Troubleshooting
Problem
On the Central Manager (CM), patch distribution failed with the error "Patch file SCP failed"
Symptom
You are trying to install a patch from the CM to the Managed Units and get the error:
"Patch file SCP failed"
Cause
The Central Manager (CM) can't communicate with one or more of the Managed Units.
Environment
Guardium Central Manager
Diagnosing The Problem
- Run this command from the CM cli prompt:
support must_gather cm_issues
- Download the resulting file from the appliance and uncompress it.
- After uncompressing it, open the file cm_output.txt and look for a section starting with:
=========<TIMESTAMP> ... Output of Ping Managed Units:============
- Carefully review the tests below this section header. This section tests communication with each of the managed units using a "ping" command.
Look for one or more tests that failed with the error: 100% packet loss
In the example below, 3 Managed Units were pinged; the first one failed with 100% packet loss, while the other two were successful, as shown by 0% packet loss:
=======2017-09-25 10:00:16 ... Output of Ping Managed Units:=========
PING <ip 1> (<ip 1>) 56(84) bytes of data.
--- 10.162.237.68 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 11002ms
PING <ip 2> (<ip 2>) 56(84) bytes of data.
64 bytes from 10.5.140.153: icmp_seq=1 ttl=63 time=0.298 ms
64 bytes from 10.5.140.153: icmp_seq=2 ttl=63 time=0.364 ms
--- 10.5.140.153 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
PING <ip 3> (<ip 3>) 56(84) bytes of data.
64 bytes from 10.5.140.154: icmp_seq=1 ttl=63 time=0.289 ms
64 bytes from 10.5.140.154: icmp_seq=2 ttl=63 time=0.335 ms
--- 10.5.140.154 ping statistics ---
...2 packets transmitted, 2 received, 0% packet loss, time 1000ms
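The manual review described above can be scripted once cm_output.txt has been downloaded. The following is an added example, not part of the original technote or of Guardium: it parses the "Output of Ping Managed Units" section and lists the units that show 100% packet loss. The sample text and its addresses are constructed, and the rule that a later line starting with a run of "=" ends the section is an assumption.

```python
import re
import sys

# Constructed sample in the layout of the ping section of cm_output.txt.
# Addresses are documentation-range placeholders, not values from the technote.
SAMPLE = """\
=======2017-09-25 10:00:16 ... Output of Ping Managed Units:=========
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
--- 192.0.2.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 11002ms
PING 192.0.2.11 (192.0.2.11) 56(84) bytes of data.
64 bytes from 192.0.2.11: icmp_seq=1 ttl=63 time=0.298 ms
--- 192.0.2.11 ping statistics ---
...2 packets transmitted, 2 received, 0% packet loss, time 1000ms
=======2017-09-25 10:00:30 ... Output of Some Later Check:=========
--- 192.0.2.99 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 11002ms
"""

SECTION_START = re.compile(r"^=+.*Output of Ping Managed Units:=+")
# Assumption: any later line that opens with a run of '=' starts another section.
SECTION_END = re.compile(r"^={5,}")
HOST = re.compile(r"^--- (\S+) ping statistics ---")
STATS = re.compile(r"\d+ packets transmitted, \d+ received,.*?(\d+)% packet loss")

def ping_results(text):
    """Map each pinged address to its packet-loss percentage (ping section only)."""
    results, in_section, host = {}, False, None
    for line in text.splitlines():
        if not in_section:
            in_section = bool(SECTION_START.match(line))
            continue
        if SECTION_END.match(line):
            break
        if (m := HOST.match(line)):
            host = m.group(1)
        elif host and (m := STATS.search(line)):
            results[host] = int(m.group(1))
            host = None
    return results

def unreachable_units(text):
    """Addresses the CM could not reach at all (100% packet loss)."""
    return sorted(h for h, loss in ping_results(text).items() if loss == 100)

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for addr, loss in ping_results(data).items():
        print(f"{addr}: {loss}% packet loss", "<-- check route and TCP 22" if loss else "")
```

Run it with the path to the uncompressed cm_output.txt as the only argument; without an argument it processes the constructed sample.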
Resolving The Problem
Resolve the communication issue between the CM and the Managed Unit at the network level.
- Work with your network team if necessary to make sure the Managed Unit is reachable at network level. After it is fixed, validate this by running this command from the Central Manager cli prompt and making sure it reports 0% packet loss:
ping <Managed Unit ip>
where <Managed Unit ip> is the IP address of the Managed Unit.
- Make sure all the ports needed for communication between the CM and the Managed Unit are open, especially TCP port 22 for SCP connectivity.
Refer to the technote Guardium v10.0/10.1/10.1.2/10.1.3 and v9.0/9.1/9.5 Open Ports (section Central Manager – Managed Devices) for details on port requirements.
==
Central Manager – Managed Devices
TCP 22 – SSH/SCP data transfers, both directions
TCP 8443 – SSL, both directions
TCP 8444 – SSL, STAP to GIM file upload. Note: For v10.1.3 and above, port 8444 (TLS, not authenticated) will not be used by GIM clients anymore. This port is dedicated to must gather logger uploads, custom kernel uploads and V9 inspection engine discovery uploads.
TCP 3306 – MySQL, opened to specific sources (for instance, the Central Manager is open to all managed units; a managed unit is open to the Central Manager)
TLS 8447 - Used for remote messaging service infrastructure (and profile distribution infrastructure) for communication between Guardium systems in the federated environment / centrally-managed environment. Configuration profiles allow the definition of configuration and scheduling settings from a Central Manager and conveniently distribute those settings to managed unit groups without altering the configuration of the Central Manager itself.
==
Document Information
Modified date:
16 June 2018
UID
swg22009153