The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to troubleshoot various issues that could occur while Cisco VSG is communicating with the Virtual Supervisor Module (VSM), Virtual Ethernet Module (VEM), Cisco Virtual Network Management Center (VNMC), or Hyper-V Server.
This section describes how to troubleshoot issues with the Cisco VSG and VSM interactions.
The port profile used to bring up the data interface of the Cisco VSG should not have any vn service or org configured.
This example shows how to use a port profile to bring up the Cisco VSG data interface:
Make sure that you add the Cisco VSG service VLAN and HA VLAN as part of the allowed VLAN. Without adding this information into the allowed VLAN, Cisco VSGs may not pair. If you have a Cisco VSG on one VEM and the VMs to be firewalled are on another VEM, you must make sure that the Cisco VSG service VLAN is added as the allowed VLAN.
This example shows how to display the VLAN configurations:
For the port profiles that are used to protect the VMs, make sure that you provide the correct vn service IP (the exact data 0 IP address of the Cisco VSG), and the service VLAN and the security profile name. Make sure under the org that you have configured the tenant name as root/Tenant-cisco.
This section describes how to troubleshoot issues with Cisco VSG and VEM interactions.
This section includes the following topics:
Sometimes, when policies are configured on Cisco VSG and the data traffic is sent from the VMs, traffic flows through the Cisco Nexus 1000V Series Switch as if the firewall service is not enabled on the port.
Go to the prompt to execute the vemcmd commands, for example, cd \\Program File(x86)\Cisco\Nexus1000V and do the following:
Verify if the LTL is found as follows:
The VSG Licenses Available message should display a nonzero value in the output.
Note All vemcmd commands can be executed by logging into the Hyper-V.
When policies are configured on the Cisco VSG to permit a certain type of traffic, but the traffic does not reach the destination, a complete failure can result.
The Virtual Ethernet Modules (VEMs) have not learned the MAC address of the Cisco VSG.
Check if the Cisco VSG MAC address is learned on all the VEMs that host the protected VMs involved in the communication by entering the vemcmd show vsn config command on the VEM.
This example shows how to display the Cisco VSG configuration:
The VNS Licenses available message should display a nonzero value.
You can find the MAC address of the Cisco VSG by entering the show interface control 0 command.
This example shows how to display information on the interface for the Cisco VSG:
To troubleshoot, you should manually check if the VSG service (control 0) interface is bound to the correct port profile and VLAN configured.
You can check the Cisco VSG service interface assignment on the VEM by entering the vemcmd show command.
This example shows how to check the Cisco VSG service interface assignment on the VEM:
The Cisco VSG VM name should be displayed as part of the output.
You can display the port profile that is associated with the Cisco VSG service interface by entering the show port-profile name pp-name command on the VSM.
If the Cisco VSG is bound to the proper port profile and has the correct service VLAN, check the upstream switches. Ensure that this service VLAN is configured across all ports in all upstream switches to which all the VEMs (those talking to Cisco VSG) are connected.
You can ensure that the service VLAN is configured and enabled (active) on the VSM by entering the show vlan command.
This example shows how to display the VLAN configurations:
When policy decisions are inconsistent with port-profile changes, either of these conditions can exist:
Because of the existing flows, the old policy decision is continued.
Administrators must clear the flows in the vPath and Cisco VSG when the policy is modified.
You can use the vPath ping command to determine the connectivity between the Cisco VSG and the VEM.
This example shows how to ping the Cisco VSG connections and determine if they are reachable:
This example shows how to display VSN ping options:
This example shows how to display VSN ping options for all source modules:
This example shows how to set up a ping for all source modules from a specified IP address:
This example shows to set up a ping for all vPath source modules for a specified IP address:
This example shows how to set up a ping for all source modules of a specified IP address with a time-out and a count:
After registering the VSM to the Cisco VNMC, you can check the status of the VSM and Cisco VNMC policy agents by entering the show vnm-pa status command.
This example shows how to check the status:
If there is a failure, there can be several reasons. One failure could be because Cisco VNMC is unreachable or dead. Ping the Cisco VNMC IP to check for a response. If there is no response, look at the network connectivity.
Another reason could occur because of the wrong shared secret.
This example shows the results of this type of failure:
Provide the correct password and register again.
On the Cisco VNMC GUI, on the Administration > Service Registry > Clients tab, make sure that the registered VSM is shown as registered under the Oper State column.
On the Cisco VNMC GUI, make sure that the org is configured in the same way as in the port profile. The registered VSM should also be available under the Resources > Virtual Supervisor Modules. If the org is not properly configured on the port profile, the Config State will display as “org-not-found” under the port profiles tab of the registered VSM. After editing the port profile with the correct org name, the Config State changes to OK.
After registering the Cisco VSG to the Cisco VNMC, you can check the status by entering the show vnm-pa status command.
This example shows how to check the Cisco VSG registration status:
If there is a failure, there can be several reasons. One failure could be because Cisco VNMC is unreachable or dead. Ping the Cisco VNMC IP to check for a response. If there is no response, look at the network connectivity.
Another reason could occur because of the wrong shared secret.
This example shows how to display the results of this type of failure:
Provide the correct password and register again.
On the Cisco VNMC GUI, on the Administration > Service Registry > Clients tab, make sure that the registered VSG is shown as registered under the Oper State column.