SSP certificate trust rollout failed for a sensor

Article ID: 398830
Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

The "SSP trust rollout failed for a sensor" alarm is triggered when a sensor fails to complete the SSP (Security Services Platform) trust certificate rollout task within the designated time period, or when the sensor marks the rotation task as failed. It indicates a problem with the sensor's ability to obtain and install the security certificates it needs to communicate with SSP.

Environment

vDefend SSP >= 5.1
NDR Sensor >= 5.1

Cause

The sensor was unable to update its SSP trust certificates automatically within the designated time period, or it was unable to update the certificates at all and marked the task as failed. Most often this is caused by a network issue that prevents the certificate download, or by the sensor being powered off.

Resolution

Follow these troubleshooting steps from the NDR Sensor CLI, logged in with admin credentials, to diagnose and resolve the issue.

1. Check the sensor's connectivity status: The SSP's certificates may have changed recently because of certificate rotation or an update of the ingress certificate, so first check whether the certificate change has broken communication.

Run the command below to check the communication status between the sensor and SSP:

ndr-sensor> get sensor details


If the "Error message" field in the output of the above command is either

I/O error on PUT request for "https://<ssp-ingress>:443/sensors/appliances/<sensor-id>/status": PKIX path building failed

or

Access to SSP from this sensor is unauthorised or forbidden. If this error persists, then it is likely that this sensor may have been off-boarded from SSP

the recommendation is to re-register the sensor. First reset the existing registration:

ndr-sensor> reset registration


Generate a new registration token in the SSP under System > NDR Sensors > Sensor Registration Tokens, then register the sensor again:

ndr-sensor> register sensor registration-manifest <registration-token> sensor-name <Sensor-name>
passphrase: 


Note: Even after a sensor's registration is reset from the command line, or the sensor is off-boarded from SSP, the data it generated for the verticals (NDR, NTA and MPS) is retained by those verticals within SSP. How long the data is kept is governed by each vertical's data retention policy.

2. Check for temporary issues: The sensor may be restarting or experiencing a temporary network issue. Wait for 15 minutes to see if the sensor reconnects on its own.

3. Verify the power state of the sensor: Check whether the sensor is powered off in vSphere. Power on the sensor and wait 15 minutes for the alarm to auto-resolve.

4. Verify Network Connectivity: Ensure the sensor has a valid network path to SSP. Check for any firewalls or network devices that might be blocking traffic between the sensor and SSP.

Note: The SSP FQDN/IP does not answer ping or traceroute, for security reasons, so running those diagnostic tools from the sensor against the SSP FQDN/IP will not work and does not indicate a network problem.

5. Verify DNS configuration: Verify the Sensor's DNS configuration and ensure it can resolve the SSP's FQDN.

ndr-sensor> nslookup <ssp-ingress-fqdn>


If the management interface is configured with a static IP, verify that name servers and search domains are set:

ndr-sensor> get name-servers
ndr-sensor> get search-domains

If they are not configured, add the required name servers and search domains (needed only when the management interface uses a static IP):

ndr-sensor> set name-servers <ip-address>
ndr-sensor> set search-domains <domain>
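A host-side check covering steps 1, 4 and 5, added here as an example; it is not part of the NDR sensor CLI or of SSP. It maps the "Error message" strings quoted in step 1 to the next step in this article and, because ping and traceroute to SSP are blocked, exercises the path the sensor actually uses (DNS, TCP 443, verified TLS handshake). Run it with Python 3 from a machine on the sensor's management network; the function names and the cafile parameter are assumptions.

```python
"""Hypothetical helper (not part of the NDR sensor or SSP): triage the
'Error message' from `get sensor details` and test the same DNS -> TCP 443
-> verified TLS path that the sensor's status PUT to the SSP ingress uses."""
import socket
import ssl
from typing import Optional

# Error strings quoted in this KB for `get sensor details`.
PKIX_MARKER = "PKIX path building failed"
FORBIDDEN_MARKER = "unauthorised or forbidden"


def triage_error_message(error_message: Optional[str]) -> str:
    """Map the sensor's 'Error message' field to the next step in this KB."""
    msg = (error_message or "").strip()
    if PKIX_MARKER in msg:
        return "re-register: sensor does not trust the SSP ingress certificate"
    if FORBIDDEN_MARKER in msg:
        return "re-register: sensor appears to be off-boarded from SSP"
    if not msg:
        return "no error reported: wait 15 minutes, then check the power state"
    return "check the network path and DNS, then collect a support bundle"


def check_ssp_path(fqdn: str, port: int = 443, cafile: Optional[str] = None,
                   timeout: float = 5.0) -> dict:
    """Return {'stage': 'dns'|'tcp'|'tls'|'ok', 'error': str|None}.
    cafile (assumed parameter) is the CA bundle the sensor trusts when the
    SSP ingress certificate comes from a private CA; None = host trust store."""
    try:
        host, port = socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)[0][4][:2]
    except socket.gaierror as exc:
        return {"stage": "dns", "error": str(exc)}  # step 5: fix name servers
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp", "error": str(exc)}  # step 4: firewall or path
    # Chain validation failing here is the condition the sensor reports as
    # "PKIX path building failed" in step 1 (ssl.SSLError is an OSError).
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            tls.getpeercert()
    except OSError as exc:
        return {"stage": "tls", "error": str(exc)}
    return {"stage": "ok", "error": None}
```

Pass the sensor's CA bundle as cafile when the SSP ingress uses a private CA; a "tls" result with the host's default store alone may just mean the host, not the sensor, lacks the CA.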


If the issue still persists, collect the NDR Sensor support bundle (refer to the documentation for how to collect a support bundle) and raise a support ticket.