Error: Interface out of sync

This error occurs when the interface information that the Deep Security Manager has stored in its database for the guest virtual machine is not the same as the interface information being reported by the Deep Security Virtual Appliance (for example, different MAC addresses).

To determine the root cause of this issue, you need to find out where the information has become out of sync.

The first step is to check the error message from Deep Security Manager to determine which virtual computer and which interface has the issue.

Check the specific virtual computer interfaces

  1. Log on to the virtual computer.
  2. Open a command prompt and type the following: ipconfig /all
  3. Verify all of the NICs and MAC addresses and make sure that the NICs have the correct driver and that they are working properly.

Check the virtual computer interface information in vCenter

  1. Check the VM interface information from the Managed Object Reference (MoRef) in the vCenter Server by accessing the virtual computer MOB from the web browser and going to: https://<VC_SERVER>/mob/?moid=<OBJECT_ID>

For example: https://192.168.100.100/mob/?moid=vm-1136&doPath=config

Where:

<VC_SERVER> is the FQDN or IP of the vCenter Server

=<OBJECT_ID> is the ID of the object you are looking up

For more information on accessing the VC MOB see Looking up Managed Object Reference (MoRef) in vCenter Server.

  1. Go to Config > extraConfig["ethernet0.filter0……"] > hardware to check all the NICs and MAC address.
  2. Compare the MAC addresses with step 3 from above: Verify all of the NICs and MAC addresses and make sure that the NICs have the correct driver and that they are working properly.

Check the vmx file and the virtual computer interface information in Deep Security Manager

  1. Use the vCenter Server datastore browser to download the specific vmx file of the virtual computer.
  2. Open the vmx file using Notepad and check the IPs, uuid.bios, and MAC addresses.
    For example:

Check virtual computer UUID
– uuid.bios = "42 23 d6 5d f2 d5 22 41-87 41 86 83 ea 2f 23 ac"
Check EPSec Settings
– VFILE.globaloptions = "svmip=169.254.50.39 svmport=8888"
– scsi0:0.filters = "VFILE“
Check DvFilter Settings
– ethernet0.filter0.name = "dvfilter-dsa"
– ethernet0.filter0.onFailure = "failOpen"
– ethernet0.filter0.param0 = "4223d65d-f2d5-2241-8741-8683ea2f23ac"
– ethernet0.filter0.param2 = "1"
– ethernet0.filter0.param1 = "00:50:56:A3:02:D8"

  1. Go to the Deep Security Manager dashboard, double-click the specific VM > Interfaces, and verify the IPs and MAC addresses.
  2. Compare the IP and MAC address with the results from above.

Check the virtual computer interface information in the Deep Security Virtual Appliance

  1. Use the vCenter Server datastore browser to download the specific vmx file of the virtual computer.
  2. Open the vmx file using Notepad and check the uuid.bios value.
  3. Log on to the Deep Security Virtual Appliance console and press Alt + F2 to switch to command mode and then enter the Deep Security Virtual Appliance user name and password.
  4. Run the following command to verify if the interface of the virtual computer was recognized by Deep Security Virtual Appliance.

    5. cd /var/opt/ds_agent/guests/$uuid (Note: Input your real uuid.bios to replace $uuid.)
    >/opt/ds_guest_agent/ratt if

  5. Execute the ifconfig –a command to verify if the Deep Security Virtual Appliance NIC settings and IP are configured correctly.
  6. Compare the IP and MAC address with the results from above.

Workaround Options

If any of the above items are out of sync then you need to fix this issue.

Option 1

When cloning an activated virtual computer in Deep Security, you might receive the interface out of sync alert if you power on and activate a virtual computer. As a work around, clean the dvfilter settings before powering on the cloned virtual computer.

  • ethernet0.filter0.name = "dvfilter-dsa"
  • ethernet0.filter0.onFailure = "failOpen"
  • ethernet0.filter0.param0 = "4223d65d-f2d5-2241-8741-8683ea2f23ac"
  • ethernet0.filter0.param2 = "1"
  • ethernet0.filter0.param1 = "00:50:56:A3:02:D8"

Option 2

  1. Suspend the specific virtual computer and power it on again.
  2. Restart the Deep Security Virtual Appliance.
  3. Deactivate the virtual computer and then activate it again.

Option 3

vMotion the specific VM to a protected host and then clean the warning message.

The vCenter must be connected to the Deep Security Manager all the time. Otherwise, the interface out of sync issue will happen often.

Further Troubleshooting

  1. Provide the results of this step from above: Compare the IP and MAC address with the results from above.
  2. Get the rattif.txt file from this step from above: Run the following command to verify if the interface of the virtual computer was recognized by Deep Security Virtual Appliance. .
  3. Get the output from the following commands:
    $ ls -alR > /home/dsva/ls.txt
    $ netstat -an > /home/dsva/netstat.txt
    $ ps auxww > /home/dsva/ps.txt
    $ lsof > /home/dsva/lsof.txt
    $ ifconfig –a > /home/dsva/ifconfig.txt
    $ cp /var/log/syslog /home/dsva/syslog.txt
  4. Get the diagnostic packages for the Deep Security Manager, Deep Security Agent, and the Deep Security Virtual Appliance.
  5. Collect the following files and send them to Trend Micro Technical Support.
  • rattif.txt
  • ls.txt
  • netstat.txt
  • ps.txt
  • lsof.txt
  • ifconfig.txt
  • syslog.txt

If you cannot find the MAC address of the virtual computer from the output of the ratt if command, then use the following workaround:

  1. Deploy a virtual computer from a template in vCenter.
  2. Delete the existing NIC.
  3. Power on this virtual computer but there is no need to log on.
  4. Power off this virtual computer.
  5. Add a new NIC.
  6. Power on the virtual computer.