VEN and Workload States
This topic consolidates information about VEN and Workload states and identifies where they appear in the PCE. You can also find much of the same information in other topics throughout Illumio documentation.
Workload Connectivity
Possible states | Definition | PCE UI Locations |
---|---|---|
Online | The workload is connected to the network and can communicate with the PCE. | |
Offline | The workload is not connected to the network and cannot communicate with the PCE. | |
Unmanaged | No VEN is installed on the workload. | |
Workload Policy Sync
Possible states | Definition | PCE UI Locations |
---|---|---|
Active | The most recent policy provisioning was successful, no unwanted changes to the workload's firewall have been reported, and all VEN processes are running correctly. | |
Active (Syncing) | Policy is currently being applied to the workload. This state appears if the VEN is not currently heartbeating but the PCE has not received a goodbye event from the VEN and the disconnect & quarantine threshold timer has not yet been reached. This is appropriate because, from the PCE's point of view, the VEN status is not Stopped and the policy sync status is Syncing. A workload may also have a status of Active (Syncing) if there is a high rate of policy changes taking place, either from user provisioning actions or from VEN environmental policy changes (for example, new VENs being activated or old VENs being deactivated/unpaired). | |
Syncing | The PCE has received a goodbye event from a VEN but the decommission offline timer threshold has not yet been reached. This is appropriate because the VEN, although stopped, is not yet removed from policy and therefore has not yet been marked as Offline. When the offline timer expires, the VEN's status transitions to Stopped and its IP is removed from policy. | |
Error | One of the following errors has been reported by the VEN: | |
Warning | At least one SecureConnect connection is in an erroneous state, and either the most recent policy provisioning was successful or no unwanted changes to the workload's firewall have been reported. | |
Suspended | The VEN is in the suspended state, and any rules programmed into the workload's iptables (including custom iptables rules) or Windows Filtering Platform firewalls are removed completely. No Illumio-related processes are running on the workload. | |
Staged (PCE) | The PCE has successfully sent policy to the VEN and it is staged and scheduled to be applied by the user at a later time. Staged appears only if the Policy Update Mode is configured to use Static Policy. For more information, see Policy Update Mode. | |
Staged (VEN) | The VEN has received the latest OS-level firewall rules from the PCE but has not applied them. | |
VEN Health
Note
VEN health is independent from VEN status.
Possible states | Definition | PCE UI Location |
---|---|---|
Healthy | No specific error or warning conditions related to the VEN and its operation are currently present. | VEN details page > Summary tab |
Warning | The VEN has missed 1 or more heartbeats. | |
Error | | |
VEN Status
Note
VEN status is independent from VEN health.
Possible states | Definition | UI Location |
---|---|---|
Active | The PCE is expecting the VEN to heartbeat. | VEN details page > Summary tab |
Suspended | Either the VEN was suspended from the CLI and reported it to the PCE, or the user marked the VEN as suspended in the PCE UI. For more information, see VEN Suspension. | |
Stopped | The VEN has sent a goodbye message to the PCE and the time specified in the Offline Timer has elapsed. The VEN's IP address is removed from policy. On the Workload list page, the "Connectivity" column is changed to "Status." On the Workload details pages, "VEN Connectivity" is changed to "VEN Status." | |
See Also
Monitor and Diagnose PCE Health