Troubleshoot a Secure Device Connector
Use these topics to troubleshoot an on-premises Secure Device Connector (SDC).
If none of these scenarios match yours, open a case with Cisco Technical Assistance Center.
SDC is Unreachable
An SDC is in the state "Unreachable" if it has failed to respond to two heartbeat requests from Security Cloud Control in a row. If your SDC is unreachable, your tenant will not be able to communicate with any of the devices you have onboarded.
Security Cloud Control indicates that an SDC is unreachable in these ways:
-
You see the message, “Some Secure Device Connectors (SDC) are unreachable. You will not be able to communicate with devices associated with these SDCs.” on the Security Cloud Control home page.
-
The SDC's status in the Services page is "Unreachable."
Frist, attempt to reconnect the SDC to your tenant to resolve this issue:
-
Check that the SDC virtual machine is running and can reach a Security Cloud Control IP address in your region. See Connect Security Cloud Control to your Managed Devices.
-
Attempt to reconnect Security Cloud Control and the SDC by requesting a heartbeat manually. If the SDC responds to a heartbeat request, it will return to "Active" status. To request a heartbeat manually:
-
In the left pane, choose
. -
Click the SDC that is unreachable.
-
In the Actions pane, click Request Heartbeat.
-
Click Reconnect.
-
-
If the SDC does not return to the Active status after manually attempting to reconnect it to your tenant, follow the instructions in SDC Status not Active on Security Cloud Control after Deployment.
.
SDC Status not Active on Security Cloud Control after Deployment
If Security Cloud Control does not indicate that your SDC is active in about 10 minutes after deployment, connect to the SDC VM using SSH using the
Security Cloud Control
user and password you created when you deployed the SDC.
Procedure
Step 1 |
Review
|
Step 2 |
If after reviewing the log and running |
Changed IP Address of the SDC is not Reflected in Security Cloud Control
If you changed the IP address of the SDC, it will not be reflected in Security Cloud Control until after 3:00 AM GMT.
Troubleshoot Device Connectivity with the SDC
Use this tool to test connectivity from Security Cloud Control, through the Secure Device Connector (SDC) to your device. You may want to test this connectivity if your device fails to onboard or if you want to determine, before on-boarding, if Security Cloud Control can reach your device.
Procedure
Step 1 |
In the left pane, click , and click the Secure Connectors tab. |
Step 2 |
Select the SDC. |
Step 3 |
In the Troubleshooting pane on the right, click Device Connectivity. |
Step 4 |
Enter a valid IP address or FQDN and port number of the device you are attempting to troubleshoot, or attempting to connect to, and click Go. Security Cloud Control performs the following verifications: |
Step 5 |
If you continue to have issues onboarding or connecting to the device, contact Security Cloud Control support. |
Intermittent or No Connectivity with SDC
The solution discussed in this section applies only to an on-premise Secure Device Connector (SDC).
Symptom: Intermittent or no connectivity with SDC.
Diagnosis: This problem may occur if the disk space is almost full (above 80%).
Perform the following steps to check the disk space usage.
-
Open the console for your Secure Device Connector (SDC) VM.
-
Log in with the username cdo.
-
Enter the password created during the initial login.
-
First, check the amount of free disk space by typing df -h to confirm that there is no free disk space available.
You can confirm that the disk space was consumed by the Docker. The normal disk usage is expected to be under 2 Gigabytes.
-
To see the disk usage of the Docker folder,
execute sudo du -h /var/lib/docker | sort -h.
You can see the disk space usage of the Docker folder.
Procedure
If the disk space usage of the Docker folder is almost full, define the following in the docker config file:
-
Max-size: To force a log rotation once the current file reaches the maximum size.
-
Max-file: To delete excess rotated log files when the maximum limit it reached.
Perform the following:
-
Execute sudo vi /etc/docker/daemon.json.
-
Insert the following lines to the file.
{
"log-driver": "json-file",
"log-opts": {"max-size": "100m", "max-file": "5" }
}
-
Press ESC and then type :wq! to write the changes and close the file.
Note
You can execute sudo cat /etc/docker/daemon.json to verify the changes made to the file.
-
Execute sudo systemctl restart docker to restart the docker file.
It will take a few minutes for the changes to take effect. You can execute sudo du -h /var/lib/docker | sort -h to see the updated disk usage of the docker folder.
-
Execute df -h to verify that the free disk size has increased.
-
Before your SDC status can change from Unreachable to Active, you must go to the Secure Connectors tab which you can navigate to from and click Request Reconnect from the Actions menu.
Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc
The Cisco Product Security Incident Response Team (PSIRT) published the security advisory cisco-sa-20190215-runc which describes a high-severity vulnerability in Docker. Read the entire PSIRT team advisory for a full explanation of the vulnerability.
This vulnerability impacts all Security Cloud Control customers:
-
Customers using Security Cloud Control's cloud-deployed Secure Device Connector (SDC) do not need to do anything as the remediation steps have already been performed by the Security Cloud Control Operations Team.
-
Customers using an SDC deployed on-premise need to upgrade their SDC host to use the latest Docker version. They can do so by using the following instructions:
Updating a Security Cloud Control-Standard SDC Host
Use these instructions if you deployed an SDC using the Security Cloud Control image.
Procedure
Step 1 |
Connect to your SDC host using SSH or the hypervisor console. |
||
Step 2 |
Check the version of your Docker service by running this command:
|
||
Step 3 |
If you are running one of the latest virtual machines (VMs) you should see output like this: It's possible you may see an older version here. |
||
Step 4 |
Run the following commands to update Docker and restart the service:
|
||
Step 5 |
Run the docker version command again. You should see this output:
|
||
Step 6 |
You are done. You have now upgraded to the latest, and patched, version of Docker. |
Updating a Custom SDC Host
If you have created your own SDC host you will need to follow the instructions to update based on how you installed Docker. If you used CentOS, yum and Docker-ce (the community edition) the preceding procedure will work.
If you have installed Docker-ee (the enterprise edtion) or used an alternate method to install Docker, the fixed versions of Docker may be different. You can check the Docker page to determine the correct versions to install: Docker Security Update and Container Security Best Practices.
Bug Tracking
Cisco is continuing to evaluate this vulnerability and will update the advisory as additional information becomes available. After the advisory is marked Final, you can refer to the associated Cisco bug for further details:
Invalid System Time
Security Cloud Control is adapting a new way of communicating with the Secure Device Connector (SDC). To facilitate this, Security Cloud Control must migrate your existing SDC to the new communication method by February 1, 2024.
Note |
If your SDC is not migrated by February 1, 2024, Security Cloud Control will no longer be able to communicate with your devices through the SDC. |
Security Cloud Control's operations team attempted to migrate your SDC but was unsuccessful because your SDC system time was 15 minutes ahead or behind the AWS system time.
Please follow the steps below to correct the system time issue. Once this problem is resolved, we will be able to proceed with the migration.Procedure
Step 1 |
Login to your SDC VM throught the VM terminal or by making an SSH connection. |
Step 2 |
At the prompt, enter |
Step 3 |
You are now going to respond to the SDC setup questions as if you are were setting up the SDC for the first time. Re-enter all the same passwords and network information as you had before, except take special note of the NTP server address:
|
Step 4 |
Validate that your time server is reachable and synchronized with your SDC by
entering |
What to do next
Contact the Cisco Technical Assistance Center (TAC) once you have completed these steps, or in case you encounter any errors. Once you have successfully completed these steps, the Security Cloud Control operations team can complete your SDC migration to the new communication method.
SDC version is lower than 202311****
Security Cloud Control is adapting a new way of communicating with the Secure Device Connector (SDC). To facilitate this, Security Cloud Control must migrate your existing SDC to the new communication method by February 1, 2024.
Note |
If your SDC is not migrated by February 1, 2024, Security Cloud Control will no longer be able to communicate with your devices through the SDC. |
Security Cloud Control's operations team attempted to migrate your SDC but was unsuccessful because your tenant is running a version lower than 202311****.
The current version of your SDC is listed on the Secure Connectors page by navigating from the Security Cloud Control menu bar, . After selecting your SDC, its version number is found in the Details pane on the right of the screen.
Please follow the steps below to upgrade the SDC version. Once this problem is resolved, Security Cloud Control operations will be able to run the migration process again.Procedure
Step 1 |
Log in to the SDC VM and authenticate. |
Step 2 |
At the prompt, enter |
Step 3 |
At the prompt, enter If you receive the message |
Step 4 |
At the prompt, enter |
Step 5 |
Verify the new version of the SDC:
|
What to do next
Contact the Cisco Technical Assistance Center (TAC) once you have completed these steps, or in case you encounter any errors. Once you have successfully completed these steps, the Security Cloud Control operations team can run the migration process again.
Certificate or Connection errors with AWS servers
Security Cloud Control is adapting a new way of communicating with the Secure Device Connector (SDC). To facilitate this, Security Cloud Control must migrate your existing SDC to the new communication method by February 1, 2024.
Note |
If your SDC is not migrated by February 1, 2024, Security Cloud Control will no longer be able to communicate with your devices through the SDC. |
Please follow the steps below to correct the connection issue. Once this problem is resolved, we will be able to proceed with the migration.
Procedure
Step 1 |
Create firewall rules that allow outbound proxy connections, on port 443, to the domains in your region:
|
||||
Step 2 |
You can determine the full list of IP addresses you need to add to your firewall's "allow list" by using one of the commands below.
|
What to do next
Contact the Cisco Technical Assistance Center (TAC) once you have completed these steps, or in case you encounter any errors. Once you have successfully completed these steps, the Security Cloud Control operations team can complete your SDC migration to the new communication method.