bshearstone
Contributor

vShield Endpoint and Deep Security v8 SP1

Hi,

I am running ESX 4.1 and I installed vShield Endpoint 5.01. I am trying to install Deep Security 8.0 SP1. After I prepare my ESX host, I get a vShield Endpoint alarm "vShield Endpoint Host Status" and I get the error message "Lost communication with ESX module" in the vShield Endpoint tab in vCenter. My DSVA activates fine and vShield is shown as installed and registered in Deep Security Manager. The problem is that the anti-malware engine goes offline on my VMs. I installed the vShield driver using the latest VMware Tools. Any help would be very much appreciated. Thanks.

Bill

0 Kudos
13 Replies
JonathanG
Enthusiast

0 Kudos
bshearstone
Contributor

Hi Jonathan,    

I am running ESX build 702113 and I tried that version (and the latest version) of ESX 5 vmtools.  Thanks.

Bill

0 Kudos
JonathanG
Enthusiast

1. Run msinfo32 on the guest VM and verify that the driver vsepflt is loaded and running - see attachment.

2. SSH to the ESXi host and verify that the Endpoint module and filter driver are loaded - see attachment (run both commands).

3. Are any firewalls between components blocking ports 4118, 4119, 4120?

4. Are Deep Security Manager, vShield Manager and vNIC1 of the DSVA on the same VLAN (or on VLANs that can connect to one another)?

5. Did the non-routable vSwitch get created on ESXi during the prepare, with IP address 169.254.50.1?

6. Is system time synchronized across all components?

0 Kudos
bshearstone
Contributor

Hi Jonathan,

1. Yes, my vsepflt driver is running.

2. I have a different output. I don't have the epsec-vfile.

vmw-vshield-endpoint-mux-5.0.1-638861 2012-06-06T11:07:26 vShield Endpoint userworld broker and multiplexer
Trend-FilterDriver-8.0.0-1680         2012-06-06T13:54:35 vmware-esx-dvfilter-dsa: ESX release

I have no output from /usr/sbin/vmkload_mod -l|grep vfile

3. No

4. Yes

5. Yes, but my IP is 169.254.1.1.

6. Yes.

Thank you!

0 Kudos
Wikkie
Contributor

Did you have a solution to your problem? I'm having the exact same problems, although it is with Kaspersky, but I think the problem is related to VMware, and not the AV.

0 Kudos
bshearstone
Contributor

No, I don't have a solution yet.

0 Kudos
JonathanG
Enthusiast

"bshearstone"

At this point I suggest calling Trend support; they will do a WebEx or similar troubleshooting session. Reply back here if you need help with that process, or send me a direct message.

0 Kudos
mellis99
Enthusiast

I am having the same kind of issue: DSVA is not showing as a security VM in vShield.

0 Kudos
mellis99
Enthusiast

I just now fixed mine. Check to make sure you can ping the DSVA appliance from the ESX host. You can do this by SSHing into the ESX host and then just pinging. Also, if you are using vShield, whichever version, make sure you have the correct license installed AND assigned to the solution in the licensing tab. The license does not say which version of vShield it is for, but you can check in My VMware.

Let me know if that worked for you. Might work for Kaspersky as well.

0 Kudos
Arrow1
Enthusiast

Hi,

I had similar trouble while setting up a demo environment. I finally decided to upgrade my vCenter 4.1 to 5.0, still having ESX 4.1 hypervisors, and now all works well.

Regards,
Bernard
0 Kudos
bshearstone
Contributor

I ended up upgrading my vShield Manager to 5.0.2 and it worked.  

0 Kudos
JonathanG
Enthusiast

I am at VMworld with limited access to email

If the matter is very urgent please call my cellular phone: (650) 303 1092


0 Kudos
MarkStrong
Enthusiast

I had a similar problem, and the reason the virtual machine Anti-Malware protection had the status "Anti-Malware Engine Offline" is that the host had a duplicate value in:

UserVars/VshieldEndpointSolutionsConfiguration

~ # esxcfg-advcfg --get /UserVars/VshieldEndpointSolutionsConfiguration
Value of VshieldEndpointSolutionsConfiguration is <id:7498352642083520512;ip:169.254.1.39;port:48651;><id:7498352642083520512;ip:169.254.1.39;port:48651;>

Delete the duplicate values and restart vShield-Endpoint-Mux.

See full blog post:

http://www.vstrong.info/2012/09/14/trend-micro-deep-security-anti-malware-engine-offline/

VCP5, VCP4 | VCAP4-DCD | MCITP | HP Master ASE | CCNA, Cisco UCS Support Specialist
0 Kudos
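The duplicate-entry check from MarkStrong's post above, as an added example that is not part of the original thread or of any VMware or Trend Micro tooling. The function names are hypothetical, and it assumes `grep -o` and `awk` are available in the shell where it runs; it only reads the value and reports, it does not change the host setting.

```shell
#!/bin/sh
# Added example: inspect the output line of
#   esxcfg-advcfg --get /UserVars/VshieldEndpointSolutionsConfiguration
# for repeated <id:...;ip:...;port:...;> entries.

# Sample line as quoted in the post above, embedded so the script runs offline.
SAMPLE='Value of VshieldEndpointSolutionsConfiguration is <id:7498352642083520512;ip:169.254.1.39;port:48651;><id:7498352642083520512;ip:169.254.1.39;port:48651;>'

# Print each <...> entry on its own line; the "Value of ... is " prefix is ignored.
split_entries() {
    printf '%s\n' "$1" | grep -o '<[^>]*>'
}

# Print every entry that occurs more than once (one line per distinct entry).
duplicate_entries() {
    split_entries "$1" | sort | uniq -d
}

# Rebuild the value with each entry kept once, in first-seen order.
deduplicated_value() {
    split_entries "$1" | awk '!seen[$0]++' | tr -d '\n'
}

# Report on a value; returns 1 when duplicates are present, 0 otherwise.
check_value() {
    dups=$(duplicate_entries "$1")
    if [ -n "$dups" ]; then
        echo "DUPLICATE entries found:"
        echo "$dups"
        echo "Value with duplicates removed: $(deduplicated_value "$1")"
        return 1
    fi
    echo "OK: no duplicate entries"
    return 0
}

# Use the first argument if given, otherwise the embedded sample.
check_value "${1:-$SAMPLE}" || true
```

On a host, the `esxcfg-advcfg --get` output line shown in the post can be passed as the first argument instead of the embedded sample.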