Error: Interface out of sync

This error occurs when the network interface information (for example, the MAC addresses) that the Deep Security Manager has stored in its database for the guest virtual machine (VM) differs from the interface information reported by the Deep Security Virtual Appliance.

To determine the root cause of this issue, you need to find out where the information has become out of sync.

The first step is to check the error message from Deep Security Manager to determine which VM and which interface has the issue.

Check the interfaces on the VM

  1. Log into the VM.
  2. Open a command prompt.
  3. Enter the command to display all network interfaces' information. For example, on Windows, enter: ipconfig /all
  4. Verify all of the NICs and MAC addresses and make sure that the NICs have the correct driver and that they are working properly.

Check the VM's interface information in vCenter

Check the VM interface information from the Managed Object Reference (MoRef) in the vCenter Server.

  1. Go to the virtual computer MOB at: https://<VC_SERVER>/mob/?moid=<OBJECT_ID>

    For example, you might go to this URL: https://192.168.100.100/mob/?moid=vm-1136&doPath=config

    where:

    <VC_SERVER> is the FQDN or IP of the vCenter Server

    <OBJECT_ID> is the ID of the object you are looking up

    For more information on accessing the VC MOB see Looking up Managed Object Reference (MoRef) in vCenter Server.

  2. Go to Config > extraConfig["ethernet0.filter0……"] > hardware to check all the NICs and MAC addresses.
  3. Compare the MAC addresses with the MAC in the VM's OS.

Check the vmx file and the VM's interface information in Deep Security Manager

  1. Use the vCenter Server datastore browser to download the VM's vmx file.
  2. Open the vmx file using a plain text editor such as Notepad.
  3. Check the IPs, uuid.bios, and MAC addresses.

    For example:

    Check virtual computer UUID
    - uuid.bios = "42 23 d6 5d f2 d5 22 41-87 41 86 83 ea 2f 23 ac"
    Check EPSec Settings
    - VFILE.globaloptions = "svmip=169.254.50.39 svmport=8888"
    - scsi0:0.filters = "VFILE"
    Check DvFilter Settings
    - ethernet0.filter0.name = "dvfilter-dsa"
    - ethernet0.filter0.onFailure = "failOpen"
    - ethernet0.filter0.param0 = "4223d65d-f2d5-2241-8741-8683ea2f23ac"
    - ethernet0.filter0.param2 = "1"
    - ethernet0.filter0.param1 = "00:50:56:A3:02:D8"

  4. Go to the Deep Security Manager dashboard, double-click the VM > Interfaces, and verify the IPs and MAC addresses.
  5. Compare the IP and MAC address with the results from above.
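The vmx comparison in this section can be scripted. The following is an added example, not Trend Micro code: it parses the vmx lines quoted above and reports dvfilter-dsa entries that disagree with uuid.bios or with the MAC addresses you collected from the guest OS and Deep Security Manager. It assumes, as the page's sample values suggest, that param0 carries the VM UUID and param1 the NIC's MAC address; the function names are hypothetical.

```python
import re

# Constructed sample: the vmx lines quoted on this page.
SAMPLE_VMX = '''\
uuid.bios = "42 23 d6 5d f2 d5 22 41-87 41 86 83 ea 2f 23 ac"
ethernet0.filter0.name = "dvfilter-dsa"
ethernet0.filter0.onFailure = "failOpen"
ethernet0.filter0.param0 = "4223d65d-f2d5-2241-8741-8683ea2f23ac"
ethernet0.filter0.param2 = "1"
ethernet0.filter0.param1 = "00:50:56:A3:02:D8"
'''

LINE_RE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')
FILTER_RE = re.compile(r'^(ethernet\d+)\.(filter\d+)\.(\w+)$')

def parse_vmx(text):
    """Return {key: value} for each key = "value" line (keys lower-cased)."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def norm_hex(value):
    """Drop separators and case so UUIDs and MACs compare in any layout."""
    return re.sub(r'[^0-9a-f]', '', value.lower())

def check_dvfilter(vmx_text, expected_macs):
    """Return findings where dvfilter-dsa settings disagree with uuid.bios
    or with the MACs seen in the guest OS / Deep Security Manager."""
    cfg = parse_vmx(vmx_text)
    uuid = norm_hex(cfg.get('uuid.bios', ''))
    known = {norm_hex(m) for m in expected_macs}
    filters = {}
    for key, val in cfg.items():
        m = FILTER_RE.match(key)
        if m:
            filters.setdefault(m.group(1) + '.' + m.group(2), {})[m.group(3)] = val
    findings = []
    for slot, p in sorted(filters.items()):
        if p.get('name') != 'dvfilter-dsa':
            continue
        # Assumption from the page's sample: param0 = VM UUID, param1 = NIC MAC.
        if norm_hex(p.get('param0', '')) != uuid:
            findings.append(slot + ': param0 does not match uuid.bios')
        if norm_hex(p.get('param1', '')) not in known:
            findings.append(slot + ': param1 MAC not in expected MACs')
    return findings
```

An empty result means the vmx file agrees with the MAC addresses you passed in; any finding names the NIC and filter slot to inspect.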

Check the VM's interface information in the Deep Security Virtual Appliance

  1. Use the vCenter Server datastore browser to download the specific vmx file of the virtual computer.
  2. Open the vmx file using a plain text editor such as Notepad.
  3. Check the uuid.bios value.
  4. Log on to the Deep Security Virtual Appliance console and press Alt + F2 to switch to command mode and then enter the Deep Security Virtual Appliance user name and password.
  5. Run the following commands to determine whether the VM's network interface was recognized by Deep Security Virtual Appliance. (Note: Replace $uuid with your actual bios uuid.)

    cd /var/opt/ds_agent/guests/$uuid

    >/opt/ds_guest_agent/ratt if

  6. Execute the ifconfig -a command to verify if the Deep Security Virtual Appliance NIC settings and IP are configured correctly.
  7. Compare the IP and MAC address with the results from above.

Workaround Options

If any of the above items are out of sync then you need to fix this issue.

Option 1

When cloning an activated VM in Deep Security, you might receive the out-of-sync interface alert if you power on and activate the cloned computer. As a workaround, clean the following dvfilter settings before powering on the cloned computer:

  • ethernet0.filter0.name = "dvfilter-dsa"
  • ethernet0.filter0.onFailure = "failOpen"
  • ethernet0.filter0.param0 = "4223d65d-f2d5-2241-8741-8683ea2f23ac"
  • ethernet0.filter0.param2 = "1"
  • ethernet0.filter0.param1 = "00:50:56:A3:02:D8"

Option 2

  1. Suspend the VM and power it on again.
  2. Restart the Deep Security Virtual Appliance.
  3. Deactivate the VM and then activate it again.

Option 3

Use vMotion to move the VM to a protected ESXi host and then dismiss the warning message.

The vCenter must be connected to the Deep Security Manager all the time. Otherwise, the out-of-sync interface issue will happen repeatedly.

Further Troubleshooting

  1. Provide the results of the step from above where you verified the IP and MAC addresses in "Check the VM's interface information in the Deep Security Virtual Appliance".
  2. Get the rattif.txt file from the step from above where you verified that the VM's interface was recognized by Deep Security Virtual Appliance.
  3. Get the output from the following commands:

    $ ls -alR > /home/dsva/ls.txt
    $ netstat -an > /home/dsva/netstat.txt
    $ ps auxww > /home/dsva/ps.txt
    $ lsof > /home/dsva/lsof.txt
    $ ifconfig -a > /home/dsva/ifconfig.txt
    $ cp /var/log/syslog /home/dsva/syslog.txt

  4. Get the diagnostic packages for the Deep Security Manager, Deep Security Agent, and the Deep Security Virtual Appliance.
  5. Collect the following files and send them to Trend Micro Technical Support:

    • rattif.txt
    • ls.txt
    • netstat.txt
    • ps.txt
    • lsof.txt
    • ifconfig.txt
    • syslog.txt

If you cannot find the MAC address of the virtual computer from the output of the ratt if command, then use the following workaround:

  1. Deploy a virtual computer from a template in vCenter.
  2. Delete the existing NIC.
  3. Power on this virtual computer but there is no need to log on.
  4. Power off this virtual computer.
  5. Add a new NIC.
  6. Power on the virtual computer.