Sensor is disconnected from SSP

Article ID: 408906

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

The "Sensor is disconnected from SSP" alarm is triggered when the Security Services Platform (SSP) has not received a heartbeat from the sensor for fifteen minutes. This indicates a potential connectivity issue between the sensor and the SSP.

Environment

vDefend SSP >= 5.1
NDR Sensor >= 5.1

Cause

1. Sensor appliance is down: The sensor appliance is restarting or powered off.

2. Connectivity issues: There is a temporary or permanent network disruption between the sensor and the SSP, which could include issues with firewalls, routers, or switches.

3. DNS misconfiguration: Incorrect DNS settings on the sensor are preventing it from resolving the SSP Ingress hostname.

4. Certificate rotation issues: The SSP ingress certificate has been updated, and the sensor does not have the new certificate.

Resolution

  1. Check for temporary issues: The sensor may be restarting or experiencing a temporary network issue. Wait for 15 minutes to see if the sensor reconnects on its own.

  2. Verify the power state of the sensor: Check if the sensor is powered off in vSphere. Power on the sensor or, if the sensor is no longer required, "offboard" it.

  3. Verify Network Connectivity: Ensure the sensor has a valid network path to the SSP. Check for any firewalls or network devices that might be blocking traffic between the sensor and SSP. Running diagnostic tools like ping and traceroute from the sensor can assist in such an investigation.

ndr-sensor> ping <hostname-or-ip-address>
ndr-sensor> traceroute <hostname-or-ip-address>

  4. Verify DNS configuration: Verify the sensor's DNS configuration and ensure it can resolve the SSP's hostname.

Verify that the SSP Ingress hostname can be resolved from the sensor:

ndr-sensor> nslookup <ssp-ingress-hostname> 

If the management interface is configured with a static IP, verify that name servers are set:

ndr-sensor> get name-servers

  5. Check SSP Ingress certificate on the sensor: The SSP's ingress certificate may have been changed recently due to certificate rotation or an update of the ingress certificate.

Run the command below to check the SSP Ingress certificate stored on the sensor.

ndr-sensor> get certificate SSP-INGRESS


Validate the above certificate against the SSP ingress certificate, which is available under System > Certificates > Ingress on SSP > NAPP_PLATFORM_INGRESS
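
One way to make the comparison in step 5 independent of line wrapping and line endings, as an added example that is not part of the original article or the product's tooling. It assumes both certificates are available as PEM text (the article does not state the output format of get certificate SSP-INGRESS); the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in pem_text, in order."""
    result = []
    for body in PEM_BLOCK.findall(pem_text):
        # Drop all whitespace so wrapping, CRLF and indentation do not matter.
        der = base64.b64decode("".join(body.split()), validate=True)
        result.append(hashlib.sha256(der).hexdigest())
    if not result:
        raise ValueError("no PEM certificate block found in input")
    return result


def same_leaf(sensor_pem, ssp_pem):
    """True when the first certificate in both inputs has identical DER bytes."""
    return fingerprints(sensor_pem)[0] == fingerprints(ssp_pem)[0]


def _pem(der, width, newline):
    # Helper for the constructed samples: wrap base64 at 'width' columns.
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    ) + newline


# Constructed stand-ins for certificate bytes (not real X.509 data).
OLD_DER = b"constructed ingress certificate before rotation" * 4
NEW_DER = b"constructed ingress certificate after rotation" * 4

SENSOR_COPY = _pem(OLD_DER, 64, "\n")        # as copied from the sensor CLI
SSP_SAME = "  " + _pem(OLD_DER, 76, "\r\n")  # same cert, different wrapping
SSP_ROTATED = _pem(NEW_DER, 64, "\n")        # SSP ingress cert was rotated

if __name__ == "__main__":
    print("unchanged:", same_leaf(SENSOR_COPY, SSP_SAME))
    print("rotated:  ", same_leaf(SENSOR_COPY, SSP_ROTATED))
```

A mismatch between the two fingerprints corresponds to cause 4 (certificate rotation issues): the sensor still holds the previous ingress certificate.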

If the sensor still remains in a disconnected state after following these steps, contact support with the information you have gathered. Also collect the NDR Sensor support bundle (refer to the documentation for how to collect the support bundle) and raise a support ticket.