VEN Suspension
If users are not able to reach an app on a workload, you can suspend the VEN to see if the VEN was causing the issue. The VEN suspension feature allows you to isolate a VEN on a workload to troubleshoot any communication issues with that workload, and to determine if the VEN is the cause of the anomalous behavior.
Important
Security Implications: When the VEN is suspended, the workload firewall rules are removed leaving the VEN open and all traffic is allowed.
About VEN Suspension
When a VEN is suspended, the following is true:
Any rules programmed into the workload's iptables (including Custom iptables rules), Windows Filtering Platform (WFP), or ipfilter, or pf firewalls are removed completely, and all VEN software processes are shut down.
The VEN connectivity and policy sync status are changed to Suspended.
The VEN informs the PCE that it is in the suspended state. If the PCE does not receive this notification, you must mark the workload as Suspended in the PCE web console.
If the PCE does not receive the VEN suspension notification and you do not mark the VEN as suspended in the PCE, after one hour, the PCE assumes the workload is offline and removes it from the policy, which effectively isolates the workload from the network. For example, users will not be able to reach apps on the workload.
Workloads communicating with the suspended VEN continue to have their rules programmed into iptables or WFP.
The SecureConnect policy continues to be in effect while the VEN is suspended.
An organization event (
server_suspended) is logged. This event is exportable to CEF/LEEF and has a severity of WARNING.
Properties of a suspended VEN:
The workload continues to appear in the PCE in the workloads list page and Illumination map.
You can unpair a workload while its VEN is suspended.
You can change the policy state of the workload in the PCE Web Console while the VEN is suspended.
When the VEN is unsuspended, the new policy state is applied.
Heartbeats or other communication is not expected, but if one is received, any communication is logged by the PCE.
If the PCE is rebooted, the VEN remains suspended.
When a VEN is unsuspended:
The PCE is informed that the VEN is no longer suspended and can now receive policy from the PCE.
If existing Rules affect the unsuspended workload, the PCE will reprogram those Rules.
An organization event (
server_unsuspended) is logged. This event is exportable to CEF/LEEF and has a severity of WARNING.The workload will revert to its policy state prior to Suspended.
Custom iptables Rules are configured back into the iptables.
You can manage VEN suspension by using these features of the Illumio Core:
The REST API
For more information on this method, see "VEN Operations" in the REST API Developer Guide.
The command line
The PCE web console
For more information, see Mark VEN as Suspended Using the PCE Web Console in this topic.
Linux VEN: Back Up Custom iptables/NAT Rules
Note
Before suspending a Linux VEN, back up the workload PCE custom iptables filter or NAT rules.
After a workload is suspended, restore the rules on the workload because all custom iptables filter or NAT rules will have been removed from the workload.
Suspend and Unsuspend Commands
Platform | Action | Command | Notes |
|---|---|---|---|
Linux/Unix |
| $ illumio-ven-ctl suspend Suspending the VEN... The VEN has been suspended. PCE was notified. $ illumio-ven-ctl unsuspend Unsuspending the VEN... The VEN has been unsuspended. PCE was notified. | On Linux, be sure to backup your custom configuration. |
Windows |
| <VEN Installation Directory>\illumio-ven-ctl.exe suspend Suspending the VEN... The VEN has been suspended. PCE was notified. <VEN Installation Directory>\illumio-ven-ctl.exe unsuspend Unsuspending the VEN... The VEN has been unsuspended. PCE was notified. |
Mark VEN as Suspended Using the PCE Web Console
In addition to using the command explained in the previous section, you can mark a workload as Suspended using the PCE web console.
Note
Marking a workload as Suspended in the PCE web console does not actually suspend the VEN. It should only be used if the VEN went offline before it could be suspended. Marking the workload as Suspended is a way to keep the PCE from removing the VEN from the policy and isolating it from the rest of the network.
To mark a VEN Suspended:
Go to Servers & Endpoints > Workloads.
Click the VENs tab.
Click the name of the VEN you want to mark as suspended.
On the VEN's detail page, click Mark as Suspended.
Click Suspend to confirm the VEN suspension.
The number of suspended workloads is displayed at the top of the page and the suspended workload is displayed on the Workloads page with a red "Suspended" icon.
To clear a VEN's Suspension status:
Go to Servers & Endpoints > Workloads.
Click the VENs tab.
Click the name of a VEN marked as suspended that you want to mark as unsuspended.
On the VEN's detail page, click Clear Suspension.
Click Clear to confirm.
Disable VEN Suspension on Workloads
You can disable the ability to suspend a VEN on a workload. To disable the VEN suspension feature, define the following environment variable for the VEN. How you set the variable varies by VEN platform. See the procedures to set the environment variable for each platform.
Environment Variable | Values |
|---|---|
| 1 – Disable VEN suspension 0 – VEN suspension is enabled |
Note
Disabling VEN suspension is not supported for Illumio Secure Cloud customers.
Linux VENs
Before installing or upgrading the Linux VEN, enter the following command line syntax to set the environment variable:
# VEN_NO_SUSPEND=1 <ven_install_or_upgrade_command>Examples:
# VEN_NO_SUSPEND=1 rpm -i <illumio-ven-pkg>.rpm
# VEN_NO_SUSPEND=1 dpkg -i <illumio-ven-pkg>.deb
# VEN_NO_SUSPEND=1 rpm -U <illumio-ven-pkg>.rpm
Windows VENs
Disabling the suspend command:
<ven_installation_filename>.exe <options> VEN_NO_SUSPEND=1
Available options include:
/install/log logfile.log/quiet
Example:
ven_install_filename.exe /install EN_NO_SUSPEND=1
AIX VENs
Before installing or upgrading the AIX VEN, enter the following command line syntax to set the environment variable:
# VEN_NO_SUSPEND=1 <ven_install_or_upgrade_command>Example:
# VEN_NO_SUSPEND=1 installp -acXgd <path_to_bff_package> illumio-ven
Solaris VENs
When you install the Solaris VEN by interactively responding to installer prompts, enter n at the following prompt:
"Do you want to disable VEN suspend? [y,n] ", enter as required : y - disable, n - default/no-action
When you use the template file in the VEN package to pre-load responses to installer prompts, copy the following file:
illumio-ven/root/opt/illumio_ven/etc/templates/response
Change the copied file in the following way:
/usr/xpg4/bin/sed 's/^VEN_NO_SUSPEND=0/VEN_NO_SUSPEND=1/g’ \ < illumio-ven/root/opt/illumio_ven/etc/templates/response \ > illumio-ven/root/opt/illumio_ven/etc/templates/response.custom