This chapter describes how to troubleshoot issues that might occur on the policy engine.
When there are policy engine issues, use these commands to troubleshoot:
When policies or rules do not work as expected, do the following:
A policy or rule with VM attributes requires additional data for the Cisco VSG to evaluate the policy engine. If this data is incomplete, the statistics can show incorrect or not-applicable hits. When the policy or rule is configured with VM attributes, make sure that you see VM information in the following outputs:
To enable firewall protection for a VM, you must configure the vn-service and org CLI in the port profile on the VSM. This enables access to IP addresses and other network attributes for the VM.
To turn on firewall protection for the server VM (any traffic to or from the server VM is protected by the Cisco VSG, but the client VM is not), write a rule that permits traffic from the source, identified by the source IP address, to the destination, identified by the destination VM IP address, by doing the following:
Confirm that the buffers in use are not zero by entering the show ac-driver statistics command. If the value is zero, check and fix the adapter type.
Microsoft Hyper-V offers a choice between a network adapter and a legacy network adapter; use the regular network adapter for each interface.