
email. This file is configured by McAfee to automatically choose information that McAfee needs from
your installation of Network Security Platform. You simply open the definition file within the
InfoCollector and it will automatically select the information that McAfee needs from your installation
of the Manager.
Alternatively, a manual approach can also be used with InfoCollector, and you can select information
yourself to provide to McAfee. For example, McAfee may ask you to select checkboxes that correspond
to different sets of information available within Network Security Platform.
How to run the InfoCollector tool
To run InfoCollector, follow these steps:
1 If you do not already have InfoCollector installed, download the InfoCollector.zip file from the McAfee website and extract it into the Manager's diag directory. Example:
C:\[Network Security Manager_INSTALL_DIR]\App\diag
The InfoCollector files, such as infocollector.bat, are then located in a directory like:
C:\[Network Security Manager_INSTALL_DIR]\App\diag\InfoCollector
2 Run the following batch file:
C:\[Network Security Manager_INSTALL_DIR]\App\diag\InfoCollector\infocollector.bat
Using InfoCollector tool
To use InfoCollector, follow these steps:
Task
1 After you run InfoCollector, do one of the following:
• If McAfee provides you with a definition file:
a Open the File menu and click Open Definition.
Figure 7-1 Navigating to Open Definition option
b Select the definition file that McAfee sent you via email and click Select.
• If McAfee instructs you to select InfoCollector checkboxes:
a Select the checkboxes as instructed by McAfee.
b Select a Duration. Select Date to specify a start and end date, or select Last X Days.
c Select the number of days from which InfoCollector should gather information.
d Click Browse and select the path and filename of the output ZIP file.
2 Click Run.
Figure 7-2 Running selected files
3 Provide the output ZIP file to McAfee as recommended by McAfee Technical Support. You can send the file via email or through FTP. Because the archive can include the configuration backup and Manager logs, treat it as confidential in transit.
The output ZIP file contains the toolconfig.txt file, which lists the information that you have chosen to provide McAfee.
8 Automatically restarting a failed Manager with Manager Watchdog
This section provides information on how the Manager Watchdog works, installing the Manager
Watchdog, starting the Manager Watchdog, using the Manager Watchdog in an MDR configuration, and
tracking the Manager Watchdog activities.
Contents
Introduction
How the Manager Watchdog works
Install the Manager Watchdog
Start the Manager Watchdog
Use the Manager Watchdog with Manager in an MDR configuration
Track the Manager Watchdog activities
Introduction
The Manager Watchdog feature is designed to restart the Manager if the Manager crashes, potentially bringing the Manager back online before an MDR switchover occurs.
The Manager Watchdog monitors the Manager process on the Manager server periodically for
availability. If Manager Watchdog detects that the Manager has gone down unexpectedly, it restarts
the service automatically. (It does not restart the Manager if the Manager has been shut down
intentionally.)
How the Manager Watchdog works
Manager Watchdog runs as a separate process and monitors the Manager through the Windows services model. It polls the Manager every 10 seconds. If it does not detect the Manager during a polling period, it waits 30 seconds and then restarts the Manager service automatically. Manager Watchdog makes five attempts to restart the Manager and then, if none has succeeded, exits.
By default, Manager Watchdog is a manual service; you must explicitly start it. Change its startup type to Automatic if you want the service to start after a system reboot.
If you have changed the Manager service startup type from its default (Automatic) to Manual (during a troubleshooting session, for example), consider doing the same for Manager Watchdog, so that it does not restart the Manager automatically.
Install the Manager Watchdog
Manager Watchdog is installed automatically during Manager installation, and a new OS service called
"Network Security Platform Watchdog Service" is created to enable you to start and stop the Manager
Watchdog service. When you first install the Manager, this service is started automatically. However,
the default Windows Startup Type for this service is manual.
Manager Watchdog monitors only the "Network Security PlatformMgr" service; it does not monitor
services like MySQL or Apache.
Start the Manager Watchdog
Because its startup type is Manual, the Manager Watchdog service does not start after a reboot; you must start it manually.
To start or stop Manager Watchdog:
Task
1 Select Start | Settings | Control Panel. Double-click Administrative Tools, and then double-click Services.
2 Click Network Security Platform Watchdog Service.
3 Do one of the following:
• To start the service, select Action | Start.
• To stop the service, select Action | Stop.
Alternatively, you can use the Manager icon in the Windows system tray to start or stop Manager Watchdog. Right-click the Manager icon at the bottom-right corner of the server's desktop and select Start Watchdog or Stop Watchdog as required.
Use the Manager Watchdog with Manager in an MDR configuration
When using Manager Watchdog on a Manager that is part of an MDR configuration, decide whether you want the Manager Watchdog to restart the Manager before failover can occur. If so, ensure that the MDR setting "Downtime Before Switchover" is greater than the Manager Watchdog delay of 30 seconds. Otherwise MDR initiates first and the peer Manager takes over from the failed primary. McAfee suggests retaining the default value of 5 minutes or greater to give the Manager Watchdog time to restart the Manager.
If the Manager Watchdog brings up a primary Manager after MDR has initiated, the primary Manager does not come back Active; it first checks whether the secondary is Active and, if so, remains standby.
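The restart loop from "How the Manager Watchdog works" and the MDR timing rule above, as an added example (a simulation written for this guide, not the Watchdog's own code). It models the 10-second poll, the 30-second delay, the five-attempt limit and the refusal to restart an intentionally stopped Manager, then checks whether a given Downtime Before Switchover value outlasts the simulated recovery. The FakeManagerService stand-in is an assumption, as is spacing consecutive attempts 30 seconds apart; the guide states only the initial 30-second wait.

```python
from dataclasses import dataclass, field

POLL_INTERVAL_S = 10            # Watchdog polls the Manager every 10 seconds
RESTART_DELAY_S = 30            # waits 30 seconds before restarting
MAX_ATTEMPTS = 5                # exits after five failed restarts
MDR_DEFAULT_SWITCHOVER_S = 300  # default "Downtime Before Switchover" (5 minutes)


@dataclass
class FakeManagerService:
    """Stand-in for the 'Network Security PlatformMgr' service (assumption:
    the real Watchdog asks the Windows Service Control Manager instead)."""
    running: bool = True
    stopped_intentionally: bool = False
    failing_restarts: int = 0    # how many start() calls fail before one works
    start_calls: int = 0

    def start(self):
        self.start_calls += 1
        if self.failing_restarts > 0:
            self.failing_restarts -= 1
            return False
        self.running = True
        return True


@dataclass
class WatchdogRun:
    outcome: str       # "healthy", "intentional_stop", "recovered" or "gave_up"
    attempts: int
    elapsed_s: int     # simulated seconds from the crash to the outcome
    log: list = field(default_factory=list)


def run_watchdog(svc):
    """One pass of the Watchdog loop, starting just after a Manager crash.
    Worst case, the crash is noticed at the next poll, 10 seconds later."""
    log = []
    elapsed = POLL_INTERVAL_S
    if svc.running:
        return WatchdogRun("healthy", 0, elapsed, log)
    if svc.stopped_intentionally:
        log.append("Manager was shut down intentionally; not restarting")
        return WatchdogRun("intentional_stop", 0, elapsed, log)
    for attempt in range(1, MAX_ATTEMPTS + 1):
        elapsed += RESTART_DELAY_S   # assumption: same delay before every attempt
        log.append(f"Restarting server (attempt {attempt}) at t+{elapsed}s")
        if svc.start():
            log.append("SERVER STDOUT: The Network Security Platform Manager "
                       "Service was started successfully.")
            return WatchdogRun("recovered", attempt, elapsed, log)
    log.append("SERVER STDOUT: Failed to restart Manager after five attempts. Exiting.")
    return WatchdogRun("gave_up", MAX_ATTEMPTS, elapsed, log)


def switchover_outlasts_recovery(switchover_s, run):
    """True when MDR's Downtime Before Switchover is longer than the simulated
    recovery, so the primary returns before the peer takes over. The guide's
    minimum is 'greater than 30 seconds'; the 5-minute default also covers
    the full five-attempt sequence."""
    return switchover_s > run.elapsed_s


if __name__ == "__main__":
    run = run_watchdog(FakeManagerService(running=False, failing_restarts=2))
    print("\n".join(run.log))
    print(run.outcome, "after", run.elapsed_s, "s; default MDR window outlasts it:",
          switchover_outlasts_recovery(MDR_DEFAULT_SWITCHOVER_S, run))
```

The point of the comparison is that a switchover window of just over 30 seconds satisfies the guide's minimum but only covers a first attempt that succeeds; if the first restart fails, the peer Manager takes over while the Watchdog is still retrying, and the returning primary then stays standby as described above.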
Track the Manager Watchdog activities
The Manager Watchdog logs all controlled activities in a log file. Log files are located in the Network Security Platform install directory and are named using the convention wdout_<time stamp>.log.
A sample log file entry follows:
Sample Manager Watchdog Log
----------------------------------------------------------------------------
Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006
SERVER STDOUT: The Network Security Platform Manager Service is starting.
SERVER STDOUT: The Network Security Platform Manager Service was started successfully.
SERVER STDOUT:
SERVER STDOUT:
----------------------------------------------------------------------------
If the Manager Watchdog fails after five attempts to restart the Manager, the following line appears in the log file:
SERVER STDOUT: Failed to restart Manager after five attempts. Exiting.
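A parser for wdout log entries in the format shown above, as an added example (not part of the guide or the Watchdog): it counts Watchdog-driven restarts and successful starts, detects the give-up line, and reports the shortest interval between restarts, which is the figure to alert on when a Manager is crash-looping rather than recovering. The log content is constructed to match the sample entry; the timestamp format string is inferred from that sample.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed wdout_<timestamp>.log content, modelled on the sample entry above:
# two restarts 47 seconds apart, the second ending with the give-up message.
SAMPLE_WDOUT_LOG = """\
----------------------------------------------------------------
Restarting server at Mon Jun 09 14:48:53 GMT+05:30 2006
SERVER STDOUT: The Network Security Platform Manager Service is starting.
SERVER STDOUT: The Network Security Platform Manager Service was started successfully.
----------------------------------------------------------------
Restarting server at Mon Jun 09 14:49:40 GMT+05:30 2006
SERVER STDOUT: Failed to restart Manager after five attempts. Exiting.
"""

# Tolerate the separator dashes running into the line, as in the extracted sample.
_RESTART = re.compile(r"^-*\s*Restarting server at (.+?)\s*$")
_TIME_FORMAT = "%a %b %d %H:%M:%S GMT%z %Y"   # e.g. Mon Jun 09 14:48:53 GMT+05:30 2006
GAVE_UP_MARKER = "Failed to restart Manager after five attempts"
SUCCESS_MARKER = "was started successfully"


@dataclass(frozen=True)
class WatchdogLogSummary:
    restarts: int
    successful_starts: int
    gave_up: bool
    min_interval_s: int   # shortest gap between two restarts; -1 if fewer than two


def summarize_wdout_log(text):
    """Summarize one wdout log: restart count, successful starts, whether the
    Watchdog exited after five failures, and the tightest restart spacing."""
    times = []
    successes = 0
    gave_up = False
    for line in text.splitlines():
        m = _RESTART.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), _TIME_FORMAT))
        elif SUCCESS_MARKER in line:
            successes += 1
        elif GAVE_UP_MARKER in line:
            gave_up = True
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return WatchdogLogSummary(len(times), successes, gave_up,
                              min(gaps) if gaps else -1)


if __name__ == "__main__":
    print(summarize_wdout_log(SAMPLE_WDOUT_LOG))
```

A Manager that the Watchdog restarts every minute is still failing; the summary makes that visible without reading the whole file, and the gave_up flag is the condition under which MDR, if configured, is the only remaining recovery path.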
9 Using the McAfee KnowledgeBase
The McAfee Knowledgebase (KB) contains a large number of useful articles designed to answer specific
questions that might not have been addressed elsewhere in the documentation set. We suggest
checking to see if a question you have is answered in a KB article.
To access McAfee Knowledgebase:
Go to http://mysupport.mcafee.com, and click Search the KnowledgeBase.
The following list contains some of the more commonly accessed KB articles.
KB number   Topic
KB55446     All signature set releases with links to signature set release notes
KB55447     All UDS releases and release notes of the UDSs (this is a restricted article and requires the user to log in to the service portal or be internal)
KB55448     Table displaying the current versions for McAfee® Network Security Platform
KB55449     Listing of McAfee Network Security Platform's response to high-profile public vulnerabilities
KB55450     How to request coverage for a threat that isn't already covered
KB55451     List of all McAfee Recommended for Blocking (RFB) attacks
KB55318     Sensor heat dissipation rates (BTUs per hour)
KB60660     Verifying MySQL database tables
KB55470     Network Security Platform maximum number of CIDR blocks using VIDS
KB55549     Collecting a diagnostics trace from the McAfee Network Security Sensor (Sensor)
KB55568     VLAN limitations for Network Security Platform
KB55723     Maximum number of SSL keys for McAfee Network Security Manager (Manager) or Sensor
KB55743     How to submit Network Security Platform false positives and incorrect detections to McAfee Support
KB55908     Support for legacy versions
KB55364     Asymmetric traffic
KB56069     "Login failed: Unable to get the McAfee Network Security Manager (Manager) license information"
KB56071     Configuring authentication on the Manager for the update server
KB56364     3rd Party Recommended Hardware for Sensors
(no KB number listed)   Error: Download Failed: Reason 42: Sensor fails to apply new updates internally (Sensor signature updates fail)
(no KB number listed)   Network Security Platform Release Notes (Master List)
KB59347     Sensor is reporting false DOS attacks / New network device is added and Sensor is now reporting DOS attacks
KB59344     Recover the password for the Manager
Index
A
about this guide 5
C
conventions and icons used in this guide 5
correct identification
  user sensitivity 30
D
data link errors 27
documentation
  audience for this guide 5
  product-specific, finding 6
  typographical conventions and icons 5
E
error messages 93
F
false positives 29, 30
false positives determination
  tuning policies 29
I
InfoCollector tool 107
K
KnowledgeBase 115
M
Manager watchdog 111
McAfee ServicePortal, accessing 6
S
ServicePortal, finding product documentation 6
sniffer trace 27
system fault messages 33
T
technical support, finding product information 6
troubleshooting tips 7