VEN Clone Detection and Remediation
Note
Currently, this feature is available to only a limited number of organizations and is not enabled by default.
When a workload is cloned, the installed VEN is also cloned. Cloned VENs can cause significant load and consistency issues for the PCE. Clones may also generate redundant heartbeats and conflicting policy synchronization events, often triggered by frequent IP changes or duplicated host identities.
To address these issues, the PCE detects cloned workloads so that the associated cloned VEN can be assigned (either automatically or manually) a unique identity distinct from the original VEN. This is known as remediation.
Clone Detection Signals
Event Log: When a clone is detected, the PCE generates a Workload Clone Alert and logs the event agent.clone_detected in the Event log.
The following applies only to detected, unremediated VEN clones (pending manual remediation).
PCE UI: A red error icon appears on Servers & Endpoints > Workloads > VENs, and the cloned VEN’s details page displays “VEN clone detected.” You can also search for cloned VENs by filtering for “VEN clone detected.”
REST API: The Illumio REST API represents clone detection with the clone_detected state.
VEN Clone Remediation by Operating System & Illumio Release
There are two types of remediation: Automatic and Manual. The remediation type available in a given case depends on:
The workload's operating system
The version of the VEN and the PCE
| Supported Remediation Type | Operating System | Supported Illumio PCE & VEN Version |
|---|---|---|
| Automatic | Windows (domain-joined) | All versions |
| Automatic | Windows (non-domain-joined); Linux & Solaris | 25.2.40 and later VENs, paired with these PCEs: Automatic remediation is not supported on PCE versions 25.4.x, 26.1.x and 26.10.x. |
| Manual | Windows (non-domain-joined); Linux & Solaris | Pre-25.2.40 |
| Manual | AIX | All versions |
Understanding Remediation Types
Automatic Remediation
Important
See the support information detailed in the table above.
Automatic Remediation automatically pairs detected clones with the PCE without requiring user intervention. As part of this process, the cloned VEN is assigned its own identity and becomes a distinct agent separate from the original VEN. Pairing is synonymous with activating the VEN.
Manual Remediation
When automatic remediation isn't possible, perform the following steps to manually remediate cloned VENs:
Filter for "VEN clone detected" on the Servers & Workloads > Workloads > VENs tab.
Pair the VEN with the PCE. See Pairing Profiles and Scripts.