Unable to update IDS\IPS signatures in a Federated environment.


Article ID: 314290


Products

VMware NSX

Issue/Introduction

Symptoms:
IDS\IPS signature downloads fail in NSX-T. The update appears to enter the "Updating IDS Signatures" state and never completes.

The "Update Now" hyperlink becomes available, just as if the signature download from NSX Threat Intel Cloud (https://api.prod.nsxti.vmware.com/) had been successful.

However, if we click the hyperlink, the task never completes, and a few minutes later the "Update Now" hyperlink becomes available again.


You see an "Exception while authenticating with cloud client" error in policy.log.

Log location: /var/log/policy/policy.log

2021-08-30T16:01:30.749Z  INFO http-nio-127.0.0.1-6440-exec-13 FacadeInterceptorHelperImpl 15321 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] Starting intent for /policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures/status with reqID c22d8457-f5f0-4da0-aaee-2504f6a49fe5
2021-08-30T16:01:31.600Z ERROR asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP523677" level="ERROR" subcomp="policy"] Got Exception while authenticating with cloud client - org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"error_code":100104,"error_message":"Unable to retrieve required information"}]
org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"error_code":100104,"error_message":"Unable to retrieve required information"}]
        at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:109) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE]
        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:170) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE]
        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:112) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE]
        at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE]
        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE..
truncated...
2021-08-30T16:01:31.600Z  INFO asyncExecutor-1 IdsSignatureUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] IDS- Cloud Authentication failed, will try to register again
2021-08-30T16:01:31.600Z  INFO asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] IDS - Triggering the Signature download from NSX Intel Cloud
2021-08-30T16:01:31.600Z  INFO asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] IDS- Re-registering with NSX Intel Cloud.
2021-08-30T16:01:31.603Z  INFO asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] IDS: Getting the license info
2021-08-30T16:01:31.603Z  WARN asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] No Enforcement point found
2021-08-30T16:01:31.603Z ERROR asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP523681" level="ERROR" subcomp="policy"] NSX Data Center Distributed Threat Prevention key not present. IDS need Threat License Key in order to work.
2021-08-30T16:01:31.604Z ERROR asyncExecutor-1 SimpleAsyncUncaughtExceptionHandler 15321 Unexpected exception occurred invoking async method: public void com.vmware.nsx.management.policy.ids.utils.IDSOnDemandScheduler.startDownload()
com.vmware.nsx.management.common.exceptions.InvalidArgumentException: null

        at com.vmware.nsx.management.policy.ids.utils.PolicyIDSUtils.registerCloudCacheClient(PolicyIDSUtils.java:434) ~[libpolicy-framework-api.jar:?]
        at com.vmware.nsx.management.policy.ids.utils.PolicyIDSUtils.downloadSignatures(PolicyIDSUtils.java:571) ~[libpolicy-framework-api.jar:?]
truncated...


Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Cause

When authentication with NTICS fails, we try to register again, and for registration, we need the license information.

In a federated system, there is an issue while fetching the licenses due to a dependency failure. Hence the signature download fails.

This issue can occur only in a federated system or in a Local Manager (LM) that has multiple enforcement points (e.g., AVI Load Balancer or CVX).
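To confirm that a stalled update matches this cause, the following added example (not VMware code) scans policy.log for the chain described above: the cloud authentication failure (MP523677) followed on the same thread by the license lookup failure (MP523681). The error codes and messages come from the excerpt in this article; the function name, the per-thread correlation and the sample lines are assumptions made for the example.

```python
import re
import sys

# Header of a policy.log entry: timestamp, level, thread, remainder.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+(INFO|WARN|ERROR)\s+(\S+)\s+(.*)$")
ERROR_CODE = re.compile(r'errorCode="(MP\d+)"')
# Markers taken from the log excerpt in this article.
AUTH_FAIL = "MP523677"     # exception while authenticating with cloud client
LICENSE_FAIL = "MP523681"  # Threat Prevention key not present
NO_EP = "No Enforcement point found"

# Constructed sample: abridged lines in the article's format, plus one
# auth failure on another thread that never reaches the license error.
SAMPLE_LOG = """\
2021-08-30T16:01:31.600Z ERROR asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP523677" level="ERROR" subcomp="policy"] Got Exception while authenticating with cloud client
        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782)
2021-08-30T16:01:31.603Z  WARN asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] No Enforcement point found
2021-08-30T16:01:31.603Z ERROR asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP523681" level="ERROR" subcomp="policy"] NSX Data Center Distributed Threat Prevention key not present.
2021-08-30T16:05:00.000Z ERROR asyncExecutor-2 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP523677" level="ERROR" subcomp="policy"] Got Exception while authenticating with cloud client
"""


def find_failed_updates(lines):
    """Return one dict per thread where the cloud auth failure is followed
    by the license lookup failure, i.e. the chain described under Cause."""
    pending = {}  # thread -> chain that has started but not yet completed
    hits = []
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue  # stack-trace continuation or blank line
        ts, _level, thread, rest = m.groups()
        found = ERROR_CODE.search(rest)
        code = found.group(1) if found else None
        if code == AUTH_FAIL:
            pending[thread] = {"thread": thread, "auth_failed_at": ts,
                               "no_enforcement_point": False}
        elif thread in pending and NO_EP in rest:
            pending[thread]["no_enforcement_point"] = True
        elif thread in pending and code == LICENSE_FAIL:
            chain = pending.pop(thread)
            chain["license_failed_at"] = ts
            hits.append(chain)
    return hits


if __name__ == "__main__":  # optional argument: path to a copy of policy.log
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(find_failed_updates(src))
```

A hit with `no_enforcement_point` set to `True` has the same three-message sequence as the excerpt in this article.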

Resolution

This issue, which relates to the global-manager and local-manager enforcement points, is already fixed in version 3.2 (Impactor).

Workaround:
We can use the "Offline Downloading and Uploading Signatures" method described in the Admin Guide:

DOC: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-4BB9A5FA-3B45-498E-AB9F-71B17A4012A0.html

Additional Information

As of NSX-T 3.1.2, we changed the signature download URL and now download signatures from the NSX Threat Intel Cloud (https://api.prod.nsxti.vmware.com/).