IDPS Message Transmission Failure Alarm

Article ID: 330482

Updated On: 11-08-2024

Products

VMware vDefend Firewall

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Alarm for IDPS Message transmission failure
Event ID: distributed_ids_ips.message_transmission_failure

Alarm Description

  • Purpose: Data transmission failure between the ESX host and the messaging broker.
  • Impact: Because message transmission between the ESX host and the messaging broker has failed, some IDPS messages and/or PCAPs may be lost.

Environment

VMware NSX 4.2.1

NAPP 4.2

Cause

The "Message Transmission Failed" alarm is raised by the IDPS client. IDPS event messages are sent through to the NAPP server, and the client relies on the rdkafka library to report that the channel to the broker is down.

Resolution

Steps to resolve the issue:
  • Check for connectivity issues between NSX Manager and the ESX host.

  • Call the NAPP health API https://<NSX MANAGER>/napp/api/v1/platform/monitor/feature/health on the NSX Manager and check whether the component named 'kafka' is reported as healthy. If kafka is unhealthy, check the output of the following commands on the NSX Manager:

    napp-k get statefulset kafka -o yaml
    napp-k describe statefulset kafka

  • If kafka is healthy, check for an SSL handshake error between the IDPS agent and the kafka broker. Look for the keywords 'SSL handshake failed' and 'Nsxi: Kafka broker(s) are down.' in /var/log/nsx-syslog. If there is an SSL handshake error, restart proton on the node where the service COMMON_AGENT_SERVICE is the leader. You can determine which node is the leader for this service by running the 'get cluster status verbose' command on the NSX Manager.

  • Check if there is a network policy preventing communication between the transport node where the alarm is seen and the NAPP broker.
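
The log check from the steps above, as an added example that is not part of the original article and is not VMware code: it counts the two keywords in a log file and prints which case applies. The function names, verdict strings and sample log lines are constructed for illustration; only the two keywords and the log path come from the article.

```shell
#!/bin/sh
# Added example, not VMware code. Function names, verdict strings and the sample
# log lines are constructed for illustration.

SSL_KEY='SSL handshake failed'
BROKER_KEY='Nsxi: Kafka broker(s) are down.'

# Count lines of file $1 that contain the literal string $2.
# -F is deliberate: under grep -E, "(s)" is a group and "." a wildcard, so the
# near-miss line in the sample ("brokers are down now") would also be counted.
count_key() {
    grep -F -c -- "$2" "$1" || true
}

# Print a one-line verdict for log file $1; return 2 if it cannot be read.
idps_kafka_triage() {
    log=$1
    [ -r "$log" ] || { echo "unreadable"; return 2; }
    ssl=$(count_key "$log" "$SSL_KEY")
    down=$(count_key "$log" "$BROKER_KEY")
    if [ "$ssl" -gt 0 ]; then
        # Article's action for this case: restart proton on the node where
        # COMMON_AGENT_SERVICE is the leader.
        echo "ssl_handshake ssl=$ssl broker_down=$down"
    elif [ "$down" -gt 0 ]; then
        # Broker reported down with no handshake error: continue with the
        # article's remaining checks.
        echo "broker_down ssl=$ssl broker_down=$down"
    else
        echo "no_keywords ssl=$ssl broker_down=$down"
    fi
}

# Constructed sample log (not real NSX output).
make_sample_log() {
    cat <<'EOF'
2024-01-01T00:00:01Z host-a idps-sample: connecting to broker
2024-01-01T00:00:02Z host-a idps-sample: SSL handshake failed
2024-01-01T00:00:03Z host-a idps-sample: Nsxi: Kafka broker(s) are down.
2024-01-01T00:00:04Z host-a idps-sample: Nsxi: Kafka brokers are down now
EOF
}

# Demo on the sample; on an NSX Manager call: idps_kafka_triage /var/log/nsx-syslog
tmp=$(mktemp)
make_sample_log > "$tmp"
idps_kafka_triage "$tmp"
rm -f "$tmp"
```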