
Troubleshooting

Forcing re-synchronization of Active Directory and vCenter integrations in GravityZone

This topic explains how to force re-synchronization of Active Directory and vCenter integrations in GravityZone Control Center.

GravityZone allows you to integrate with Active Directory and vCenter Server to reduce the effort of deploying and managing protection for physical and virtual machines.

Issue

In some cases, the Active Directory and vCenter inventories may not be visible in GravityZone Control Center because of a synchronization issue. To overcome this problem, you need to force the re-synchronization of each integration.

Solution

Re-synchronize Active Directory Integration

  1. Go to Configuration > Active Directory > Domains.

  2. Select the Active Directory integration from the list.

  3. Click the Force Re-Sync button from the action toolbar.


Re-synchronize vCenter Integration

  1. Go to Configuration > Virtualization Providers.

  2. In the Action column of the table, click the Edit button of the vCenter Server integration.

  3. In the configuration window, click the Save button to force re-synchronization.


Video tutorial

You can watch a video tutorial on the topic here.

Out of sync GravityZone integrations

In this topic, you will learn how to troubleshoot out-of-sync errors for several server infrastructure integrations with GravityZone.

GravityZone (on-premises) integrates server infrastructure inventories. Errors can occur when the integration process encounters an issue that it cannot resolve on its own.

You can receive out of sync error messages for the following integrations:

  • VMware vCenter Server

  • Citrix XenServer

  • Nutanix Prism Element

  • Active Directory

Out of sync error messages and actions

Invalid Credentials

This error message is triggered by outdated credentials.

To update your credentials:

1. Go to Configuration > Virtualization > Providers.

2. Click the edit button to open the integration screen.

3. In the Authentication section enter your credentials.

4. Click Save.

Connection error

This message can be triggered by a disconnected network interface.

Check network connectivity between GravityZone and your server infrastructure integration.

Host is slave

This message is triggered only for Citrix XenServer integrations.

Only one Master host exists per cluster; the other hosts are slaves. When the Master host fails, a Slave host becomes the Master.

Follow these steps to change the IP address to match the new Master host:

1. Go to Configuration > Virtualization > Providers.

2. Click the edit button to open the integration screen.

3. In the Hostname field, type your new Master host IP address.

4. Click Save.

Certificate error

This message is triggered when a certificate has expired.

Follow these steps to renew your certificate:

1. Go to Configuration > Virtualization > Providers.

2. Click the edit button to open the integration screen.

3. Click Save.

4. Click Accept to renew your certificate.

Host is unknown to master

This message is triggered only for Citrix XenServer integrations.

For more information, refer to the following Citrix KB article.

Insufficient user rights

This error message is specific to a scenario in which a user does not receive rights when you configure the integration.

Unknown error

Many types of errors can affect the integration.

Open an email ticket to further investigate this error message.

Troubleshooting the issues affecting the Active Directory integration with GravityZone

Through the Active Directory integration, the existing Active Directory inventory is imported into Control Center, simplifying security deployment, management, monitoring and reporting. Active Directory users can be assigned different user roles in Control Center.

The most common error messages when configuring the Active Directory integration are related to:

Connectivity between the GravityZone appliance and domain controller or DNS resolution issues.

If the GravityZone appliance is not able to resolve the name of the domain or is not able to reach the domain controller, use the following steps to troubleshoot this issue:

  1. Verify the network settings configured for GravityZone (especially the gateway and DNS servers).

  2. Make sure that the IP assigned to GravityZone is not being used by another device within your network.

  3. Make sure the appliance can reach the domain controller on port 389, or on port 636 if you have SSL authentication enabled, by using the following commands:

    # telnet dc_name 389
    # telnet dc_name 636
    
  4. Make sure the appliance can resolve the domain name and domain controller name by using the following commands:

    # ping domain_name
    # ping dc_name
    

“Invalid username or password” - The username and password couldn’t be validated.

Follow these steps to troubleshoot this issue:

  1. Make sure the username and the password configured in Control Center are correct by logging in to a domain machine or domain controller with the same credentials or try using another account.

  2. If the account was newly created for the integration, make sure that the option User must change password at next logon is disabled.

If there is an issue saving the Active Directory (AD) settings, or if the screen freezes after clicking the Save button, connect to the GravityZone appliance using SSH and check:

  • RabbitMQ service is started on the GravityZone appliance:

    # service rabbitmq-server status
  • RabbitMQ cluster status:

    # rabbitmqctl cluster_status
  • Processors status:

    # ps aux | grep php

Issues affecting the vCenter integration with GravityZone

This section explains how to troubleshoot issues affecting the vCenter integration with GravityZone.

Through the VMware vCenter integration, the existing VMware vCenter inventory is imported into Control Center, simplifying security deployment, management, monitoring and reporting.

Note

If the following steps do not resolve the issue, contact the Bitdefender Enterprise Support team and attach full logs together with outputs from the following commands.

The most common error messages when configuring the VMware vCenter integration are related to:

Connectivity between the GravityZone machine and VMware vCenter or DNS resolution issues

The GravityZone appliance is not able to resolve the name of the VMware vCenter or is not able to reach the domain controller. Use the following steps to investigate this:

  • Verify the network settings configured for GravityZone (especially the gateway and DNS servers).

  • Make sure that the IP assigned to GravityZone is not being used by another device within your network.

  • Make sure the appliance can reach the VMware vCenter on port 443:

    # telnet vcenter port

  • Make sure the appliance can resolve the domain name and domain controller name:

    # ping vcenter
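
The reachability checks in the Active Directory and vCenter sections above, as an added example that is not Bitdefender's code: it separates a DNS failure from a refused or filtered port, which telnet and ping report less clearly. It assumes Python 3 is available on a host in the same network segment as the appliance; dc01.example.test and vcenter.example.test are placeholder names.

```python
import socket

# Ports named on this page: 389 and 636 for the domain controller, 443 for vCenter.
AD_PORTS = (389, 636)
VCENTER_PORTS = (443,)


def probe(host, port, timeout=3.0):
    """Return 'dns_error', 'refused', 'timeout', 'unreachable' or 'open'."""
    try:
        # Resolve first, so a blocked ping is not mistaken for a DNS problem.
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_error"
    result = "unreachable"
    for family, socktype, proto, _name, sockaddr in addrs:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return "open"
        except ConnectionRefusedError:
            result = "refused"   # host answered, nothing is listening
        except socket.timeout:
            result = "timeout"   # usually a firewall silently dropping packets
        except OSError:
            pass                 # no route, address family unavailable, etc.
    return result


def check_integration(host, ports, timeout=3.0):
    """Return {port: status} for every port the integration needs."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Placeholder host names (assumption); replace with your own DC and vCenter.
    for name, ports in (("dc01.example.test", AD_PORTS),
                        ("vcenter.example.test", VCENTER_PORTS)):
        for port, status in check_integration(name, ports).items():
            print(f"{name}:{port} -> {status}")
```

A "refused" result points at the service on the target host, while "timeout" points at filtering on the path between GravityZone and the target.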

Invalid username or password

The username and password do not have vCenter Administrator permissions. To troubleshoot this issue, follow these steps:

  1. Make sure the username and the password configured in Control Center are correct (log in to the vSphere Client with the same credentials or try using another account).

  2. Make sure the user used for integration has vCenter Administrator permissions.

Unable to save vCenter settings or the screen freezes after pressing the Save button

If you are unable to save the vCenter settings, or the screen freezes after pressing the Save button, connect through SSH to the GravityZone machine and check:

  • If the RabbitMQ service is started on the GravityZone machine:

    # service rabbitmq-server status

  • The RabbitMQ cluster status:

    # rabbitmqctl cluster_status

  • The processors status:

    # ps aux | grep php

GravityZone On-Premises integration with Amazon EC2

This section presents the prerequisites and some basic troubleshooting steps for integrating GravityZone (on-premises) with an Amazon EC2 inventory.

As an Amazon EC2 customer, you can integrate the inventory of EC2 instances grouped by Regions and Availability Zones with the GravityZone network inventory.

Prerequisites

  • A company administrator account in a fully functional on-premise GravityZone console, able to communicate with the address of your specific AWS EC2 region:

    • ec2.[aws-region].amazonaws.com:44 (you can view the full list here)

  • An active AWS IAM service account with the following privileges:

    • Programmatic access (access / secret key)

    • IAMReadOnlyAccess

    • AmazonEC2ReadOnlyAccess for all required AWS regions

Troubleshooting

If you fail to create an Amazon EC2 integration in GravityZone, or the integration becomes out of sync, check the following possible causes and solutions:

Issue: The AWS account linked to the provided credentials is missing one or both of the required permissions (IAMReadOnlyAccess and AmazonEC2ReadOnlyAccess).

Solution: Access the AWS user roles and policies and add all the required permissions.

Issue: The recently modified AWS account user permissions have not yet propagated across AWS when you create the AWS integration in GravityZone.

Solution: Wait for a few minutes, and then try again to configure the integration.

Issue: The AWS policy linked to the AWS user account covers only some of the regions (for example: us-east-1, or us-east-1 and us-east-2). We only support integrations for AWS user accounts with access rights on all regions.

Solution: Grant the AWS user account the AmazonEC2ReadOnlyAccess permission for all the required EC2 regions.

Issue: Some Amazon EC2 regions are unavailable. GravityZone requires connectivity to all AWS regions when creating the integration or synchronizing the AWS inventory. When GravityZone cannot communicate with one or several regions, the integration fails or becomes out of sync. Possible reason: outage of the corresponding AWS regions.

Solution: Check the AWS regions status page and try again to create / synchronize the integration when the outage is solved.

Issue: Trying to create multiple Amazon EC2 integrations using the same AWS account. GravityZone supports multiple AWS EC2 integrations based on access and secret keys of different AWS accounts. It is not possible to create two Amazon EC2 integrations using the same AWS account, even when providing two sets of access and secret keys.

Solution: Use the credentials of a user created under a different AWS account when creating another Amazon EC2 integration in GravityZone.

Issue: The provided secret and access keys are no longer valid or available, and the integration becomes out of sync.

Solution: Access the AWS account and create another key pair for the corresponding IAM user.

Issue: Your firewall is blocking the communication between GravityZone appliance and AWS.

Solution: Configure the firewall (or a proxy) to allow network access between GravityZone and AWS.
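
An added example (not part of GravityZone or AWS tooling) that checks an IAM user's policies for two of the causes listed above: a missing managed policy and a policy limited to some regions. The policy name ec2-read-east and the sample document are constructed; the input is assumed to be policy JSON exported from IAM.

```python
import json

# Managed policies this page lists as prerequisites.
REQUIRED_MANAGED = {"IAMReadOnlyAccess", "AmazonEC2ReadOnlyAccess"}
# IAM condition keys that scope a statement by region (key names are case-insensitive).
REGION_KEYS = {"aws:requestedregion", "ec2:region"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def region_limits(policy_doc):
    """Return the sorted regions named in a policy's conditions, or [] if none."""
    regions = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        for _operator, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                if key.lower() in REGION_KEYS:
                    regions.update(_as_list(values))
    return sorted(regions)


def audit(attached_names, policy_docs):
    """List findings that match causes in the troubleshooting list above."""
    findings = []
    for name in sorted(REQUIRED_MANAGED - set(attached_names)):
        findings.append(f"missing managed policy: {name}")
    for name, doc in policy_docs.items():
        limits = region_limits(doc)
        if limits:
            findings.append(f"{name} has region conditions on: {', '.join(limits)}")
    return findings


# Constructed sample: a customer-managed policy allowing EC2 reads in two regions only.
SAMPLE_DOC = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*",
   "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-east-2"]}}}]}
""")

if __name__ == "__main__":
    for finding in audit(["IAMReadOnlyAccess"], {"ec2-read-east": SAMPLE_DOC}):
        print(finding)
```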