IBM Support

IBM Security Guardium appliance with multiple interfaces is removed from network after patch install

Troubleshooting


Problem

After a patch is installed on a Guardium v11.1 appliance where p100 has been installed, the appliance is no longer available on the network. On the console, the cli user can log in and work as normal, but ssh and other network connections do not work.

Cause

Installing specific patches on multi-interface appliances exposes an underlying defect in v11.1 involving an internal role map file.

Diagnosing The Problem

All of the following conditions must be met for this problem to arise. If your appliance is off the network but does not meet these conditions, this technote does not apply.
  1. The cli user can log in from the console with no warning that the appliance is in recovery mode
  2. The appliance has more than one network interface defined
    • The cli command show network interface inventory shows multiple interfaces with IP addresses assigned
  3. One of these patch install paths has been followed. It is the patch installed immediately after p100 that triggers the problem:
    • p100->p200
    • p100->p106
    • p100->p115
    • p100->p106->p120
    • p100->p115->p120
    • p100->p106->p115->p120
  • Note - The following patch install paths do not trigger the problem:
    • Any appliance starting on v11.2 (p200)
    • Any appliance where p100 has not been installed
    • p100 -> p120
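
The conditions above can be checked across a fleet before patching. The following is an added example, not IBM code: the function names, verdict strings, hostnames and inventory values are hypothetical, and the interface count is assumed to be supplied by the operator from the cli output.

```python
# Added example (not IBM code): pre-patch planning check for this technote.
TRIGGERS = {"p200", "p106", "p115"}  # first patch after p100, listed as triggering
SAFE = {"p120"}                      # first patch after p100, listed as not triggering

AFFECTED = "affected"
NOT_AFFECTED = "not affected"
UNLISTED = "path not listed in technote"
PENDING = "nothing installed after p100 yet"


def assess(installed, planned, interfaces_with_ip, built_on_v112=False):
    """Classify one appliance against the technote's conditions.

    installed / planned: ordered patch names, e.g. ["p100"] and ["p106", "p120"].
    interfaces_with_ip: number of interfaces with an IP address assigned.
    built_on_v112: True when the appliance started on v11.2 (p200).
    """
    if interfaces_with_ip <= 1 or built_on_v112:
        return NOT_AFFECTED
    path = [p.strip().lower() for p in list(installed) + list(planned)]
    if "p100" not in path:
        return NOT_AFFECTED
    after = path[path.index("p100") + 1:]
    if not after:
        return PENDING
    # Only the patch installed immediately after p100 decides the outcome.
    first = after[0]
    if first in TRIGGERS:
        return AFFECTED
    if first in SAFE:
        return NOT_AFFECTED
    return UNLISTED


# Constructed inventory: (installed, planned, interfaces_with_ip, built_on_v112)
FLEET = {
    "collector-a": (["p100"], ["p106", "p120"], 2, False),
    "collector-b": (["p100"], ["p120"], 3, False),
    "aggregator-c": (["p100"], ["p200"], 1, False),
    "collector-d": ([], ["p120"], 2, True),
}


def report(fleet):
    return {name: assess(*args) for name, args in fleet.items()}


if __name__ == "__main__":
    for name, verdict in report(FLEET).items():
        print(f"{name}: {verdict}")
```
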

Resolving The Problem

A) If you have multi-interface appliances that may trigger the problem
  • If possible, avoid the problem by following one of the patch install paths that do not trigger the problem. For example, install p120 on top of p100.
  • If it will not be possible to avoid the problem, prepare to follow the steps in part B after patch installation.
B) If your appliance is off the network due to this problem
Follow these steps as the cli user logged in to the console to resolve the problem.
1. Save the current network information from cli command output
  • IP, noting which interface is primary - show network interface all
  • Default route - show network route default
  • Secondary IP - show network interface secondary
  • DNS - show network resolver
  • Hostname - show system hostname
  • Domain - show system domain
Note: if you had a static route configured, it will most likely be gone at this point and will need to be added again in step 3.
2. Reset the network settings by running the cli command store network interface reset
3. Store the network configuration settings captured in step 1
  • store system hostname
  • store system domain
  • store network interface role <primary interface name> primary
  • store network interface ip
  • store network route defaultroute
  • store network resolver
  • store network interface ip secondary
  • store network routes static (only if required)
4. Restart network
C) If the above does not resolve the problem, contact Guardium support and provide the steps already tried and the command outputs.

Document Location

Worldwide

Document Information

Modified date:
01 October 2020

UID

ibm16336831