McAfee Enterprise MVISION Cloud

Troubleshooting CWPP Issues

Cross Account usage of single PoP 
  • The agent and the PoP VPC are in different accounts in the same region. The AWS admin must allow-list the account (using the helper script) before creating an endpoint. 
  • Allow-listing the account is a one-time process that an admin can perform. 
Cross Region usage of single PoP 
  • The agent and the PoP VPC are in different regions, in the same or different accounts. 
  • Endpoints for CWPP services can be created within the same Region only; creating an endpoint between a VPC and a service in a different Region is not supported. 
Locating error logs 

Error details are available in the install log at /opt/McAfee/cwpp/pop/install.log, which is created as soon as the installation starts. 

  • Check /var/log/cloud-init-output.log for the PoP installation logs; the installation is kicked off by cloud-init. 
  • Check the CWPP service logs in the EFS folder (/opt/McAfee/cwpp/pop/PoPDeployment/PoPCreation/aws/EFS/). 
Possible errors during prerequisite CFT deployment

For the prerequisite CFT: 

  • The maximum number of VPCs has been reached. (Service: AmazonEC2; Status Code: 400; Error Code: VpcLimitExceeded) 
    • Occurs when the VPC limit for the account has been exceeded. 
Possible errors during PoP CFT deployment: 
  • Failed to configure auto-scaling group. Refer to the install log for more details. 
    • Check whether the auto-scaling group name (for example, popname) is empty or already taken. 
  • Failed to get registration token. Refer to the install log for more details. 
    • Check whether the Client Credentials for the IAM Registration Token are null. 
  • Failed to configure EFS. Refer to the install log for more details. 
    • Check whether the EFS ID is in the available state, and validate that the EFS mount was done properly. 
  • Failed to configure microk8s installation. Refer to the install log for more details. 
  • Failed to start the installation. Refer to the install log for more details. 
    • Check whether all the parameters are passed properly in the CFT. 
  • PoP CFT installation failed due to an unknown reason. Refer to the install log for more details. 
PoP failed to send health data to MVISION Cloud

The following are possible causes when the PoP fails to send health data, each with the check to perform: 

  • Security Group rules are not updated.
    • Verify the Secure Gateway rules associated with the PoP against the required rules list and change them accordingly. 
  • Security Group is not tagged with the Kubernetes tag.
    • Add the kubernetes.io/cluster/{PoPName} tag to the security group. 
  • The Security Group has reached its allowed rules limit, so the required rules could not be added. 
    • Verify the Secure Gateway rules against the required rules list and change them accordingly. (Need to attach finalized Secure Gateway rules list.) 
  • Provisioning of the load balancer failed.
    • Check the quota limits for available load balancers. 
  • Provisioning of the VPC endpoint service failed. 
    • Verify that the load balancers were created properly. 
  • Subnets are not tagged with the Kubernetes tag. 
    • Add the kubernetes.io/cluster/{PoPName} tag to the subnets. 
PoP reporting as unhealthy

A heartbeat payload carrying the health details of the PoP infrastructure and services is sent to MVISION Cloud, which displays the latest status for the PoP. The PoP reports an unhealthy status for the following reasons: 

  • The CWPP PoP services are not up and running. 
  • The primary instance is not running or not up. 

Troubleshooting steps to make the PoP healthy: 

  • Check the pop manager payload 
PoP Secondary node not getting added
  • If all 10 registration tokens have been used, a request to create an 11th secondary node fails and the node is not added. 
  • Manually run the following commands to generate a fresh token on the primary instance and add it to the secondary instance. 

PoP Upgrade from 5.4.0 HF to 5.4.1 reports the PoP status as Unhealthy, with the following observations:

  • PoP Manager is not in the running state
  • PoP is reported as Unhealthy

Follow the steps below to resolve the issue.

Step 1

  1. Update the popm configmap with the correct MVC base URLs.
  2. Follow these steps only for EU Production tenants:
    1. sudo microk8s kubectl edit configmap popm-config -n cwpp
    2. Set mvc_base_urls to the value below and save the file:
      mvc_base_urls={"cwpp":"https://www.myshn.eu/","logcollector":"https://eupoccollector.myshn.net/","cspm":"https://cspm.myshn.eu/"}
  3. Follow these steps only for CA Production tenants:
    1. sudo microk8s kubectl edit configmap popm-config -n cwpp
    2. Set mvc_base_urls to the value below and save the file:
      mvc_base_urls={"cwpp":"https://www.myshn.ca/","logcollector":"https://pstat.myshn.ca/","cspm":"https://cspm.myshn.ca/"}

Step 2 (based on the vendor type)

Azure PoP:

  1. SSH to the PoP primary instance and run the following commands.
  2. Run: sudo microk8s kubectl delete daemonset.apps/cwpp-connector -n cwpp
  3. Change to /opt/McAfee/cwpp/pop/PoPDeployment/PoPCreation/azure/upgrade/azure
  4. Run:
    • sudo kubectl apply -f dxl-deployment.yaml -n cwpp
  5. Run sudo microk8s kubectl get pods -n cwpp and:
    • check that all the cwpp-connector pods have been recreated (monitor the pod AGE)
    • check that all the pods are in the Running or Completed state
    • wait for 5 minutes and check that the pop-manager pod is in the Completed state
  6. Log in to the dashboard, navigate to the PoP Management page, and select the respective PoP in Azure.
  7. Check the PoP RHS card for the build versions:
    • CWPP CICD version 1.0.0.137
    • CWPP Connector version 1.0.0.210
    • CWPP Logger version 1.5.1

GCP PoP:

  1. SSH to the PoP primary instance and run the following commands.
  2. Run: sudo microk8s kubectl delete daemonset.apps/cwpp-connector -n cwpp
  3. Change to /opt/McAfee/cwpp/pop/PoPDeployment/PoPCreation/gcp/upgrade/gcp
  4. Run:
    • sudo kubectl apply -f dxl-deployment.yaml -n cwpp
  5. Run sudo microk8s kubectl get pods -n cwpp and:
    • check that all the cwpp-connector pods have been recreated (monitor the pod AGE)
    • check that all the pods are in the Running or Completed state
    • wait for 5 minutes and check that the pop-manager pod is in the Completed state
  6. Log in to the dashboard, navigate to the PoP Management page, and select the respective PoP in GCP.
  7. Check the PoP RHS card for the build versions:
    • CWPP CICD version 1.0.0.137
    • CWPP Connector version 1.0.0.210
    • CWPP Logger version 1.5.1
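Step 1 (setting mvc_base_urls for the tenant region) and item 5 of Step 2 (confirming the cwpp-connector pods were recreated and every pod, including pop-manager, has settled) are the same for the Azure and GCP PoPs. The script below is an added example, not part of this article or of the product's own tooling: it turns the interactive kubectl edit of Step 1 into a kubectl merge patch built from the URL sets the article gives, and it parses the output of sudo microk8s kubectl get pods -n cwpp to check the conditions listed in Step 2. The function names and the --patch/--check flags are this example's own, and the two pod listings are constructed samples with made-up pod names, ages and restart counts.

```shell
#!/bin/sh
# Added example (not from the McAfee article): scriptable form of the
# 5.4.0 HF -> 5.4.1 recovery checks. Function names and the --patch/--check
# flags are this example's own; the URL sets are the ones given in Step 1.

# Step 1: the mvc_base_urls value for a tenant region (eu or ca), exactly
# as the article gives it. Any other region is rejected rather than guessed.
popm_base_urls_for_tenant() {
    case "$1" in
        eu) printf '%s' '{"cwpp":"https://www.myshn.eu/","logcollector":"https://eupoccollector.myshn.net/","cspm":"https://cspm.myshn.eu/"}' ;;
        ca) printf '%s' '{"cwpp":"https://www.myshn.ca/","logcollector":"https://pstat.myshn.ca/","cspm":"https://cspm.myshn.ca/"}' ;;
        *)  echo "unknown tenant region: $1 (expected eu or ca)" >&2; return 1 ;;
    esac
}

# Build the JSON merge patch that sets data.mvc_base_urls on the ConfigMap.
# The value is itself a JSON document, so its quotes must be escaped before
# it is embedded as a string; applying this patch is idempotent, unlike an
# interactive `kubectl edit`.
popm_patch_payload() {
    urls=$(popm_base_urls_for_tenant "$1") || return 1
    escaped=$(printf '%s' "$urls" | sed 's/"/\\"/g')
    printf '{"data":{"mvc_base_urls":"%s"}}' "$escaped"
}

# Step 2 item 5: every pod must be Running or Completed. Prints each pod
# that is not (so the operator knows what to `kubectl describe`) and
# returns 1 if there is at least one.
pods_all_settled() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                       # skip the header row
        $3 != "Running" && $3 != "Completed" {
            printf "not settled: %s (%s)\n", $1, $3; bad++
        }
        END { if (bad > 0) exit 1 }'
}

# pop-manager must reach Completed (the article allows about 5 minutes).
pop_manager_completed() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^pop-manager-/ && $3 == "Completed" { found = 1 }
        END { if (!found) exit 1 }'
}

# Count cwpp-connector pods less than an hour old (AGE without h/d/y),
# i.e. the ones the DaemonSet recreated after the apply in step 4.
recreated_connector_count() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^cwpp-connector-/ && $5 !~ /[hdy]/ { n++ }
        END { print n + 0 }'
}

# Constructed sample listings (pod names, ages and counts are made up).
HEALTHY_SAMPLE='NAME                          READY   STATUS      RESTARTS   AGE
cwpp-connector-5k2xq          1/1     Running     0          3m
cwpp-connector-p9rtz          1/1     Running     0          3m
pop-manager-28415-jwd7c       0/1     Completed   0          6m
cwpp-logger-6d9f7c8b5-x7l2p   1/1     Running     0          40d'

DEGRADED_SAMPLE='NAME                          READY   STATUS              RESTARTS   AGE
cwpp-connector-5k2xq          0/1     ContainerCreating   0          10s
cwpp-connector-p9rtz          1/1     Running             0          40d
pop-manager-28415-jwd7c       0/1     Error               2          6m'

case "${1:-}" in
    --patch)   # Step 1 against the live cluster, run on the PoP primary instance
        sudo microk8s kubectl patch configmap popm-config -n cwpp \
            --type merge -p "$(popm_patch_payload "${2:?usage: $0 --patch eu|ca}")" ;;
    --check)   # Step 2 item 5 against the live cluster
        listing=$(sudo microk8s kubectl get pods -n cwpp)
        pods_all_settled "$listing" && pop_manager_completed "$listing" \
            && echo "pop-manager completed; $(recreated_connector_count "$listing") connector pod(s) recreated" ;;
    *)         # offline demo on the constructed samples
        pods_all_settled "$HEALTHY_SAMPLE" && echo "healthy sample: all pods settled"
        pods_all_settled "$DEGRADED_SAMPLE" || echo "degraded sample: action needed" ;;
esac
```

Run it with --patch eu (or ca) on the primary instance to replace the manual edit in Step 1, then with --check after the apply in Step 2; without arguments it only exercises the constructed samples. The --check path says nothing about the build versions on the PoP card (step 7), which still have to be read from the dashboard.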