Illumio Core 25.2.10 Install, Configure, Upgrade

Must download VEN software package (RPM) and install and activate using the VEN CTL

For RHEL 5 VENs, only the VEN CTL installation and activation methods are supported (see Linux: Install and Upgrade with CLI and VEN CTL). Download the VEN software package (illumio-ven-pkgs) from the Illumio Support portal. VEN installation using the VEN Library on the PCE is not supported.

On VEN release 24.2.20, VEN activation fails if ipset userspace binary isn't installed on the RHEL 5 workload

The ipset userspace binary is not installed by default on RHEL 5 workloads. If the binary is missing while attempting to activate a 24.2.20 VEN on a RHEL 5 VEN workload, activation fails and the following Runtime Environment error occurs. To remedy, you must install the provided ipset userspace binary on the workload and then try again to activate the VEN:

 Cannot find ipset command. Please install /opt/illumio_ven/etc/extras/pkgs/ipset-<version>.x86_64.rpm

On VEN releases from 23.2.10 to 24.2.10, VEN activation doesn't fail if the ipset userspace binary isn't detected on the workload but a failure may occur later when the VEN tries to apply policy.

Incompatible ipset modules may have been loaded on the workload

If one or more incompatible ipset modules is loaded on the RHEL 5 workload, the VEN enters an error state and the following error message appears in the platform.log. To remedy, you must remove the incompatible ipset module from the workload.

ERROR:: ilo_ipsets load returned non-zero. /opt/illumio_ven/bin/ilo_ipsets load -w workload/ .... /new 2>&1 insmod: error inserting '/opt/illumio_ven/etc/extras/modules/el5uek/5.11/ipset/ip_set_iphash.ko': -1 Unknown symbol in module Cannot load ip_set_iphash module. Cannot load ip_set_iphash module. Please unload incompatible modules ip_set.

Missing ipset modules can cause policy application failure

On all VEN releases that support RHEL 5 (23.2.10 and later), applying policy fails if compatible ipset modules are missing. Beginning with VEN release 24.2.20, the VEN tries to resolve the failure if it occurs. VEN release 24.2.20 also provides the correct ipset modules for Oracle Linux 5 UEK.

VEN tampering may occur if the iptables service loads rules in iptables at boot

Illumio recommends that you disable the iptables service before you install the VEN on RHEL workloads. This is necessary because the iptables service executes a script that loads rules in /etc/sysconfig/iptables at boot, which is undesirable for two reasons: (1) non-VEN rules may conflict with rules the VEN applies to the firewall, and (2) the VEN may regard these non-VEN rules as firewall tampering.

The VEN cannot enforce FQDN policy (DNS-based rules).

The VEN doesn't support IPv6 or IPv6 ipsets

The VEN doesn't support byte counting.

AdminConnect (also known as Machine Auth) is not supported.

To run the VEN on RHEL6/7, Ubuntu, Debian, SUSE versions, the VEN supports using only hash:net for ipset, used to store a single IP address or the CIDR.

To run the VEN on RHEL 5.x, for every ipset, you can select from two ipset types: iphash, used to store a single IP address, or nethash, used to store a CIDR.

The VEN uses iphash and nethash set types. Both have a limit of 65536 elements.

iphash can store only single IP addresses; nethash can store only CIDRs.

The VEN release 23.2.10 and later uses hash:ip to store single IP addresses and hash:net to store CIDRs.