Resolve migration prerequisite check issues
Text in CLI |
Description |
How to resolve (log data about migration prerequisite checks is found in: for CentOS 7 migration, /var/log/algosec-software-upgrade.log; for CM migration, /var/log/algosec_toolbox/algosec_conf.log) |
---|---|---|
Version incompatible between nodes |
Verifies that all installed products are the same version and build on both the source and the migration target. |
Update the source A32.00 build files that match build versions installed on the migration target. For details, see raw version data and values for comparison in the log. |
All ASMS services on source node ([source node IP]) must be OK prior to migration |
Checks status of services on migration target. |
First, try to restart the services. Run for each service:
algosec_test_service -n <SERVICE NAME> -f
If services do not restart, contact AlgoSec support. |
The following nodes are unreachable from |
Checks if all remote nodes are reachable from migration target. |
Open ports. See Required port connections. For details, see "Failed to check connectivity between migration IP {} and dist node {}" in the log. |
Verifies that migration target machine is standalone. |
The target machine must be a clean machine deployed directly from AlgoSec image installation. |
|
License prerequisite check failed with: License file is not installed |
Verifies license on migration target IP. |
Install license on target machine. See Migration target license and ASMS licensing. |
License prerequisite check failed with: The target license includes fewer components |
Verifies license on migration target IP. |
Contact AlgoSec to add missing components to the target license. Insufficient license may cause problems. For details, see "Localhost license modules:" and "Migration [migration IP] license modules:" in the log. |
Verifies that traffic on ports 443 (https), 5432 (postgresql), and 9595 (HA/DR) is not filtered between source & migration target. |
Check with your IT department that firewalls allow SSH traffic on these ports (bi-directional). Tip: You can check if the filter has been removed by running:
nmap -n -p <port> <ip target> 2>&1 | grep -q filtered && echo "Traffic is blocked" || echo "Traffic is allowed"
nmap -n -p <port> <ip source> 2>&1 | grep -q filtered && echo "Traffic is blocked" || echo "Traffic is allowed"
This only works when this prerequisite finds an issue with the port. |
|
Traffic from target (x.x.x.x) to source (x.x.x.x) is NATed (x.x.x.x) or Traffic from source (x.x.x.x) to target (x.x.x.x) is NATed (x.x.x.x) |
Checks for NATed traffic between source and target. |
Contact your IT department to disable any NAT configuration between source and target machines.
|
Low bandwidth speed found between local node and [machine IP]: (%s) Mbit/s. Average speed: 160 Mbit/ss Mbit/s Minimum required: 64Mbit/s Mbit/s: |
Checks bandwidth between source and target. |
We recommend bandwidth of at least 1Gbit/s (125MB/s). Minimum allowable is 64Mbit/s (8MB/s). Contact your IT department to determine and adjust, if necessary, your bandwidth between the source and the target machines. Tip: Use the following commands to check bandwidth:
|
Checks PostgreSQL files. |
Reassign owner of all files in the /var/lib/pgsql/data/ directory to user postgres. Run the following commands:
algosec_test_service -n postgresql -k
chown -R postgres:postgres /var/lib/pgsql/data/
algosec_test_service -n postgresql -s |
|
Target machine [IP] could not connect to NAS server [IP] on mount path [/data/...] via NFS4. |
Checks NAS server connectivity. | Check connectivity and make sure the NAS is accepting connections from the target machine. |
Target machine [IP] has insufficient permission level to NAS server [IP] on mount path [/data/...] via NFS4. |
Checks target machine server permissions level to NAS server. | Configure NAS server to allow write permissions for the target machine. |
NAS server is defined on target but not on source node. |
Checks target machine connection to NAS when no NAS is defined for the source. | Disconnect target node from NAS. |
The mail server [IP] on port [PORT] is unreachable from the target node [IP] |
Checks connectivity from target node to mail server. |
Check with your IT department that traffic is allowed from the target machine to the defined mail server in ASMS. Tip: To check the connectivity, run the following:
echo 'exit' | timeout --signal=9 5 telnet <IP> <PORT> 2>&1 | grep -q 'Connected' && echo "Traffic to mail server is allowed" || echo "Traffic to mail server is blocked" |
Partition (/data) on the remote node [IP] must have at least [amount] MB free space. This includes the amount of space used on the primary node, plus an additional [amount]%. You currently only have [amount] MB free space
Insufficient disk space on partition (/data) on the remote node [IP]. You currently have [amount] MB free space. Minimum required: at least [amount] MB free space. |
Checks disk space on target node. |
Target node must have at least the same disk space as the source node. Increase disk space as required. For VMs, see Increase disk space of a new AlgoSec VM. |
Checks target node disk speed. |
We recommend disk write speed of at least 300MB/s. Minimum allowable is 80MB/s. Contact your IT department to determine and adjust, if necessary, your node disk speed. Tip: Use the following command to check disk speed:
dd if=/dev/zero of=/data/test-big-file.bin bs=786432000 count=1 oflag=dsync 2>&1 ; rm -f /data/test-big-file.bin
An example of the output is:
786432000 bytes (786 MB) copied, 0.624098 s, 1.3 GB/s
Tip: If your target machine is an AlgoSec VM, make sure you are following VM best practices. See Best practices for your AlgoSec VMware Deployment. If you make changes, check your disk speed again to see if it has improved.
Tip: If your target machine is an AlgoSec AMI, make sure you are using the recommended deployment. See Deploy ASMS on AWS. |
|
Detected SSH rate limit through firewall(s) on connection between source (x.x.x.x) and target (x.x.x.x) |
Checks SSH traffic between source and target machine. |
Ask your IT department to analyze event logs of firewall(s) to determine which encountered an SSH Brute Force Attack. Disable SSH rate limit on these firewall(s) during the migration procedure. |
Postgresql service is not running on source node [IP]. Reports sync cannot continue. |
Checks reports sync utility readiness. |
Restart postgresql service on source and try syncing reports again. Tip: to restart postgresql service, run: systemctl restart postgresql.service |
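
For the port-filtering check on ports 443, 5432 and 9595: the one-line nmap tip prints "Traffic is allowed" whenever the word "filtered" is absent, which includes the case where nmap reports the host as down and scans nothing. The following added example (not AlgoSec code) reads nmap's grepable output (-oG -) and reports a state per required port, treating a port with no result as "unknown"; the function names and the sample scan are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the three migration ports from nmap grepable output.
REQUIRED_PORTS="443 5432 9595"   # https, postgresql, HA/DR (from the table above)

# Reads `nmap -oG -` output on stdin; prints "<port> <state>" per required port.
# A port that never appears (host down, scan aborted) is "unknown", not allowed.
port_states() {
    awk -v want="$REQUIRED_PORTS" '
        BEGIN { n = split(want, w, " ") }
        /Ports:/ {
            sub(/.*Ports: /, "")
            sub(/\t.*/, "")                  # drop any trailing tab-separated field
            m = split($0, entries, ", ")
            for (i = 1; i <= m; i++) {
                split(entries[i], f, "/")    # port/state/protocol/...
                state[f[1]] = f[2]
            }
        }
        END {
            for (i = 1; i <= n; i++)
                print w[i], ((w[i] in state) ? state[w[i]] : "unknown")
        }'
}

# Succeeds only if every required port got a reply (open or closed), meaning
# nothing on the path silently dropped the probe.
ports_unfiltered() {
    ! port_states | grep -Eq ' (filtered|open\|filtered|unknown)$'
}

# Constructed sample in nmap grepable format (not captured from a real scan).
sample_scan() {
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///, 5432/filtered/tcp//postgresql///, 9595/closed/tcp/////\n'
}

# Live use (requires nmap):
#   nmap -n -p 443,5432,9595 -oG - <ip target> | port_states
if [ "${1:-}" = "--demo" ]; then
    sample_scan | port_states
fi
```

Run it from the source against the target and from the target against the source, since the prerequisite requires the ports to be unfiltered in both directions.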
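
For the disk-speed check: dd reports its rate in changing units (MB/s, GB/s), so comparing its last field against the 80MB/s minimum and 300MB/s recommendation by eye is error-prone. This added example (not AlgoSec code) recomputes the rate from the byte count and elapsed seconds in dd's summary line and applies the two thresholds from the table; it assumes decimal megabytes, as dd uses, and the function name and verdict labels are illustrative.

```shell
#!/bin/sh
# Added example: grade dd's summary line against the page's disk-speed thresholds.
MIN_MBS=80     # minimum allowable write speed, MB/s (from the table above)
REC_MBS=300    # recommended write speed, MB/s (from the table above)

# Reads dd's summary on stdin; prints "<MB/s> <verdict>".
# The rate is computed from bytes and seconds, not from dd's own rate field.
disk_speed_verdict() {
    awk -v min="$MIN_MBS" -v rec="$REC_MBS" '
        / bytes .* copied, / {
            bytes = $1
            # elapsed time is the field immediately before the literal "s,"
            for (i = 1; i < NF; i++) if ($(i + 1) == "s,") secs = $i
        }
        END {
            if (bytes == "" || secs == "" || secs <= 0) { print "0 unparsed"; exit 2 }
            mbs = bytes / secs / 1000000
            v = (mbs < min) ? "below-minimum" : ((mbs < rec) ? "below-recommended" : "ok")
            printf "%d %s\n", mbs, v
        }'
}

# Live use on the target node (same dd command as in the tip above; LC_ALL=C
# keeps the decimal point in the elapsed time):
#   LC_ALL=C dd if=/dev/zero of=/data/test-big-file.bin bs=786432000 count=1 \
#       oflag=dsync 2>&1 | disk_speed_verdict; rm -f /data/test-big-file.bin
if [ "${1:-}" = "--demo" ]; then
    # The example output line quoted in the table above.
    printf '786432000 bytes (786 MB) copied, 0.624098 s, 1.3 GB/s\n' | disk_speed_verdict
fi
```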