Manage and Troubleshoot the Illumio LW-VEN
This section covers Illumio LW-VEN pairing and activation concepts, Illumio firewall rules, tamper detection, support bundle generation, common commands, and troubleshooting.
About Pairing and Activation
The terms “activation” and “pairing” indicate the same function from different perspectives; namely, putting the workload under managed control by the PCE:
The LW-VEN sees itself as activated or deactivated.
The PCE sees an LW-VEN as paired or unpaired.
Pairing and Activating the LW-VEN
Step | Action | Result |
---|---|---|
1 | The LW-VEN is installed. | The PCE remains unaware the LW-VEN is present. |
2 | The LW-VEN and the PCE are paired. | The PCE uses a pairing key (activation code) to pair with the LW-VEN. After pairing, the PCE becomes aware of the LW-VEN. |
3 | The LW-VEN is activated. | The LW-VEN uses an activation code generated by the PCE. After activation, the LW-VEN is ready to function. |
Unpairing, deactivating, and uninstalling the LW-VEN
Here's how these operations work in this solution:
Unpairing the LW-VEN through the PCE UI or by issuing illumio-lwven-ctl unpair unpairs the LW-VEN from the PCE and uninstalls the LW-VEN software.
Deactivating the LW-VEN by issuing illumio-lwven-ctl deactivate unpairs the LW-VEN from the PCE but doesn't remove the LW-VEN software.
Uninstalling the Illumio Legacy Windows VEN Service through the Windows Control Panel > Programs and Features:
Unpairs the LW-VEN from the PCE
Removes the Workload object from the PCE
Removes Illumio firewall rules and any working files
Uninstalls the LW-VEN software from the Windows server
View the Illumio rules applied to the native firewall
Illumio rules applied to the Windows Server's native firewall begin with Illumio. For example: IllumioInTcp14000Permit
There are two ways to view Illumio firewall rules:
Generate a Support Report and look in the Firewall.txt file.
Issue a command on the Windows Server:
Note
Using the findstr filter shows only the first line of each rule, not the entire rule.
Win 2003 SP1/SP2:
C:\Users\Administrator> netsh firewall show portopening enable | findstr /R "Illumio.*"
Win 2008 SP1/SP2:
C:\Users\Administrator> netsh advfirewall firewall show rule name=all | findstr /R "Illumio.*"
Tamper detection
The Illumio Legacy Windows VEN Service performs tamper checking whenever it heartbeats to the PCE (every 5 minutes) and discovers that there is no new policy to apply. Whenever the policy update check occurs, the Illumio Legacy Windows VEN Service checks whether the last-applied Illumio policy on the legacy server differs from the last applied policy from the PCE. If a difference is detected, the Legacy Windows VEN Service reverts the policy to the intended state so that the correct PCE security policy is enforced.
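The netsh commands in the previous section only show the first line of each Illumio rule, and the tamper check just described runs inside the service, so there is no built-in way to see the comparison yourself. The following PowerShell is an added example, not Illumio's code or documentation: it parses the complete output of netsh advfirewall firewall show rule name=all (the Windows Server 2008 format) into one object per rule, keeps the rules whose names begin with Illumio, and then performs a drift check of the same kind as the service's tamper check, comparing a baseline rule set against the rules present now. The function names, the comparison logic, and every rule name except IllumioInTcp14000Permit are assumptions constructed for the example; it assumes PowerShell 3.0 or later, and the baseline is whatever you captured (for instance the Firewall.txt from a support report taken right after a policy was applied), not the PCE's own record of the last-applied policy.

```powershell
# Added example, not Illumio's code. Parses the full text of
# "netsh advfirewall firewall show rule name=all" (Windows Server 2008 format) into
# one object per rule, so rules can be read whole instead of first-line-only via findstr.
function ConvertFrom-NetshRuleText {
    param([Parameter(Mandatory)][string[]]$Lines)
    $rules = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s*(.*)$') {       # a new rule block starts here
            if ($current) { $rules += [pscustomobject]$current }
            $current = [ordered]@{ 'Rule Name' = $Matches[1].Trim() }
            continue
        }
        if (-not $current -or $line -match '^-+$' -or $line.Trim() -eq '') { continue }
        if ($line -match '^([^:]+):\s*(.*)$') {         # "Key:   Value" line
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += [pscustomobject]$current }
    return $rules
}

# Only the Illumio-programmed rules (names begin with "Illumio"), from live netsh
# output or from text you pass in, such as Firewall.txt out of a support report.
function Get-IllumioFirewallRule {
    param([string[]]$InputText)
    if (-not $InputText) { $InputText = netsh advfirewall firewall show rule name=all }
    ConvertFrom-NetshRuleText -Lines $InputText | Where-Object { $_.'Rule Name' -like 'Illumio*' }
}

# Drift check in the spirit of the service's tamper detection: compare a baseline
# rule set (assumed to reflect the last-applied PCE policy) with the rules present now.
function Compare-IllumioRuleSet {
    param([Parameter(Mandatory)][object[]]$Baseline, [Parameter(Mandatory)][object[]]$Current)
    $fields = 'Enabled','Direction','Profiles','LocalIP','RemoteIP','Protocol','LocalPort','RemotePort','Action'
    $base = @{}; foreach ($r in $Baseline) { $base[$r.'Rule Name'] = $r }
    $now  = @{}; foreach ($r in $Current)  { $now[$r.'Rule Name']  = $r }
    $missing    = @($base.Keys | Where-Object { -not $now.ContainsKey($_) })   # removed by hand
    $unexpected = @($now.Keys  | Where-Object { -not $base.ContainsKey($_) })  # never sent by the PCE
    $changed    = @()
    foreach ($name in $base.Keys) {
        if (-not $now.ContainsKey($name)) { continue }
        foreach ($f in $fields) {
            if ("$($base[$name].$f)" -ne "$($now[$name].$f)") {
                $changed += "${name}: $f '$($base[$name].$f)' -> '$($now[$name].$f)'"
            }
        }
    }
    [pscustomobject]@{
        Missing = $missing; Unexpected = $unexpected; Changed = $changed
        Tampered = ($missing.Count + $unexpected.Count + $changed.Count) -gt 0
    }
}

# Constructed sample in the netsh output format; every rule name except
# IllumioInTcp14000Permit is made up for this example. Non-Illumio rules are ignored.
$baselineText = @'
Rule Name:                            IllumioInTcp14000Permit
----------------------------------------------------------------------
Enabled:                              Yes
LocalPort:                            14000
Action:                               Allow

Rule Name:                            IllumioInTcp3389Permit
----------------------------------------------------------------------
Enabled:                              Yes
LocalPort:                            3389
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
'@ -split "`r?`n"

# Same host later (constructed): the 3389 rule was disabled by hand and a rule the
# PCE never sent has appeared. Both must be reported as drift.
$currentText = @'
Rule Name:                            IllumioInTcp14000Permit
----------------------------------------------------------------------
Enabled:                              Yes
LocalPort:                            14000
Action:                               Allow

Rule Name:                            IllumioInTcp3389Permit
----------------------------------------------------------------------
Enabled:                              No
LocalPort:                            3389
Action:                               Allow

Rule Name:                            IllumioInTcpAnyPermit
----------------------------------------------------------------------
Enabled:                              Yes
LocalPort:                            Any
Action:                               Allow
'@ -split "`r?`n"

$baseline = Get-IllumioFirewallRule -InputText $baselineText
$current  = Get-IllumioFirewallRule -InputText $currentText
Compare-IllumioRuleSet -Baseline $baseline -Current $current | Format-List
```

With the constructed input the result lists IllumioInTcpAnyPermit as Unexpected, IllumioInTcp3389Permit with Enabled changed from Yes to No, and Tampered as True. On a live server, call Get-IllumioFirewallRule with no arguments to read the running firewall; the service itself will revert such drift on its next heartbeat, so a Tampered result seen between heartbeats is the signal worth alerting on.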
Support report
You can generate the Illumio Legacy Windows VEN Service support report. It includes the following information:
Firewall.txt: Lists all the rules currently programmed in the native Windows Firewall.
Logs specifying:
When policy was last received
When policy was last applied and what was applied
System information (output of the systeminfo command)
Generate a Support Report
Option 1:
This is the simplest way to generate a report.
Note
This option assumes that the LW-VEN is in a running state on the Windows Server.
Go to Servers & Endpoints > Workloads > VENs
Click the name of the LW-VEN you added to go to its details page.
Click Generate Support Bundle.
The bundle is uploaded to the PCE (may take up to 10 minutes).
Option 2:
This option is useful if the LW-VEN is stopped due to a major problem.
Issue
illumio-lwven-ctl support-report
The location of the report on the Windows server is returned after you issue the command. This report is not sent to the PCE.
Logs
The Illumio LW-VEN Service logs its operations locally on the Windows Server. Logs are rotated from primary to backup when their size reaches 10MB or once every 24 hours at midnight.
Location
32-bit:
C:\Program Files\Illumio LW-VEN Service\logs
64-bit:
C:\Program Files (x86)\Illumio LW-VEN Service\logs
Archive
By default, seven log archives are preserved on the workload.
Commands
You can issue the following commands to interact with the Illumio LW-VEN Service.
Note
Only the Illumio LW-VEN Service account user can issue illumio-lwven-ctl commands. All commands include the prefix illumio-lwven-ctl.
activate
status
restart
stop
start
unpair
Removes the Illumio policy from the firewall, removes the LW-VEN from the PCE, and uninstalls the LW-VEN software from the Windows server. You can also uninstall the LW-VEN from the PCE by clicking Unpair for the appropriate LW-VEN on the PCE VEN page. With this unpairing method, it may take up to five minutes for the LW-VEN to be unpaired and uninstalled.
deactivate
Removes the Illumio policy from the firewall; removes the PCE objects from the PCE and from the Illumio LW-VEN Service; does not remove the LW-VEN software from the installation directory (in case you want to later re-activate the LW-VEN without having to install the LW-VEN package).
support-report
suspend
Suspends the Illumio LW-VEN Service and uninstalls Illumio policy from the firewall.
unsuspend
Enables and starts the Illumio LW-VEN Service; retrieves and applies the latest PCE policy.
Troubleshooting
This section describes how to troubleshoot common issues.
Issue | Remediation |
---|---|
The Illumio Legacy Windows VEN Service stops. | Check the logs: the Windows Event Viewer log and the local Illumio logs. |
Problem receiving policy from the PCE. | |
Problem applying policy to the workload created by the Illumio Legacy Windows VEN Service. | |
Problem with the connection between the Illumio Legacy Windows VEN Service and the PCE. | The Illumio Legacy Windows VEN Service tries every five minutes to reconnect to the PCE. |
Unable to install, stop, suspend, or unpair the Illumio Legacy Windows VEN Service. | These issues may be caused by the User Account Control (UAC) feature if it is enabled on your legacy Windows Server machines. UAC is a Windows security feature that prevents unauthorized changes to the operating system. Disable the User Account Control (UAC) feature if it is enabled. |
Pairing the LW-VEN with the PCE fails; a message indicates that the pairing key was generated from a pairing profile with unsupported settings for this solution, such as the wrong Enforcement mode or Enforcement Node Type. | Obtain a properly encoded pairing key (see STEP 2) and repeat STEP 3 and STEP 4. |
LW-VEN fails to activate with the PCE. | Make sure the interface language of the user account used to activate and run the LW-VEN is set to any version of English. The LW-VEN requires English to parse the output of the |