...
Problems downloading IDS/IPS signatures in NSX-T. The status goes to "Updating IDS Signatures" and never completes.

The "Update Now" hyperlink becomes available just as if the signature download from the NSX Threat Intel Cloud (https://api.prod.nsxti.vmware.com/) had succeeded. However, if we click the hyperlink, the task never completes, and a few minutes later the "Update Now" hyperlink becomes available again.

You see an "Exception while authenticating with cloud client" error in policy.log.

Log location: var/log/policy/policy.log

2021-08-30T16:01:30.749Z INFO http-nio-127.0.0.1-6440-exec-13 FacadeInterceptorHelperImpl 15321 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] Starting intent for /policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures/status with reqID c22d8457-f5f0-4da0-aaee-2504f6a49fe5
2021-08-30T16:01:31.600Z ERROR asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP523677" level="ERROR" subcomp="policy"] Got Exception while authenticating with cloud client - org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"error_code":100104,"error_message":"Unable to retrieve required information"}]
org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden: [{"error_code":100104,"error_message":"Unable to retrieve required information"}]
    at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:109) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE]
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:170) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE]
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:112) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE]
    at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE]
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782) ~[spring-web-5.2.6.RELEASE.jar:5.2.6.RELEASE..truncated...
2021-08-30T16:01:31.600Z INFO asyncExecutor-1 IdsSignatureUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] IDS- Cloud Authentication failed, will try to register again
2021-08-30T16:01:31.600Z INFO asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] IDS - Triggering the Signature download from NSX Intel Cloud
2021-08-30T16:01:31.600Z INFO asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] IDS- Re-registering with NSX Intel Cloud.
2021-08-30T16:01:31.603Z INFO asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] IDS: Getting the license info
2021-08-30T16:01:31.603Z WARN asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] No Enforcement point found
2021-08-30T16:01:31.603Z ERROR asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP523681" level="ERROR" subcomp="policy"] NSX Data Center Distributed Threat Prevention key not present. IDS need Threat License Key in order to work.
2021-08-30T16:01:31.604Z ERROR asyncExecutor-1 SimpleAsyncUncaughtExceptionHandler 15321 Unexpected exception occurred invoking async method: public void com.vmware.nsx.management.policy.ids.utils.IDSOnDemandScheduler.startDownload()
com.vmware.nsx.management.common.exceptions.InvalidArgumentException: null
    at com.vmware.nsx.management.policy.ids.utils.PolicyIDSUtils.registerCloudCacheClient(PolicyIDSUtils.java:434) ~[libpolicy-framework-api.jar:?]
    at com.vmware.nsx.management.policy.ids.utils.PolicyIDSUtils.downloadSignatures(PolicyIDSUtils.java:571) ~[libpolicy-framework-api.jar:?]
truncated...

Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.
When authentication with NTICS fails, we try to register again, and registration requires the license information. In a federated system, fetching the licenses fails because of a dependency failure, so the signature download fails. This issue can occur only in a federated system or in an LM that has multiple enforcement points (e.g., AVI Loadbalancer or CVX).
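A triage check for the log pattern described above, as an added example (not VMware's code or tooling): it parses policy.log entries and reports when the cloud authentication error MP523677 is followed on the same thread by the license error MP523681, noting whether "No Enforcement point found" was logged in between. The sample lines are constructed by abridging the excerpt on this page; the 5-second correlation window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, abridged from the policy.log excerpt on this page.
SAMPLE_LOG = '''\
2021-08-30T16:01:31.600Z ERROR asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP523677" level="ERROR" subcomp="policy"] Got Exception while authenticating with cloud client - org.springframework.web.client.HttpClientErrorException$Forbidden: 403 Forbidden
2021-08-30T16:01:31.600Z INFO asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] IDS- Re-registering with NSX Intel Cloud.
2021-08-30T16:01:31.603Z WARN asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="policy"] No Enforcement point found
2021-08-30T16:01:31.603Z ERROR asyncExecutor-1 PolicyIDSUtils 15321 POLICY [nsx@6876 comp="nsx-manager" errorCode="MP523681" level="ERROR" subcomp="policy"] NSX Data Center Distributed Threat Prevention key not present. IDS need Threat License Key in order to work.
'''

LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3})Z\s+(\w+)\s+(\S+)\s+(.*)$')
CODE_RE = re.compile(r'errorCode="(MP\d+)"')
AUTH_FAIL, LICENSE_FAIL = "MP523677", "MP523681"  # error codes shown in the excerpt

def parse(text):
    """Yield one dict per timestamped entry; stack-trace lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        code = CODE_RE.search(raw)
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
        yield {"ts": ts, "thread": m.group(3), "msg": m.group(4),
               "code": code.group(1) if code else None}

def find_failures(text, window_s=5):
    """Correlate auth failure -> license failure on one thread within window_s."""
    findings, pending = [], {}
    for e in parse(text):
        if e["code"] == AUTH_FAIL:
            pending[e["thread"]] = {"auth_at": e["ts"], "no_enforcement_point": False}
            continue
        p = pending.get(e["thread"])
        if p is None:
            continue
        if e["ts"] - p["auth_at"] > timedelta(seconds=window_s):
            del pending[e["thread"]]  # too late to belong to the same attempt
        elif "No Enforcement point found" in e["msg"]:
            p["no_enforcement_point"] = True
        elif e["code"] == LICENSE_FAIL:
            findings.append({"thread": e["thread"], "license_at": e["ts"],
                             **pending.pop(e["thread"])})
    return findings

if __name__ == "__main__":
    for f in find_failures(SAMPLE_LOG):
        print(f)
```

A 403 that is not followed by MP523681 produces no finding, which separates this license-lookup failure from an ordinary rejected request.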
This issue, related to the global-manager and local-manager enforcement point, is already fixed in version code 3.2 Impactor.
We can use the "Offline Downloading and Uploading Signatures" method described in the Admin Guide: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-4BB9A5FA-3B45-498E-AB9F-71B17A4012A0.html
As of NSX-T 3.1.2, we changed the signature download URL and now download signatures from the NSX Threat Intel Cloud (https://api.prod.nsxti.vmware.com/).