The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to troubleshoot issues that might occur on the policy engine.
This chapter includes the following sections:
When there are policy engine issues, use these commands to troubleshoot:
When policies or rules do not work as expected, do the following:
A policy or rule that uses VM attributes requires additional data before the Cisco VSG policy engine can evaluate it. If this data is incomplete, the statistics can show incorrect or not-applicable hits. When a policy or rule is configured with VM attributes, make sure that VM information appears in the following outputs:
To enable firewall protection for a VM, you must configure the vn-service and org CLI in the port profile at the VSM—this enables access to IP addresses and other attributes for the VM.
To write policies or rules for VMs based on their vCenter attributes without protecting those VMs, configure only the org CLI in the port profile. This enables learning of IP addresses and other attributes for the VM with no firewall protection (for example, a client VM running the Windows OS and a server VM running the Linux OS). To turn on firewall protection for the server VM only (any traffic to or from the server VM is protected by the Cisco VSG, but traffic of the client VM is not), write a rule that permits a source with the Windows OS and a destination with the Linux OS VM by doing the following:
Verify that the correct MAC address is displayed by entering the show vservice brief command on the VSM. The MAC address should be the MAC address of the Cisco VSG data interface.
This example shows the show vservice brief output:
If the MAC address is correct, check the following:
When the Cisco VSG is deployed by using the OVA format, this issue does not occur because the correct adapter type is selected automatically.