VMware NSX IDPS (Intrusion Detection and Prevention Service) may randomly flap on NSX-T manager appliance and IDPS statistics/metrics show zero values

Article ID: 322641

Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:

  • The IDPS (Intrusion Detection and Prevention System) service on the NSX Manager appliance flaps randomly between a degraded state and a running state.
  • IDPS monitoring metrics and statistics show zero values.
  • On the NSX-T Manager, IDPS core dumps are found at /image/core/idps_oom.hprof.
  • The following GET API shows the signature download status stuck at PENDING:

GET https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures/status

{
  "download_status" : "PENDING",
  "signature_status" : "UNAVAILABLE",
  "version_id" : "IDPSSignatures.1718.2023-06-09T22:45:07Z",
  "resource_type" : "IdsSignatureStatus",
  "id" : "status",
  "display_name" : "status",
  "path" : "/infra/settings/firewall/security/intrusion-services/signatures/status",
  "relative_path" : "status",
  "parent_path" : "/infra",
  "unique_id" : "",
  "realization_id" : "",
  "marked_for_delete" : false,
  "overridden" : false,
  "_create_time" : ,
  "_create_user" : "system",
  "_last_modified_time" : ,
  "_last_modified_user" : "system",
  "_system_owned" : false,
  "_protection" : "NOT_PROTECTED",
  "_revision" : 123
}

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 4.x
VMware NSX-T Data Center 3.x

Cause

This issue occurs when signature processing gets stuck in the PENDING status. Logs then no longer roll over and an excessive number of signature bundles accumulate on the system. The IDPS JVM process consumes more and more memory until it hits OOM (Out of Memory) and crashes, producing the core dumps seen above.

Resolution

This is a known issue impacting VMware NSX.

Workaround:

To reset the IDPS signature download processing, follow the steps below.

1. Get the IdsSignature Status using the GET API below.

GET https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures/status

2. Update the IdsSignature Status using the PATCH API below.

PATCH https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures/status

Use the response from step 1 as the request body of the PATCH API above. Change only the value of "download_status" from "PENDING" to "ERROR"; all other fields stay the same.
 

Sample:
 {
  "download_status" : "ERROR",
  "signature_status" : "UNAVAILABLE",
  "version_id" : "IDPSSignatures.1718.2023-06-09T22:45:07Z",
  "resource_type" : "IdsSignatureStatus",
  "id" : "status",
  "display_name" : "status",
  "path" : "/infra/settings/firewall/security/intrusion-services/signatures/status",
  "relative_path" : "status",
  "parent_path" : "/infra",
  "unique_id" : "",
  "realization_id" : "",
  "marked_for_delete" : false,
  "overridden" : false,
  "_create_time" : ,
  "_create_user" : "system",
  "_last_modified_time" : ,
  "_last_modified_user" : "system",
  "_system_owned" : false,
  "_protection" : "NOT_PROTECTED",
  "_revision" : 123
}


To validate that the IdsSignatureStatus was updated successfully, re-run the GET API from step 1 and check that download_status is now "ERROR".

Then wait until the status shows "download_status" : "READY".

3. Once this is validated, ensure that only three signature bundles remain on the system.

NOTE: You do not need to delete or modify the DEFAULT version, ACTIVE version and the version that had ACTIVE status previous to the current ACTIVE bundle. 

The three signature bundles that must be kept are:

1. ACTIVE version (i.e. the version with "state" as "ACTIVE"),
2. Default Version (i.e. the version with version_id as "DEFAULT")
3. The version immediately older than the ACTIVE version (the bundle whose date and time are closest to, but earlier than, the active bundle, i.e. the bundle that was ACTIVE before the current one).

We need to delete any other signature bundles present on the system.

3a. List the signature versions with the API below to obtain the version IDs, then delete the surplus versions one at a time.

GET https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signature-versions


3b. Delete the surplus bundles one by one with the DELETE API below until only the three signature bundles listed above are left.

DELETE https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signature-versions/<Version-id>

Sample Signature Bundles:
"version_id" : "IDPSSignatures.1711.2023-01-01T14:46:24Z"
"version_id" : "IDPSSignatures.1712.2023-01-01T15:46:00Z" 


3c. Once complete, verify that only three signature bundles are in the system by re-running the GET request in step 3a.
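The decision logic behind steps 2 and 3, as an added example that is not VMware's code: it builds the PATCH body from a status response and works out which signature bundles may be deleted (everything except DEFAULT, the ACTIVE bundle and the closest older one). It assumes the signature-versions GET returns the usual NSX Policy list shape {"results": [...]} with "version_id" and "state" per entry; the sample data is constructed, and the HTTP calls themselves are left to the operator.

```python
"""Helper logic for the IDPS signature reset procedure (added example, not VMware code)."""
import re
from datetime import datetime

# Constructed sample of the status GET response (timestamps omitted as on the page).
STATUS_SAMPLE = {
    "download_status": "PENDING",
    "signature_status": "UNAVAILABLE",
    "version_id": "IDPSSignatures.1718.2023-06-09T22:45:07Z",
    "resource_type": "IdsSignatureStatus",
    "_revision": 123,
}

# Constructed sample of the signature-versions listing; the {"results": [...]} shape
# and the non-active "state" value are assumptions, only "ACTIVE"/"DEFAULT" are from the page.
VERSIONS_SAMPLE = {"results": [
    {"version_id": "DEFAULT", "state": "INACTIVE"},
    {"version_id": "IDPSSignatures.1711.2023-01-01T14:46:24Z", "state": "INACTIVE"},
    {"version_id": "IDPSSignatures.1712.2023-01-01T15:46:00Z", "state": "INACTIVE"},
    {"version_id": "IDPSSignatures.1718.2023-06-09T22:45:07Z", "state": "ACTIVE"},
    {"version_id": "IDPSSignatures.1720.2023-07-02T10:00:00Z", "state": "INACTIVE"},
]}

_TS = re.compile(r"\.(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z$")


def patch_body(status):
    """Step 2: the GET response unchanged except download_status flipped to ERROR."""
    if status.get("download_status") != "PENDING":
        raise ValueError("reset only applies to a download stuck in PENDING")
    body = dict(status)
    body["download_status"] = "ERROR"
    return body


def bundle_time(version_id):
    """Timestamp embedded in an IDPSSignatures.<n>.<iso>Z id; None for DEFAULT."""
    m = _TS.search(version_id)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None


def versions_to_delete(listing):
    """Step 3: version_ids of every bundle except DEFAULT, ACTIVE and the previous ACTIVE."""
    bundles = listing["results"]
    active = [b for b in bundles if b.get("state") == "ACTIVE"]
    if len(active) != 1:
        raise ValueError("expected exactly one ACTIVE bundle, refusing to delete anything")
    active_time = bundle_time(active[0]["version_id"])
    older = [b for b in bundles if bundle_time(b["version_id"]) and bundle_time(b["version_id"]) < active_time]
    keep = {"DEFAULT", active[0]["version_id"]}
    if older:  # closest-dated bundle before the active one is the previous ACTIVE
        keep.add(max(older, key=lambda b: bundle_time(b["version_id"]))["version_id"])
    return [b["version_id"] for b in bundles if b["version_id"] not in keep]
```

With the constructed listing above, versions_to_delete() returns the 1711 and 1720 bundles and keeps DEFAULT, 1718 (ACTIVE) and 1712 (the previous active), which is exactly the state step 3c asks you to verify.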