Troubleshooting

Troubleshooting Deployment of Firewall Threat Defense Container

  • Issue: Pod stuck in pending state

    Cause: Insufficient resources (hugepages, CPU, memory, SR-IOV VFs)

    Workaround:

    • Check the pod events for the scheduler's reason (for example, "Insufficient hugepages-1Gi").

      kubectl describe pod <pod-name>

    • Verify hugepages on the node. Compare the Allocatable value with the Requests column under Allocated resources; a node that advertises hugepages but has them all requested still leaves the pod pending.

      kubectl describe node <node-name> | grep hugepages

    • Verify SR-IOV resources. The SR-IOV device plugin advertises VFs under the intel.com/ resource prefix unless it has been configured with another prefix; adjust the pattern accordingly.

      kubectl describe node <node-name> | grep intel.com
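
    The three checks above can be run as one triage pass. The script below is an added example and is not part of the Firewall Threat Defense Container documentation or tooling: it extracts every "Insufficient <resource>" reason from the pod events and reports the headroom (Allocatable minus Requests) for each such resource on the node. The two sample outputs are constructed to look like kubectl describe output; the pod name, node name and the SR-IOV resource name intel.com/sriov_netdevice are assumptions, and the parser assumes Allocatable and Requests are reported in the same unit (Gi for hugepages, a plain count for VFs).

```shell
#!/bin/sh
# Added example (not part of the FTDc documentation): triage a Pending pod by
# pulling the "Insufficient <resource>" reasons out of the pod events and
# comparing each named resource against the node's Allocatable and Allocated
# figures. SAMPLE_POD and SAMPLE_NODE are constructed stand-ins for
# `kubectl describe pod` / `kubectl describe node` output; the resource name
# intel.com/sriov_netdevice is an assumption.

# Print each resource the scheduler reported as insufficient, one per line.
# stdin: output of `kubectl describe pod <pod-name>`
insufficient_resources() {
  grep -o 'Insufficient [A-Za-z0-9./_-]*' |
    awk '{ sub(/\.$/, "", $2); print $2 }' |   # drop a sentence-ending "."
    sort -u
}

# Print the headroom (Allocatable minus Requests) for one resource as a bare
# number in the unit the node reports (both sides are assumed to use the same
# unit, e.g. 16Gi vs 12Gi). Prints "missing" if the node does not advertise
# the resource at all, which is its own cause of a Pending pod.
# $1: resource name; stdin: output of `kubectl describe node <node-name>`
free_resource() {
  awk -v res="$1" '
    /^Allocatable:/          { sect = "alloc" }
    /^System Info:/          { sect = "" }
    /^Non-terminated Pods:/  { sect = "" }
    /^Allocated resources:/  { sect = "used" }
    /^Events:/               { sect = "" }
    sect == "alloc" && $1 == (res ":") { alloc = $2 }
    sect == "used"  && $1 == res       { used  = $2 }
    END {
      if (alloc == "") { print "missing"; exit }
      if (used == "")  { used = "0" }
      gsub(/[^0-9]/, "", alloc); gsub(/[^0-9]/, "", used)
      print alloc - used
    }'
}

# Constructed sample: events from a pod that cannot be scheduled.
SAMPLE_POD='Events:
  Type     Reason            Age   From               Message
  ----     ------            ----  ----               -------
  Warning  FailedScheduling  15s   default-scheduler  0/2 nodes are available: 1 Insufficient hugepages-1Gi, 1 Insufficient intel.com/sriov_netdevice. preemption: 0/2 nodes are available: 2 No preemption victims found for incoming pod.'

# Constructed sample: the relevant parts of `kubectl describe node`.
SAMPLE_NODE='Capacity:
  cpu:                        64
  hugepages-1Gi:              16Gi
  intel.com/sriov_netdevice:  8
Allocatable:
  cpu:                        63
  hugepages-1Gi:              16Gi
  intel.com/sriov_netdevice:  8
Allocated resources:
  (Total limits may be over 100 percent, i.e., overcommitted.)
  Resource                    Requests      Limits
  --------                    --------      ------
  cpu                         4 (6%)        8 (12%)
  hugepages-1Gi               12Gi (75%)    12Gi (75%)
  intel.com/sriov_netdevice   8             8'

# Stand-alone demo against the constructed samples. Against a live cluster,
# replace the two printf pipelines with:
#   kubectl describe pod "$POD"   | insufficient_resources
#   kubectl describe node "$NODE" | free_resource "$res"
triage() {
  printf '%s\n' "$SAMPLE_POD" | insufficient_resources | while read -r res; do
    printf '%-28s free on node: %s\n' "$res" \
      "$(printf '%s\n' "$SAMPLE_NODE" | free_resource "$res")"
  done
}

triage
```

    With the constructed samples the hugepages headroom is 4Gi, so a request larger than that stays Pending, and every SR-IOV VF is already requested (headroom 0), which is the typical picture when a second FTDc pod is scheduled onto a node sized for one.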

  • Issue: Pod CrashLoopBackOff

    Cause: Configuration issues or insufficient shared memory

    Workaround:

    • Check the logs of the crashed container. Add -c <container-name> if the pod runs more than one container.

      kubectl logs <pod-name> --previous

    • Increase shmSize if the logs point to shared-memory exhaustion. Run the upgrade from the chart directory; 4Gi is an example value.

      helm upgrade ftdc . --set ftdc.shmSize=4Gi

  • Issue: Network interfaces not working

    Cause: CNI misconfiguration

    Workaround:

    • Check the NetworkAttachmentDefinitions. Their names and namespaces must match what the pod references.

      kubectl get net-attach-def -o yaml

    • Verify the pod annotations. The k8s.v1.cni.cncf.io/networks annotation must list the NetworkAttachmentDefinitions the pod expects, in the order the interfaces are consumed.

      kubectl get pod <pod-name> -o jsonpath='{.metadata.annotations}'

    • Check interface-config ConfigMap.

      kubectl get configmap interface-config -o yaml

  • Issue: Management Center registration failed

    Cause: Network connectivity or credential issues

    Workaround:

    • Check ftd-manager logs.

      kubectl logs -l app=ftd-manager

    • Verify the Management Center credentials secret. The values under data are base64-encoded, not encrypted; decode them before comparing with the Management Center credentials, and do not paste the output into tickets or logs.

      kubectl get secret fmc-credentials -o yaml

    • Test Management Center connectivity from the pod. The -k flag skips certificate validation, so this confirms only that the Management Center HTTPS port is reachable; it assumes curl is available in the container image.

      kubectl exec -it <pod-name> -- curl -k https://<fmc-ip>

  • Issue: MetalLB not assigning an IP address

    Cause: IPAddressPool misconfiguration

    Workaround:

    • Check IPAddressPool.

      kubectl get ipaddresspool -n metallb-system

    • Check L2Advertisement.

      kubectl get l2advertisement -n metallb-system

    • Check MetalLB controller logs.

      kubectl logs -n metallb-system -l app=metallb,component=controller

  • Issue: SNMP polling not working

    Cause: SNMP requests may fail due to misconfiguration, missing NAT rules, or Kubernetes SNAT behavior.

    Workaround:

    • Verify the SNMP configuration.

      From the FTD CLI, confirm the configured snmp-server host entries and check whether the request counters are increasing:

      show running-config snmp-server

      show snmp-server statistics

    • Verify the snmpd process.

      In expert mode, confirm that the SNMP daemon is running and listening on UDP port 161 (ss -ulnp is the equivalent where netstat is not installed):

      $ ps aux | grep snmpd

      $ netstat -ulnp | grep 161

    • Verify iptables rules.

      Ensure SNMP traffic is allowed and NAT rules are present:

      $ sudo iptables -L INPUT -n | grep 161

      $ sudo iptables -t nat -L -n | grep 161

    • Capture SNMP traffic.

      Capture packets on the management interface (replace eth0 with the management interface name if it differs):

      $ sudo tcpdump -i eth0 -n udp port 161 -v

    • Identify the source IP address seen by the FTD (the behavior differs between Docker and Kubernetes).

      Compare the source IP address in the packet capture with the configured snmp-server host:

      In Docker: source IP address = SNMP client IP address

      In Kubernetes: source IP address = node IP address, because the cluster data path SNATs the poller's traffic before it reaches the pod

      The FTD only answers hosts listed in its snmp-server host configuration, so a request arriving from an unlisted address is ignored. If the capture shows a mismatch, update the snmp-server host configuration to the Kubernetes node IP address observed in the capture.
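
    The comparison in the last step can be scripted. The following is an added example and not part of the Firewall Threat Defense Container documentation: it extracts the source addresses of packets sent to UDP 161 from tcpdump -n output (with or without -v, which moves the "src > dst" pair onto an indented continuation line), ignores the FTD's own replies, and flags every source that is not among the configured snmp-server hosts. The capture lines and all addresses are constructed; 10.10.2.5 plays the FTD management interface, 192.168.50.11 the SNMP poller that was configured, and 10.10.1.20 a Kubernetes node IP.

```shell
#!/bin/sh
# Added example (not part of the FTDc documentation): compare the source IPs
# of SNMP requests in a `tcpdump -n` capture with the snmp-server host entries
# configured on the FTD. A source that is not a configured host is the
# Kubernetes SNAT symptom described above (the node IP shows up instead of the
# poller). SAMPLE_CAPTURE and every address in it are constructed.

# Print the unique source IPs of packets destined to UDP port 161.
# stdin: tcpdump -n output; works with and without -v.
snmp_request_sources() {
  awk '
    {
      for (i = 2; i < NF; i++) {
        # the field after ">" is the destination; keep packets aimed at .161
        if ($i == ">" && $(i + 1) ~ /^[0-9.]+\.161:/) {
          src = $(i - 1)
          sub(/\.[0-9]+$/, "", src)   # drop the ephemeral source port
          print src
        }
      }
    }' | sort -u
}

# Report each observed source against the configured SNMP hosts.
# $1: space-separated list of snmp-server host addresses taken from
#     "show running-config snmp-server"; stdin: tcpdump -n output.
# Returns 1 if any observed source is not a configured host.
check_snmp_sources() {
  configured=" $1 "
  rc=0
  for src in $(snmp_request_sources); do
    case "$configured" in
      *" $src "*) printf 'ok %s\n' "$src" ;;
      *) printf 'MISMATCH %s (not a configured snmp-server host)\n' "$src"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed capture: a poll that arrives from a node IP (10.10.1.20) after
# SNAT, the FTD's reply to it (must not be counted), and a -v style record
# from the poller itself (192.168.50.11).
SAMPLE_CAPTURE='10:01:12.110233 IP 10.10.1.20.53412 > 10.10.2.5.161: C="public" GetRequest(28) .1.3.6.1.2.1.1.1.0
10:01:12.111874 IP 10.10.2.5.161 > 10.10.1.20.53412: C="public" GetResponse(60) .1.3.6.1.2.1.1.1.0
10:01:15.002941 IP (tos 0x0, ttl 63, id 4100, offset 0, flags [DF], proto UDP (17), length 70)
    192.168.50.11.41002 > 10.10.2.5.161: [udp sum ok]  { SNMPv2c C="public" { GetRequest(28) R=2  .1.3.6.1.2.1.1.5.0 } }'

# Stand-alone demo: only 192.168.50.11 is configured, so the node IP is flagged.
# Live use: sudo tcpdump -i eth0 -n udp port 161 -l | check_snmp_sources "192.168.50.11"
printf '%s\n' "$SAMPLE_CAPTURE" | check_snmp_sources "192.168.50.11" ||
  echo "fix: add the flagged node IP address to the snmp-server host configuration"
```

    Running it against the constructed capture reports 10.10.1.20 as a mismatch and 192.168.50.11 as ok; adding the node IP to the host list (the page's workaround) makes the check pass.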