How to monitor ProxySG registration with Director

book

Article ID: 167369

calendar_today

Updated On:

Products

Mobility Threat Protection Director

Issue/Introduction

Monitor the registration process on the Director appliance

Resolution

To monitor the interaction your Director appliance has with the SG appliance as it registers it, follow these steps.

1: Getting access to the command line interface - CLI:

  • Open an SSH session to the Director box.

  • Enter Enable mode by following the steps.

director > enable

< >

director #

  •  Enter Configuration mode, by following these steps.

director # config t

director (config) #

2: Getting access to the shell.

  • In config mode, use the shell command.

director (config) # shell

  • While in the shell mode, you can use the SSH and ping to see if the Director can even connect to the ProxySG.

  • In the shell mode tail the messages file.

sh-2,05b# tail /var/log/messages -f

 

3: Registering your device through the Director Management Console (DMC)

  • Once you're logged into the DMC, click on File, and chose the option to Add Device.

  • Here you'll be asked to enter a device name, device id, ip address, usernames and passwords, plus a serial number.

  • Ensure you have entered the correct ip addresses, credentials, and serial number and press the button "last".

 

4: Other ways to register

  • Using the ProxySG serial port, you can choose the option here to register your ProxySG as you set up the appliance.

  • Connected through the SSH terminal, you can execute this command.

ProxySG appliance > #register <Director IP address> [<appliance-name> [<serial-number>]]

  • There is also an option in the ProxySG GUI to register your device.

  • TIP: Using the ProxySG to register with the Director, rather than using the DMC, subjugates the device to the Director.  Subjugating the device to the Director will also cause your enable passwords to be hashed, and stored in the DIrector appliance. From here on, you should NOT change these passwords manually at the ProxySG console, or by an overlay file. The only way you should change the password is by right-clicking on the device, in your DMC, and changing it here.

 

5: Here we show you what to look for when you register a Device.  

5a: As you register the device, using the DMC wizard, you should see an output similar to the following:

Note: Below is the output in the messages file.  Using the DMC, we entered in StSG200-5GtSG200-5G  as the device name, 10.78.6.1 as the ip address. and SG402 as the device id.

Mar  1 19:57:52 Martins-Director cli[16187]: <-cli.notice> [email protected]::ffff:10.103.0.30: Processing command: 1299009472398973:device "SG402" address "10.78.6.2"
Mar  1 19:57:52 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009472912429:device "SG402" authtype simple
Mar  1 19:57:53 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009473377657:no device "SG402" comment
Mar  1 19:57:53 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing a secure command...
Mar  1 19:57:53 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: device SG402 enable-password *****
Mar  1 19:57:56 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009476310213:device "SG402" name "StSG200-5GtSG200-5G"
Mar  1 19:57:56 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009476782366:device "SG402" protocol sshv2 port 22
Mar  1 19:57:57 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009477144403:device "SG402" auth simple username "admin"
Mar  1 19:57:57 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing a secure command...
Mar  1 19:57:57 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: device SG402 auth simple password *****
Mar  1 19:57:57 Martins-Director ccd: <ccd.notice> Device SG402: attempting connection using ssh on port: 22
Mar  1 19:57:58 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009478206083:device "SG402" web-config port 8082
Mar  1 19:57:58 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009478701829:no device "SG402" front-panel-pin
Mar  1 19:57:59 Martins-Director ccd: <ccd.notice> Device SG402: connected
Mar  1 19:57:59 Martins-Director configd: <configd.notice> Device "SG402" is now online.
Mar  1 19:57:59 Martins-Director dmd: <dmd.notice> inserted device id = SG402 and serial number = 2407063068 into DB
Mar  1 19:57:59 Martins-Director dmd: <dmd.notice> Health state for metric"SG402/12" "disconnected" changed to "ok", reason: "Device connection"
Mar  1 19:57:59 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009479195643:no device "SG402" serial-console-password
Mar  1 19:57:59 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009479724907:device "SG402" serial-number "2407063068"
Mar  1 19:58:00 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009480253307:device "SG402" state "registered"
Mar  1 19:58:00 Martins-Director cli[15976]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009480946503:write memory
Mar  1 19:58:00 Martins-Director configd: <configd.notice> Saved running configuration to /local/sys/v5-config/initial.encrypted
Mar  1 19:58:01 Martins-Director su: PAM unable to dlopen(/dir/usr/lib/pam/pam_tacplus.so)
Mar  1 19:58:01 Martins-Director su: PAM [dlerror: /dir/usr/lib/libtacplus.so: undefined symbol: MD5Init]
Mar  1 19:58:01 Martins-Director su: PAM adding faulty module: /dir/usr/lib/pam/pam_tacplus.so
Mar  1 19:58:01 Martins-Director cli[15970]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009481651130:show configuration revision
Mar  1 19:58:02 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009482354706:no configure
Mar  1 19:58:02 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Leaving config mode
Mar  1 19:59:57 Martins-Director poller[1474]: <poller.notice> Querying content system for job results.
Mar  1 20:01:57 Martins-Director cli[15970]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009717280787:show version
Mar  1 20:01:58 Martins-Director cli[15972]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009718123555:show version
Mar  1 20:02:51 Martins-Director cli[15976]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009771878409:show version
Mar  1 20:04:38 Martins-Director cli[16015]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009878721788:show devices "SG402"
Mar  1 20:05:48 Martins-Director cli[16187]: <-cli.notice>
[email protected]::ffff:10.103.0.30: Processing command: 1299009948205826:show version
sh-2.05b#

 

5b: Below is the output when you use the ProxySG CLI, or GUI,  to subjugate the ProxySG appliance to the Director appliance:

Jul 26 18:36:23 director subjugate: <subjugate.notice> Registration request received
Jul 26 18:36:26 director ccd: <ccd.notice> Device ESCMWP02: attempting connection using ssh on port: 22
Jul 26 18:36:26 director configd: <configd.notice> Saved running configuration  to /local/sys/v5-config/061711backup.encrypted
Jul 26 18:36:26 director subjugate: <subjugate.notice> Registration succeeded for device 151.143.150.251
Jul 26 18:36:26 director cli[12984]: <-cli.notice>
[email protected]::ffff:151.143.73.97: Processing command: 1311705386701531:show devices "ESCMWP02"
Jul 26 18:36:26 director cli[2547]: <-cli.notice>
[email protected]::ffff:151.143.73.97: Processing command: 1311705386701143:show devices "ESCMWP02"
Jul 26 18:36:26 director cli[2541]: <-cli.notice>
[email protected]::ffff:151.143.73.97: Processing command: 1311705386701355:show devices "ESCMWP02"
Jul 26 18:36:26 director ccd: <ccd.notice> Device ESCMWP02: connected Jul 26 18:36:26 director configd: <configd.notice> Device "ESCMWP02" is now
online.

Jul 26 18:36:26 director configd: <configd.notice> Device "ESCMWP02" is now online.
Jul 26 18:36:26 director sshd: authentication failure; (uid=0) -> admin for sshd service
Jul 26 18:36:26 director dmd: <dmd.notice> inserted device id = ESCMWP02 and serial number = 0310103039 into DB
Jul 26 18:36:27 director dmd: <dmd.notice> Health state for metric"ESCMWP02/12" "disconnected" changed to "ok", reason: "Device connection"

 

6: To register your ProxySG,  you need to be able to PING, and SSH to the ProxySG from the Director appliance. 

 

7:  TIPS for retaining connectivity with ProxySG appliances: 

7a: Director Software periodically checks the connection status of all ProxySGs every 3 to 5 minutes. The ’show shell' or a 'show version' is used to test the connection out. If we cannot contact a ProxySG in this time period, we close the connection the ProxySG.  

Because of the above, it's important to monitor network health, and outages, to ensure the Director appliance is not giving out false status alerts on the DMC.

 

7b: Check your LAN interface stats for network related errors.

  • Notice the eth0 interface stats on on this linux command in the Director:

==================== ifconfig -a:
eth0      Link encap:Ethernet  HWaddr 00:E0:81:B7:33:08
          inet addr:159.220.193.84  Bcast:159.220.193.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:81ff:feb7:3308/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3618226 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5433354 errors:4625 dropped:0 overruns:0 carrier:4625
          collisions:12413 txqueuelen:100
          RX bytes:444517353 (423.9 Mb)  TX bytes:568973093 (542.6 Mb)
          Base address:0xc000 Memory:f8000000-f8020000

  • There are 4625 transmit errors... and all of those errors are "carrier" errors (both numbers match).
  • Carrier is typically a low number less than 10. The value- Carrier- means a Loss of link pulse. Sometimes recreated by removing and installing the Ethernet cable. If this counter is high, the link is flapping. (up/down) Either this Ethernet chip is having issues or the device at the other end of the cable is having issues

8: Ensure you can connect to your ProxySG on the standard SSH port of 22.  Some customers accidentally change their SSH port with an overlay file, and thereby lose connectivity to it. You can use an ordinary Putty ssh session for this.

9: Ensure you can ping and SSH to the ProxySG appliance, as per point 4 above.

10: If you subjugate a device, do not attempt to change the password through an overlay file.